INOPAY
TRUST CENTER

Built to pass legal teams and regulators

Documented non-custodial architecture, auditable security, public compliance. Inopay never touches funds or assets.

Non-custodial architecture

Client funds flow from the PSP to the licensed SGI and on to the market. Inopay is never on the path of fiduciary flows: we transmit signed instructions only.

[Diagram: PSP / client wallet → Licensed SGI segregated → Market (BRVM, BVMAC, GSE), labelled "Funds + securities flow"; Inopay (orchestration) sits off that path, labelled "Ed25519-signed instructions".]
  • Funds move from the PSP to the SGI segregated account, never into an Inopay-controlled account.
  • Securities are registered at the SGI in the end user's name, in line with local regulation.
  • Inopay only emits cryptographically signed instructions, verifiable offline.
  • No discretionary mandate, no proprietary positions, no asset custody on Inopay's side.

Security

End-to-end security on communications, storage, and the signing chain.

Encryption in transit

TLS 1.3 enforced on every public endpoint. HSTS preload, certificate pinning on native SDKs.

Encryption at rest

AES-256-GCM for sensitive data. Keys managed by KMS, automatic rotation, environment separation.

Audits & certifications

Quarterly security audits by independent firms. ISO 27001 certification targeted for 2026.

Insurance & continuity

Dedicated cyber policy, semi-annual continuity drills, RTO and RPO published in a signed memo.

SGI partnerships

Discussions are under way with several licensed SGIs across the three zones (WAEMU, CEMAC, Ghana). Official announcements will follow the first signed pilot.

Transparency through hash-chain audit

Every routed order is hashed and chained to the previous one. The daily root hash is anchored publicly. Anyone can verify offline that no order has been altered after the fact.

1. Per-order fingerprint

Each order produces a SHA-256 hash including its timestamp, signed payload and the previous order's hash.

2. Daily anchoring

The daily root hash is published, signed with Ed25519, and anchored on a public registry.

3. Offline verification

Open-source CLI tool to replay the chain and confirm hash integrity over any time window.
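The three steps above, sketched as an added example; this is not Inopay's CLI or code. It shows why the anchored root matters: a record edited in place fails at its own index, while a chain rewritten with recomputed hashes is only caught by comparison with the independently obtained root. Assumptions: the field encoding, the all-zero genesis value, and the daily root being the hash of the day's last order are all hypothetical, and Ed25519 verification of the published root is left out.

```python
import hashlib

GENESIS = "00" * 32  # assumed "previous hash" for the first order in a chain

def order_hash(timestamp: str, signed_payload: bytes, prev_hash: str) -> str:
    """SHA-256 over timestamp, signed payload and previous order hash.

    Each field is length-prefixed (an assumed encoding) so that field
    boundaries are unambiguous and two different orders cannot serialize alike.
    """
    h = hashlib.sha256()
    for field in (timestamp.encode(), signed_payload, bytes.fromhex(prev_hash)):
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.hexdigest()

def build_chain(orders, prev_hash=GENESIS):
    """Turn (timestamp, signed_payload) pairs into chained records."""
    chain = []
    for ts, payload in orders:
        digest = order_hash(ts, payload, prev_hash)
        chain.append({"ts": ts, "payload": payload,
                      "prev": prev_hash, "hash": digest})
        prev_hash = digest
    return chain

def verify_chain(chain, anchored_root, start_hash=GENESIS):
    """Replay the chain offline.

    Returns (True, None) if every link recomputes and the final hash equals
    the anchored root, else (False, i) where i is the first bad record, or
    len(chain) if the links are consistent but the root does not match.
    """
    prev = start_hash
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            return False, i  # link does not point at its predecessor
        if order_hash(rec["ts"], rec["payload"], rec["prev"]) != rec["hash"]:
            return False, i  # record content changed after hashing
        prev = rec["hash"]
    if prev != anchored_root:
        return False, len(chain)  # rewritten or truncated chain
    return True, None

# Constructed sample orders; the payload bytes stand in for signed instructions.
SAMPLE_ORDERS = [
    ("2025-01-06T09:00:00Z", b"order-1|BUY|10|sig-placeholder"),
    ("2025-01-06T09:05:00Z", b"order-2|SELL|4|sig-placeholder"),
    ("2025-01-06T09:10:00Z", b"order-3|BUY|7|sig-placeholder"),
]
```

The root passed to `verify_chain` has to come from the public anchor, not from the same source as the chain records, otherwise a rewritten chain verifies against its own rewritten root.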


Bug bounty program

Public program in preparation. Until official launch, security researchers can reach our team directly to report vulnerabilities under coordinated disclosure.

Trust contacts

Data Protection Officer: dpo@getinopay.com

Auditors have questions?

Send us your due diligence checklist. We answer document by document, signed by our compliance team.
