Responsible disclosure: If you have found a security vulnerability in any Genmars Tech / UrbanTrends.dev product or infrastructure, please email security@urbantrends.dev before public disclosure. We aim to respond within 48 hours.
1. Our commitment
Security is a core constraint at Genmars Tech, not an afterthought. We build software that handles real financial transactions — M-Pesa payments, property rent reconciliation, business leads — and we take the responsibility seriously. This policy describes how we protect your data and how you can report concerns.
2. Technical safeguards
Encryption
- All data in transit is encrypted using TLS 1.2 or higher.
- Data at rest is encrypted using AES-256 or equivalent on all storage systems.
- M-Pesa credentials, API keys, and secrets are stored in an encrypted secrets manager — never in source code or environment files.
- Passwords are hashed using bcrypt with a minimum cost factor of 12.
Infrastructure
- Production systems run in isolated environments with minimal attack surface.
- Network access to databases and internal services is restricted to authorised application layers only.
- All infrastructure changes go through code review before deployment.
- Automated security scanning is run on dependencies and container images.
Access controls
- Production access is restricted to authorised personnel using multi-factor authentication.
- Principle of least privilege: each service and team member has only the permissions required for their role.
- Access logs are retained and reviewed for anomalies.
Payment security
- We do not store raw M-Pesa PINs or card numbers. Payment flows use tokenisation via Safaricom Daraja APIs.
- STK Push callbacks are validated against Safaricom's credentials before reconciliation.
- Idempotency keys are enforced on all payment writes to prevent duplicate processing.
3. Application security practices
- All code changes require peer review before merging to production.
- Input validation and output encoding are enforced at all system boundaries.
- SQL queries use parameterised statements to prevent injection.
- API rate limiting and authentication are enforced on all endpoints.
- Webhook endpoints verify signatures before processing any payload.
- Security-relevant dependencies are monitored and updated promptly.
4. Incident response
In the event of a security incident that affects your data, we will:
- Contain the incident and preserve forensic evidence.
- Notify affected users within 72 hours of confirming a breach, consistent with our obligations under Kenya's Data Protection Act, 2019.
- Notify the Office of the Data Protection Commissioner (ODPC) as required by law.
- Publish a post-incident summary to affected customers within 30 days.
5. Responsible disclosure
We ask security researchers to:
- Report vulnerabilities to security@urbantrends.dev before any public disclosure.
- Include a clear description, reproduction steps, and — where possible — a proof of concept.
- Allow us reasonable time (minimum 90 days) to investigate and remediate before publishing.
- Avoid accessing, modifying, or deleting data beyond what is necessary to demonstrate the vulnerability.
- Not perform denial-of-service attacks or social engineering against our team or users.
We will acknowledge valid reports, keep you informed of our progress, and credit researchers in our security acknowledgements (if you wish to be named). We do not operate a paid bug bounty programme at this stage, but we genuinely appreciate responsible disclosure.
6. Scope
In scope for responsible disclosure:
- urbantrends.dev and all subdomains
- RentFlow, PortfolioU, TrendyyLeads, AcademyOS web applications and APIs
- Developer Tools (Daraja Playground, Scaffold CLI)
Out of scope:
- Third-party services we integrate with (Safaricom, KRA, banks) — report these to the respective organisations.
- Social engineering attacks against Genmars Tech staff.
- Physical security of our offices.
- Denial-of-service attacks.
7. Data protection alignment
Our security practices are designed to satisfy the technical security requirements of Kenya's Data Protection Act, 2019 and the Data Protection (General) Regulations, 2021. For our full data handling practices, see our Privacy Policy.
8. Contact
To report a vulnerability or ask a security question:
Email: security@urbantrends.dev
Response time: We aim to acknowledge reports within 48 hours.
Genmars Tech
Floor 5, Room 354, GTC Towers, Chiromo Road
Westlands, Nairobi, Kenya · P.O. Box 00100, 00800