Security & compliance

Built to handle member data, dues, and welfare disbursements with the seriousness they deserve.

Bustani holds personally identifiable data, payment records, and welfare case notes for Rotary clubs across multiple jurisdictions. Here's exactly how that data is protected, who can reach it, and where it lives.

Encryption

Data is encrypted in transit, at rest, and in transactional flows.

In transit

Every connection to bustani.top and tenant subdomains is HTTPS-only with TLS 1.2+ and HSTS preload. HTTP requests redirect with 301 before any payload is read.

At rest

PostgreSQL volumes are encrypted with AES-256 on DigitalOcean Managed Databases. Application-level encryption protects M-Pesa receipts, donor PII, and welfare case notes with rotating keys.

Secrets

API credentials live in environment-scoped secret stores, never in source control. The rotation playbook is run quarterly and on every contributor offboarding event.

Access & isolation

Who sees what is enforced in the database, not just the screen.

Role-based access

Members, board, treasurers, district admins, and platform support each see a different slice of the data. Row-level security enforces tenant isolation in the database, not just the UI.

Audit log

Every dues payment, welfare disbursement, donor receipt, and admin action is recorded with actor, IP, timestamp, and before/after state. Retention is 7 years; export is available on Enterprise plans.
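One way to capture actor, client IP, timestamp and before/after state at the database layer, so that the record cannot be skipped by an application code path, is a generic PostgreSQL AFTER trigger. The following is an added illustration, not Bustani's own schema or code: the table names (audit_log, dues_payments), the role app_rw and the session settings app.actor and app.client_ip are assumptions made for the example. It assumes PostgreSQL 11 or later.

```sql
-- Added example (not Bustani's code): append-only audit log populated by a
-- row trigger. Names below are illustrative assumptions.
CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    actor       text        NOT NULL,
    client_ip   inet,
    table_name  text        NOT NULL,
    operation   text        NOT NULL CHECK (operation IN ('INSERT', 'UPDATE', 'DELETE')),
    row_before  jsonb,      -- NULL for INSERT
    row_after   jsonb       -- NULL for DELETE
);

-- The request layer sets these per transaction (assumed convention):
--   SET LOCAL app.actor     = 'treasurer@club-a.example';
--   SET LOCAL app.client_ip = '203.0.113.7';
-- current_setting(name, true) returns NULL instead of raising when unset,
-- so a write made outside a request still gets logged under session_user.
CREATE OR REPLACE FUNCTION audit_row_change() RETURNS trigger
LANGUAGE plpgsql AS $$
DECLARE
    v_before jsonb;
    v_after  jsonb;
BEGIN
    IF TG_OP = 'INSERT' THEN
        v_after := to_jsonb(NEW);
    ELSIF TG_OP = 'UPDATE' THEN
        v_before := to_jsonb(OLD);
        v_after  := to_jsonb(NEW);
    ELSE  -- DELETE
        v_before := to_jsonb(OLD);
    END IF;

    INSERT INTO audit_log (actor, client_ip, table_name, operation, row_before, row_after)
    VALUES (
        coalesce(nullif(current_setting('app.actor', true), ''), session_user::text),
        nullif(current_setting('app.client_ip', true), '')::inet,
        TG_TABLE_NAME,
        TG_OP,
        v_before,
        v_after
    );
    RETURN NULL;  -- AFTER trigger: return value is ignored
END;
$$;

-- Illustrative table that is audited; any table can reuse the same function.
CREATE TABLE dues_payments (
    id        bigserial     PRIMARY KEY,
    club_id   int           NOT NULL,
    member_id int           NOT NULL,
    amount    numeric(12,2) NOT NULL,
    status    text          NOT NULL DEFAULT 'pending'
);

CREATE TRIGGER dues_payments_audit
AFTER INSERT OR UPDATE OR DELETE ON dues_payments
FOR EACH ROW EXECUTE FUNCTION audit_row_change();

-- The application role may append to and read the log but never rewrite
-- history; it must not own audit_log, since owners keep full rights.
CREATE ROLE app_rw NOLOGIN;
GRANT SELECT, INSERT ON audit_log TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE audit_log_id_seq TO app_rw;
REVOKE UPDATE, DELETE, TRUNCATE ON audit_log FROM PUBLIC;
```

Because the trigger fires inside the same transaction as the change, the audit row and the data change commit or roll back together, which is what makes before/after state trustworthy. Retention enforcement (the page's 7 years) and export would sit outside this snippet, for example as a scheduled job that archives rows older than the retention window.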

Tenant isolation

Each club is a Postgres-level tenant with subdomain-scoped routing. A treasurer in Club A cannot read a member list from Club B — verified continuously by automated tests.
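The tenant isolation described in the "Role-based access" and "Tenant isolation" passages above can be enforced with PostgreSQL row-level security. The following is an added example, not Bustani's schema or test suite: the members table, the club_id column, the role app_rw and the session setting app.current_club are assumptions for illustration. The last part shows the shape of an automated check that a Club A session cannot read or write Club B rows.

```sql
-- Added example (not Bustani's code): tenant isolation via row-level
-- security. Table, column, role and setting names are assumptions.
CREATE TABLE members (
    id        bigserial PRIMARY KEY,
    club_id   int  NOT NULL,
    full_name text NOT NULL,
    email     text NOT NULL
);

-- The application connects as a role that does NOT own the table. Table
-- owners and superusers bypass RLS, so running the app as the owner would
-- silently disable the isolation below.
CREATE ROLE app_rw NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON members TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE members_id_seq TO app_rw;

ALTER TABLE members ENABLE ROW LEVEL SECURITY;

-- A row is visible (USING) and writable (WITH CHECK) only when its club_id
-- matches the tenant the request was routed to. current_setting(..., true)
-- yields NULL when unset, and NULL = x is never true, so a request with no
-- tenant context sees and can write nothing (fail closed).
CREATE POLICY tenant_isolation ON members
    FOR ALL TO app_rw
    USING      (club_id = nullif(current_setting('app.current_club', true), '')::int)
    WITH CHECK (club_id = nullif(current_setting('app.current_club', true), '')::int);

-- Per-request setup performed by the subdomain router (assumed convention).
-- SET LOCAL is scoped to the transaction, so the tenant id cannot leak to
-- the next request served by a pooled connection:
--   BEGIN;
--   SET LOCAL ROLE app_rw;
--   SET LOCAL app.current_club = '17';
--   ... queries for club 17 only ...
--   COMMIT;

-- Isolation check in the style of an automated test: seed two clubs, then
-- act as a Club 1 session and confirm Club 2 data is unreachable.
INSERT INTO members (club_id, full_name, email) VALUES
    (1, 'A. Treasurer', 'a@club-a.example'),
    (2, 'B. Member',    'b@club-b.example');

BEGIN;
SET LOCAL ROLE app_rw;
SET LOCAL app.current_club = '1';

-- Expected: exactly one row, club_id = 1.
SELECT club_id, full_name FROM members;

-- Expected: UPDATE 0. Club 2's row is filtered out before the UPDATE
-- ever sees it, even though the WHERE clause names it explicitly.
UPDATE members SET email = 'changed@club-a.example' WHERE club_id = 2;

-- Expected: ERROR "new row violates row-level security policy", because
-- WITH CHECK rejects writing a row into another tenant.
INSERT INTO members (club_id, full_name, email)
VALUES (2, 'Smuggled', 'x@club-b.example');

ROLLBACK;
```

A continuous test would run the block above against a throwaway database for every table that carries a club_id and fail the build if the SELECT returns more than one row or the cross-tenant INSERT succeeds. Policies apply per table, so a new tenant-scoped table that is created without one is the most common way isolation quietly regresses; a query over pg_policies that lists tenant tables lacking a policy is a cheap guard for that.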

Infrastructure

Hosting, backups, and the third parties we trust.

Hosting

Production runs on DigitalOcean's Frankfurt (FRA1) region by default. Custom regions — including Nairobi and on-prem — are available on Enterprise plans for data-residency requirements.

Backup & recovery

Database snapshots are taken every 6 hours with point-in-time recovery to any minute in the last 7 days. RPO ≤ 1 hour. RTO ≤ 4 hours for full-region failover. Disaster-recovery drills run quarterly.

Sub-processors

Stripe (payments), Safaricom M-Pesa (East Africa payments), DigitalOcean (hosting), Resend (transactional email). Full DPA available on request. Sub-processor changes are notified 30 days in advance.

Compliance frameworks

We follow the rules of the regions you operate in.

GDPR

Lawful basis, data-subject access, right-to-erasure, and data-portability flows are all built in. EU-resident data stays in EU regions when requested.

Kenya Data Protection Act 2019

Registered with the Office of the Data Protection Commissioner. M-Pesa transaction data, member PII, and welfare records are processed under documented lawful bases.

Rotary International data norms

Member directories, classification surveys, and district reporting follow Rotary's recommended privacy posture. No data is sold or shared with advertisers — ever.

Vulnerability disclosure

Found a security issue? We want to hear from you.

We treat security reports as our most important inbound mail. We acknowledge within one business day, triage within five, and credit reporters in our advisory log unless you ask us not to.

security@bustani.top

Safe-harbour commitment

  • Good-faith research that doesn't harm production data or other tenants will not be subject to legal action.
  • No automated scanning of payment endpoints. No social-engineering of staff or members.
  • Please give us 90 days before public disclosure. We'll move faster when we can.