Trust & Security
Our commitment to the security of your data and money — with proof you can verify, not just claims.
Live Metrics
—
Admins with MFA
Waiting for data
—
Median withdrawal time
Not enough data yet
AES-256-GCM
Zero plaintext passwords
Account details are locked down on the server before they are stored. The key is never kept in the browser.
SHA-256 hash chain
Tamper-evident audit log
Every admin action is cryptographically locked, so if anyone tampers with it, it will be detected.
Technical Claims (Verifiable in Source)
Juragan data encryption
AES-256-GCM
Evidence: worker/src/crypto.js
Key derivation
PBKDF2-SHA256, 100k iter
Evidence: worker/src/crypto.js
Audit chain algorithm
SHA-256
Evidence: docs/architecture/BACKEND_ENGINEERING.md §Hash Chain
TLS minimum
TLS 1.3
Evidence: Cloudflare edge configuration
Firestore Rules posture
Deny-by-default, server-only writes for financial data
Evidence: firestore.rules
Client-side crypto removed
CVE-17 closed (May 2026)
Evidence: src/utils/crypto.js (file stub)
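How a SHA-256 hash chain makes an audit log tamper-evident, as an added sketch that is not the project's own code. The entry fields, the genesis value, the chaining format and the sample entries are assumptions made for illustration.

```javascript
// Added illustration; entry fields and chaining format are assumptions,
// not taken from the project's source.
const { createHash } = require('node:crypto');

const GENESIS = '0'.repeat(64); // assumed previous-hash value for the first entry

// Serialize with a fixed field order so the same entry always hashes the same.
function canonical(entry) {
  return JSON.stringify([entry.seq, entry.ts, entry.admin, entry.action]);
}

function entryHash(prevHash, entry) {
  return createHash('sha256').update(prevHash).update('\n').update(canonical(entry)).digest('hex');
}

// Append an entry, linking it to the hash of the one before it.
function append(log, fields) {
  const prevHash = log.length ? log[log.length - 1].hash : GENESIS;
  const entry = { seq: log.length, ...fields, prevHash };
  entry.hash = entryHash(prevHash, entry);
  log.push(entry);
  return entry;
}

// Return the index of the first entry that fails verification, or -1 if intact.
// expectedHead is the latest hash as recorded somewhere outside the log store.
function verify(log, expectedHead) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    if (e.seq !== i || e.prevHash !== prev || e.hash !== entryHash(prev, e)) return i;
    prev = e.hash;
  }
  return expectedHead !== undefined && prev !== expectedHead ? log.length : -1;
}

// Constructed sample entries.
function sampleLog() {
  const log = [];
  append(log, { ts: '2026-05-01T10:00:00Z', admin: 'admin-a', action: 'approve_withdrawal:w1' });
  append(log, { ts: '2026-05-01T10:05:00Z', admin: 'admin-b', action: 'change_role:u7' });
  append(log, { ts: '2026-05-01T10:09:00Z', admin: 'admin-a', action: 'approve_withdrawal:w2' });
  return log;
}
```

Edits and deletions in the middle of the chain break a link, but dropping the newest entries leaves a shorter chain that is still internally valid. That case is only caught when the latest hash is compared against a copy kept where the log writer cannot rewrite it.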
What we don't do
- Store your password in the clear, without encryption. Everything is locked before it goes into the database.
- Put encryption keys in the browser / JavaScript. The keys exist only on Mimin's isolated server.
- Sell or share your data with other parties. Public analytics only show aggregate totals (no personal names or emails).
- Grant admin access without MFA. Every admin action requires two-factor security (TOTP) and is recorded in the history log.