Quick summary
Encrypted everywhere
TLS 1.2+ in transit. AES-256 at rest via hosting provider. Passwords hashed with Argon2 / bcrypt — never stored in plaintext.
True tenant isolation
Each SaaS customer has their own MySQL database — no shared tables, so one tenant's data physically cannot leak into another's through application bugs. Sanya Cloud customers get a dedicated virtual server, isolated at the hypervisor.
2FA everywhere
Available to every account. Required for super-admins. Codes via SMS + email. 10-minute expiry, 5-attempt lockout.
Full audit log
Every significant action (login, password change, plan change, recurring-rule edit, etc.) is logged with user, IP, timestamp. Retained 2 years.
Daily off-site backups (platform)
Encrypted, retained 30 days. Recovery objective: < 4 hours from declared incident. Sanya Cloud VPS data is not backed up by us — that's your responsibility.
72-hour breach SLA
If we discover a personal-data breach affecting your workspace, you're notified within 72 hours — per PDPA requirements.
Application security
| Control | What we do | Status |
|---|---|---|
| SQL injection | 100% parameterised queries via PDO prepared statements. No string-concatenated SQL anywhere in the codebase. | Live |
| Cross-site scripting (XSS) | htmlspecialchars() applied to every variable rendered into HTML. No innerHTML with user content in client-side code paths. | Live |
| Cross-site request forgery (CSRF) | SameSite=Lax session cookies. State-changing API actions verify the session before any DB write. | Live |
| Password storage | Argon2id (PHP password_hash()) — falls back to bcrypt on PHP versions where Argon2 is unavailable. | Live |
| 2FA | One-time codes via SMS + email. 10-minute TTL. 5-attempt lockout per code. Optional for normal users, required for super-admins. | Live |
| Brute-force protection | Failed login attempts logged in audit_log. Rate limit on login + signup endpoints (5 attempts / hour / IP). Honeypot field on signup. | Live |
| Session management | PHP session, 8-hour idle timeout, regenerated on login. Session ID rotated on privilege change (e.g. super-admin impersonation). | Live |
| File upload | Whitelist of allowed MIME types. Stored outside the web root, served through file.php with tenant ownership checks. | Live |
| HTTP security headers | HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Content-Security-Policy in progress. | Partial |
| Code review for security | Every PR reviewed by a second engineer with a security checklist. External pen test planned for 2026 Q4. | Partial |
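The password-storage and 2FA rows above, worked through as an added example (not Sanya's own code): Argon2id hashing with the bcrypt fallback, transparent rehash on login, and a code check with the stated 10-minute TTL and 5-attempt lockout. The storage layer and the shape of the stored challenge row are assumptions.

```php
<?php
// Added example, not Sanya's code: Argon2id with bcrypt fallback, rehash on
// login, and the 2FA code check (10-minute TTL, 5 attempts per code).
declare(strict_types=1);

// Pick the strongest algorithm this PHP build supports.
function preferred_hash_algo(): string
{
    // PASSWORD_ARGON2ID is only defined when PHP was built with libargon2.
    return defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;
}

function hash_password(string $plaintext): string
{
    // password_hash() picks a random salt and encodes algorithm + cost in the result.
    return password_hash($plaintext, preferred_hash_algo());
}

// Returns null when the password is wrong. On success returns the hash to keep:
// the stored one, or a fresh Argon2id hash if the stored one is a bcrypt hash
// left over from a build without Argon2 (caller persists it when it changes).
function verify_password(string $plaintext, string $storedHash): ?string
{
    if (!password_verify($plaintext, $storedHash)) {
        return null;
    }
    $algo = preferred_hash_algo();
    if (password_needs_rehash($storedHash, $algo)) {
        return password_hash($plaintext, $algo);
    }
    return $storedHash;
}

const TWO_FA_TTL_SECONDS = 600;   // 10-minute expiry
const TWO_FA_MAX_ATTEMPTS = 5;    // lockout per code

// $challenge is the assumed stored row: ['code' => string, 'issued_at' => int, 'attempts' => int].
// Attempts are counted before the comparison so a wrong guess never gets a free retry.
function check_2fa_code(array &$challenge, string $submitted, int $now): bool
{
    if ($now - $challenge['issued_at'] > TWO_FA_TTL_SECONDS) {
        return false;   // expired: user must request a new code
    }
    if ($challenge['attempts'] >= TWO_FA_MAX_ATTEMPTS) {
        return false;   // locked out: this code can no longer succeed
    }
    $challenge['attempts']++;
    return hash_equals($challenge['code'], $submitted);   // constant-time compare
}
```

A bcrypt hash created on a build without Argon2 verifies fine and is upgraded to Argon2id the next time the user logs in on a build that has it.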
Infrastructure security
| Control | What we do | Status |
|---|---|---|
| Encryption in transit | TLS 1.2 minimum. TLS 1.3 preferred. HTTPS-only across sanya.tz, my.sanya.tz, all tenant subdomains, and admin.sanya.tz. | Live |
| Encryption at rest | Hosting provider's disk encryption (LUKS / cloud KMS). Database-level encryption for sensitive columns (payment-related, audit-sensitive). | Live |
| Database isolation | One MySQL database per tenant. Each tenant DB has its own user with grants scoped to that DB only. No global GRANT *.* anywhere. | Live |
| OS & runtime patches | Platform & managed hosting: provider auto-patching enabled, PHP minor versions tracked, critical CVEs patched within 7 days, others within 30 days. Sanya Cloud VPS: patching the guest OS and your software is your responsibility. | Live |
| Backups | Platform: daily full backup of every tenant DB, encrypted, off-site, retained 30 days, restore tested quarterly. Sanya Cloud VPS: we do not back up your VPS — that is your responsibility (manual snapshots are self-service, not a backup). | Live |
| Firewall & WAF | Web application firewall (WAF) blocking known attack patterns. SSH key-only access for staff; root login disabled. | Live |
| DDoS protection | Cloudflare / hosting-provider edge mitigation. Application-level rate limits for login + signup. | Live |
| Geographic redundancy | Single-region production. Off-site backups in a different region. Multi-region active-active planned for 2027. | Planned |
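The database-isolation row above as an added example (not Sanya's provisioning code): one MySQL database and one MySQL user per tenant, grants scoped to that database only, and an audit helper for the "no global GRANT *.*" rule. It assumes an administrative PDO connection and a tenant slug already chosen by the platform.

```php
<?php
// Added example, not Sanya's provisioning code: per-tenant MySQL database and
// user with database-scoped grants, plus an audit check for grants on *.*.
declare(strict_types=1);

// Identifiers cannot be bound as PDO parameters, so the tenant slug is
// validated against a strict pattern before it is interpolated into DDL.
function tenant_identifier(string $slug): string
{
    // 't_' + 28 chars stays under MySQL's 32-character user name limit.
    if (!preg_match('/^[a-z0-9_]{3,28}$/', $slug)) {
        throw new InvalidArgumentException('invalid tenant slug');
    }
    return $slug;
}

function provision_tenant(PDO $admin, string $slug, string $dbPassword): void
{
    $id   = tenant_identifier($slug);
    $db   = "tenant_{$id}";
    $user = "t_{$id}";
    $pw   = $admin->quote($dbPassword);   // string literal: use the driver's quoting
    $admin->exec("CREATE DATABASE IF NOT EXISTS `{$db}` CHARACTER SET utf8mb4");
    $admin->exec("CREATE USER IF NOT EXISTS '{$user}'@'localhost' IDENTIFIED BY {$pw}");
    // Scoped to this one database; deliberately no ON *.* and no WITH GRANT OPTION.
    $admin->exec("GRANT SELECT, INSERT, UPDATE, DELETE ON `{$db}`.* TO '{$user}'@'localhost'");
}

// Audit helper: true if the tenant user holds any real privilege on *.*.
// Every account shows "GRANT USAGE ON *.*", which carries no privilege.
function has_global_grant(PDO $admin, string $slug): bool
{
    $user = 't_' . tenant_identifier($slug);
    $rows = $admin->query("SHOW GRANTS FOR '{$user}'@'localhost'")->fetchAll(PDO::FETCH_COLUMN);
    foreach ($rows as $grant) {
        if (str_contains($grant, ' ON *.* ') && !str_starts_with($grant, 'GRANT USAGE ON')) {
            return true;
        }
    }
    return false;
}
```

Running has_global_grant() over every tenant user in the quarterly access audit is one way to turn the "no global GRANT *.*" statement into a repeatable check.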
Operational security
| Control | What we do | Status |
|---|---|---|
| Staff access to customer data | Restricted to active support tickets you've opened. Every super-admin access is logged in master_audit_log with action super_admin.impersonate — visible to you on request. | Live |
| Confidentiality | All staff and contractors bound by confidentiality agreements covering customer data. | Live |
| Background checks | Reference checks for all staff with access to production systems. | Live |
| Quarterly access audit | Who can read what is reviewed every quarter and trimmed to minimum necessary. | Live |
| Incident response | Documented playbook covering detection, containment, investigation, customer notification, regulator notification (PDPC), post-mortem. | Live |
| Business continuity plan | RPO (recovery point objective) ≤ 24 hours. RTO (recovery time objective) ≤ 4 hours from declared incident. | Live |
Compliance & regulatory
| Framework | Posture | Status |
|---|---|---|
| Tanzania PDPA Act 2022 | Compliant. DPO appointed. Privacy notice published. Data subject rights operationalised. 72-hour breach notification. | Live |
| TCRA (SMS sending) | Sender ID registered. Opt-out respected. No SMS outside permitted hours unless transactional. | Live |
| TRA (tax compliance) | VAT collected on subscription where applicable. EFD-compliant invoice numbering supported for customers. | Live |
| EU GDPR | Aligned by design — hosting in EU brings us into GDPR scope by extension. Same controls, same DPO contact. | Live |
| SOC 2 Type I | Target: 2027. Internal readiness assessment underway. | Planned |
| ISO 27001 | Target: post-SOC 2. | Planned |
Vulnerability disclosure — we welcome reports
If you find a security issue in Sanya, please tell us before telling anyone else. We commit to:
- Acknowledge your report within 48 hours.
- Investigate and respond with a triage decision within 5 business days.
- Fix critical issues within 7 days, high-severity within 30 days, others within 90 days.
- Credit you publicly (if you wish) once the patch ships.
- Not pursue legal action against good-faith researchers acting within our disclosure policy.
Report security issues to security@sanya.tz. PGP key available on request.
What we do not have yet — and when we will
Being straight with you:
- No third-party penetration test report yet. First external pen test scheduled for Q4 2026. Report will be available under NDA after that.
- No formal SOC 2 / ISO 27001 audit. We follow the controls; we don't yet have the audit. Target: SOC 2 Type I in 2027, full ISO 27001 in 2028.
- No public uptime status page. Coming Q3 2026.
- No multi-region active-active. Single-region production with cross-region backups. Multi-region planned for 2027.
- No bug bounty programme. We pay informal rewards for high-impact reports today; formal programme planned once we have a triage team.
Asking for more
If you represent a larger organisation evaluating Sanya:
- A signable Data Processing Agreement is ready now.
- Security questionnaires (CAIQ, SIG Lite, etc.) — email security@sanya.tz. We typically turn these around within 5 business days.
- For a security walkthrough with our engineering team, contact legal@sanya.tz and we'll book a call.