Architecture
Severus runs a two-tier architecture: a gateway service that terminates customer traffic and a canonical core service that owns the data model. The gateway is what your browser talks to; the core service is private and never exposed to the public internet directly.
Authentication
- Bcrypt-hashed credentials at rest.
- Short-lived JWT access tokens with refresh-token rotation.
- TOTP-based multi-factor authentication for every account that can approve money. Backup codes delivered by email are accepted in the same input field.
- Single sign-on via SAML / OIDC (enterprise plan).
Data protection
- TLS 1.2+ on every connection.
- Per-workspace tenancy boundaries enforced at the data layer.
- Backups encrypted at rest with a 30-day retention window.
- Soft-delete by default for every entity — destructive actions are recoverable up to the retention window.
Audit & monitoring
Every approval, disbursement, admin change, and authentication event is recorded to a tamper-evident audit log retained for at least 7 years. The log is read-only inside the product; unredacted exports are available to admins for compliance use.
Incident response
Customer-impacting incidents are tracked publicly on status.severus.ng. We commit to a postmortem within five business days for any sev-1 / sev-2 incident, posted to the same channel.
Reporting issues
Email security@severus.ng with any vulnerability disclosure. We respond within one business day. Please do not file public issues — we coordinate disclosure timelines with affected customers first.