
Security Statement

Last Updated: 10 November 2025

At PAA CAPITAL GROUP, safeguarding the confidentiality, integrity, and availability of customer information is a core obligation. As a licensed financial services provider and Virtual Asset Service Provider (VASP), we implement industry-leading security standards across all digital and operational systems. This Security Statement outlines how we protect your data, your accounts, and our infrastructure.

1. Our Security Commitment

We design all systems with a security-first approach. This includes multilayer protection, strict access controls, and ongoing risk assessments aligned with:

  • ISO/IEC 27001 principles

  • NIST Cybersecurity Framework

  • EU GDPR security requirements

  • Botswana Data Protection Act (2018)

  • Kenya Data Protection Act (2019)

  • FATF recommendations for VASPs

Security is continuously monitored, audited, and updated to respond to emerging threats.

2. Data Encryption

2.1 In Transit

All communication between your browser/app and our servers is encrypted using TLS 1.2+ with modern cipher suites.

2.2 At Rest

Sensitive data is encrypted with AES-256, and access is restricted using zero-trust principles.

2.3 On Mobile Devices

Mobile SDK traffic is fully encrypted, and sensitive actions require re-authentication.

3. Account Security

3.1 Multi-Factor Authentication (MFA)

Strong MFA is required for all users and staff. Additional device and IP risk scoring is performed during login and sensitive transactions.

3.2 Device & Session Monitoring

We detect unusual login patterns, device changes, and sessions originating from high-risk geographies.

3.3 Anti-Phishing Controls

We use domain protection (SPF, DKIM, DMARC) and enforce strong sender-verification practices to prevent phishing attempts.

4. Infrastructure & Application Security

4.1 Secure Hosting & Network Segmentation

Systems are hosted in compliant data centers with:

  • 24/7 monitoring

  • Network segmentation

  • Web Application Firewalls (WAF)

  • DDoS protection

4.2 Continuous Monitoring

Our Security Operations Centre (SOC) monitors:

  • Intrusion attempts

  • Fraud indicators

  • Authentication anomalies

  • Crypto-asset movement patterns

4.3 Patch & Vulnerability Management

Critical vulnerabilities are addressed with priority patching, supported by automated scanning and manual code reviews.

5. Payment & Crypto Security

5.1 Fiat Payments

All fiat transactions undergo layered AML/CFT controls, velocity checks, and beneficiary verification.

5.2 Digital Asset Security

As a licensed VASP, we use secure custody models, including:

  • Multi-signature wallets

  • Hardware-secured key storage

  • Transaction whitelisting

  • Real-time risk-scoring

5.3 Fraud Prevention

Machine-learning models monitor patterns associated with scams, mule activity, account takeover, or illicit crypto flows.

6. Staff Access & Insider Risk Controls

6.1 Role-Based Access Control (RBAC)

Only authorized personnel may access systems, and all access is logged, monitored, and regularly reviewed.

6.2 Mandatory Security Training

All employees—including contractors—receive regular training in:

  • Cybersecurity hygiene

  • Data protection

  • Financial crime prevention

  • Secure operational practices

6.3 Background Screening

Staff with elevated access undergo enhanced screening in line with regulatory obligations.

7. Independent Audits & Regulatory Oversight

We undergo scheduled reviews by:

  • Licensed auditors

  • IT security assessors

  • National regulators (financial and data protection)

These assessments cover AML/CFT controls, information security, privacy compliance, and operational resilience.

8. Incident Response & Business Continuity

8.1 Incident Response

We maintain a formal Incident Response Plan covering:

  • Detection

  • Containment

  • Forensic investigation

  • Notification (where required by law)

8.2 Business Continuity

Redundant systems, off-site backups, and failover processes ensure continuity of services.

9. Customer Responsibilities

While we maintain strong security controls, customers also play an important role:

  • Use strong, unique passwords

  • Enable MFA

  • Keep devices updated and secure

  • Never share login or recovery codes

  • Report suspicious activity immediately

10. Contacting Us About Security

If you wish to report a security concern, vulnerability, or suspected fraud, please contact us via:

Security Desk (preferred):
https://support.paacapital.com

Confidential Hotline (for sensitive matters):
https://ethics.paacapital.com

Postal:
PAA CAPITAL GROUP
Ludwigsplatz 5
67547 Worms, Germany

We do not recommend sending sensitive information via email.

11. Updates to This Statement

We may update this Security Statement to reflect technological, regulatory, or operational changes. Updates will be published on this page with an updated date.