We document what's actually in place, not aspirational checklists. If a control is listed here, you can find it in our codebase or infrastructure configuration today. If it's missing, we'll get to it, and it will appear on this page when it ships.
Kigs Apex products, including CashTrace and Rentisha, run on Google Cloud Run. Cloud Run containers are ephemeral, auto-scaled, and sandboxed by gVisor, a user-space kernel that mediates the container's system calls rather than exposing the host kernel directly. Production traffic terminates TLS at Google's load balancer before reaching our services.
Compute
Google Cloud Run (Nairobi-region eligible; failover across EU-West regions where applicable).
TLS
Enforced by Google Cloud load balancer. HTTP is not accepted.
Container runtime
Dockerised, standalone Next.js output (output: 'standalone' in next.config.js).
Secrets
Managed via Google Secret Manager and environment variables, not committed to source.
Every response from kigsapexsolutions.com carries the following security headers (configured in next.config.js):
HSTS
max-age=31536000; includeSubDomains; preload. A browser that has seen this header refuses plaintext HTTP to the domain and every subdomain for one year. The preload directive only marks the site as eligible for the browser preload lists; inclusion requires a separate submission at hstspreload.org.
X-Frame-Options
DENY. The site cannot be embedded in third-party iframes.
X-Content-Type-Options
nosniff. Browsers must use the declared Content-Type and must not MIME-sniff a response into a different type.
Content-Security-Policy
default-src 'self'; frame-src limited to google.com and maps.google.com; connect-src 'self'; frame-ancestors 'none'. frame-ancestors 'none' is the CSP counterpart of X-Frame-Options: DENY; browsers that understand both give the CSP directive precedence, and the two agree here.
Referrer-Policy
origin-when-cross-origin. Same-origin navigations and requests send the full URL; cross-origin ones send only the origin, so paths and query strings are not leaked to third-party sites.
Permissions-Policy
Camera, microphone, geolocation, payment, USB, accelerometer, gyroscope, magnetometer all denied by default.
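As an added illustration (not the site's own next.config.js), the following JavaScript shows a Next.js headers() entry that emits the six headers listed above, together with a small CSP inspector that reports which directives inherit from default-src. The CSP host list with an https scheme, the route pattern and the helper names are reconstructed from the prose and are assumptions.

```javascript
// Added illustration (not the site's own next.config.js) of a Next.js
// headers() entry emitting the header set described on this page, plus a
// CSP inspector showing which directives fall back to default-src.
// The host list, https scheme and route pattern are assumptions.
const CSP_DIRECTIVES = {
  'default-src': ["'self'"],
  'frame-src': ['https://google.com', 'https://maps.google.com'],
  'connect-src': ["'self'"],
  'frame-ancestors': ["'none'"],
};

const DENIED_FEATURES = [
  'camera', 'microphone', 'geolocation', 'payment',
  'usb', 'accelerometer', 'gyroscope', 'magnetometer',
];

function cspHeaderValue(directives = CSP_DIRECTIVES) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Permissions-Policy uses structured-header syntax: feature=() denies the
// feature to every origin, including the page's own.
function permissionsPolicyValue(features = DENIED_FEATURES) {
  return features.map((f) => `${f}=()`).join(', ');
}

function securityHeaders() {
  return [
    { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
    { key: 'X-Frame-Options', value: 'DENY' },
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'Content-Security-Policy', value: cspHeaderValue() },
    { key: 'Referrer-Policy', value: 'origin-when-cross-origin' },
    { key: 'Permissions-Policy', value: permissionsPolicyValue() },
  ];
}

// The shape Next.js reads from next.config.js; in the real file this
// object is assigned to module.exports.
const nextConfig = {
  output: 'standalone',
  async headers() {
    return [{ source: '/:path*', headers: securityHeaders() }];
  },
};

function headerValue(name, headers = securityHeaders()) {
  const found = headers.find((h) => h.key.toLowerCase() === name.toLowerCase());
  return found ? found.value : undefined;
}

// Parses a serialised policy into Map<directive, sources[]>.
function parseCsp(value) {
  const policy = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Directives that never inherit from default-src: when absent they are
// simply unconstrained.
const NO_FALLBACK = new Set([
  'frame-ancestors', 'base-uri', 'form-action', 'sandbox', 'report-uri', 'report-to',
]);

// Source list that actually governs `directive` under the CSP fallback
// rules (frame-src -> child-src -> default-src; other fetch directives ->
// default-src), or null when nothing in the policy constrains it.
function effectiveSources(policy, directive) {
  let chain;
  if (directive === 'frame-src') chain = ['frame-src', 'child-src', 'default-src'];
  else if (NO_FALLBACK.has(directive)) chain = [directive];
  else chain = [directive, 'default-src'];
  for (const d of chain) if (policy.has(d)) return policy.get(d);
  return null;
}
```

Running effectiveSources over the policy as listed shows script-src and img-src governed by default-src 'self', frame-src by the two Google hosts, and form-action and base-uri unconstrained, because those directives do not fall back to default-src. That is a property of CSP semantics, not a statement about what the site's full policy contains.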
Public API routes on this site (contact form, questionnaire, newsletter) enforce request-origin validation and per-IP rate limits before processing. The implementation lives in lib/rateLimit.js and lib/security.js.
Origin allowlist
Requests must originate from kigsapexsolutions.com (or localhost in development). Missing or mismatched Origin/Referer is rejected. Because both headers are set by the browser, this blocks cross-site abuse from web pages (CSRF-style form posts) but is not authentication: a non-browser client can send any value, which is why the check sits in front of, rather than in place of, rate limiting and validation.
Rate limits
Per-IP sliding-window counters. Subscribe: 3/hour. Contact submissions: limited at the server level.
Log hygiene
User input is sanitized before any logging (sanitizeForLog in lib/security.js); no raw user content reaches the logs.
Input validation
Email and phone patterns validated server-side regardless of client-side checks.
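As an added example (not the site's lib/rateLimit.js or lib/security.js), the following JavaScript shows how the four controls above compose in front of a route handler: an Origin/Referer allowlist, a per-IP sliding-window limiter at the 3-per-hour subscribe limit, scrubbing of user input before it is logged, and server-side email/phone validation. The allowlisted origins, the localhost port, the phone pattern, the header-object shape and the function names are assumptions; a Next.js route handler would read the headers with request.headers.get() and should take the client address that the load balancer appends to X-Forwarded-For, not the first entry, which the client controls.

```javascript
// Added example, not the site's lib/rateLimit.js or lib/security.js.
// Allowlist entries, localhost port, phone pattern and header shape are
// assumptions made for the example.
const ALLOWED_ORIGINS = new Set(['https://kigsapexsolutions.com']);
const DEV_ORIGINS = new Set(['http://localhost:3000']);

// `headers` is a plain object of lower-cased header names, standing in for
// request.headers.get(...). Origin is preferred; Referer is the fallback.
function isAllowedOrigin(headers, { dev = false } = {}) {
  const candidate = headers.origin || headers.referer;
  if (!candidate) return false;                 // neither header present: reject
  let origin;
  try { origin = new URL(candidate).origin; } catch { return false; }
  return ALLOWED_ORIGINS.has(origin) || (dev && DEV_ORIGINS.has(origin));
}

// Sliding window over real timestamps: at most `limit` hits per key in any
// trailing `windowMs`. State is per process, so on an autoscaled platform
// each instance counts separately unless backed by a shared store.
class SlidingWindowLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map();
  }
  allow(key, now = Date.now()) {
    const recent = (this.hits.get(key) || []).filter((t) => now - t < this.windowMs);
    if (recent.length >= this.limit) { this.hits.set(key, recent); return false; }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

// Strips CR/LF and other control characters so a crafted field cannot
// forge extra log lines, and caps length so logs cannot be flooded.
function scrubForLog(input, maxLen = 200) {
  return String(input).replace(/[\x00-\x1f\x7f]/g, '').slice(0, maxLen);
}

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const PHONE_RE = /^\+?[1-9]\d{7,14}$/;        // E.164-style digits; assumption

// Server-side validation that runs regardless of what the client checked.
function validateContact({ email, phone } = {}) {
  const errors = [];
  if (!EMAIL_RE.test(String(email || ''))) errors.push('email');
  if (phone !== undefined && !PHONE_RE.test(String(phone).replace(/[\s-]/g, ''))) errors.push('phone');
  return errors;
}

const subscribeLimiter = new SlidingWindowLimiter({ limit: 3, windowMs: 60 * 60 * 1000 });

// Decision for a subscribe request: origin check, then rate limit, then
// validation. `ip` should be the platform-appended client address.
function guardSubscribe({ headers = {}, ip, body = {} },
                        { now = Date.now(), dev = false, limiter = subscribeLimiter } = {}) {
  if (!isAllowedOrigin(headers, { dev })) return { status: 403, reason: 'origin' };
  if (!limiter.allow(ip, now)) return { status: 429, reason: 'rate' };
  const errors = validateContact(body);
  if (errors.length) return { status: 400, reason: `invalid:${errors.join(',')}` };
  console.log(`subscribe ok ip=${ip} email=${scrubForLog(body.email)}`);
  return { status: 200, reason: 'ok' };
}
```

The ordering matters: the origin check and the limiter run before the body is parsed or validated, so a cross-site or flooding client is refused before it costs anything. The in-memory Map is the simplest form of the counter; because Cloud Run instances are ephemeral and scale out, the effective limit is per instance unless the counter lives in a shared store.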
Rentisha, our property operations product, handles tenant and owner data. It is designed to comply with Kenya's Data Protection Act 2019 and the regulatory posture expected by the Office of the Data Protection Commissioner (ODPC).
Consent capture
Tenants explicitly consent to data processing at onboarding. Consent state is stored and surfaced in their portal.
Purpose limitation
Tenant data is used for rent collection, arrears follow-up, maintenance, and compliance; it is not used for marketing and not sold to third parties.
Right of access
Tenants can download their own ledger, statements, and lease documents from the Rentisha portal at any time.
SMS channel
Outbound SMS is routed through a bulk SMS provider licensed by the Communications Authority of Kenya (CA), using a registered business Sender ID.
Anti-harassment caps
Automated tenant messaging includes frequency caps, mandatory opt-out language, and immutable audit of every message sent.
Invoices issued through Rentisha are transmitted to the Kenya Revenue Authority via the eTIMS API at the moment of issue. This keeps the landlord's VAT and withholding posture synchronised with KRA without a separate filing step.
Transmission
Every invoice reaches KRA eTIMS within the same request cycle as issuance. Failures are queued for retry and surfaced on the compliance dashboard.
Audit log
Every eTIMS submission is written to an append-only audit log per invoice, retained for the statutory period.
If you believe you've found a security issue in any Kigs Apex product or on this site, email security@kigsapexsolutions.com or info@kigsapexsolutions.com. We acknowledge reports within 48 business hours, give a triage decision within 5 business days, and keep reporters updated through remediation. We don't threaten good-faith security researchers with legal action.
Acknowledgement SLA
48 business hours from report receipt.
Triage SLA
5 business days for a severity classification and remediation timeline.
Disclosure
Coordinated. We prefer private disclosure first; happy to credit reporters publicly on resolution.
We don't hide incomplete work. At the time of writing:
Updates to this page appear in the changelog.