Your documents. Protected.
XOYA processes passport scans, bank statements, and personal documents. We take that seriously. Here is exactly how we handle your data.
Where we stand.
How we protect your data.
Encryption in transit and at rest
All documents are transmitted over TLS 1.3 and stored with AES-256 encryption at rest. No exceptions.
Data residency
African applicant data is stored on servers within Africa. Enterprise and government partners can specify data residency requirements.
Retention limits
Documents are retained only for the duration of the application process plus a statutory compliance window. Applicants can request deletion at any time.
No third-party data sales
XOYA does not sell, share, or monetize applicant document data. Documents are not used to train third-party models without explicit consent.
Audit-grade logs
Every action on every document is logged with timestamp, actor, and action. Logs are immutable and available to enterprise partners.
Role-based access controls
Applicant documents are accessible only to the applicant, their designated XOYA case manager, and authorized organizational admins.
You own your data.
Request a copy of all personal data XOYA holds about you at any time.
Request deletion of your personal data. XOYA will comply within 30 days, subject to legal retention obligations.
Request your data in a structured, machine-readable format.
Object to processing of your personal data at any time.
Request correction of inaccurate personal data.
Responsible disclosure.
If you discover a security vulnerability in XOYA infrastructure, we ask you to disclose it responsibly. We commit to acknowledging valid reports within 48 hours and resolving critical issues within 30 days.
Report to: security@xoyavisa.io