Why we’re publishing this
We get asked about security less often than we’d like. Most suppliers assume that if the software works, the security works — and most of the time, they’re wrong to assume it. Here is the full playbook, warts and all.
Row-level security on every table that holds customer data
Every table carrying a customer’s data has a branch_id column. Every query — from the dashboard, the portal, or a direct database connection — is filtered against the authenticated user’s branch_id at the database level, not the application level. That means a bug in our code can’t accidentally leak another branch’s invoices, because the database applies the filter no matter what query the app sends.
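The sketch below shows one way database-level branch filtering can be set up. It is an added illustration, not Gwiza Suite's actual schema: it assumes PostgreSQL, and the invoices table, the app_user role, the app.branch_id setting and the UUID values are hypothetical names and constructed sample data.

```sql
-- Assumption: PostgreSQL. All object names and values here are illustrative.
CREATE TABLE invoices (
    id         bigserial PRIMARY KEY,
    branch_id  uuid NOT NULL,
    total      numeric(12,2) NOT NULL
);

-- The application connects as a role that is neither superuser nor BYPASSRLS;
-- either attribute would skip every policy below.
CREATE ROLE app_user LOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;
GRANT USAGE ON SEQUENCE invoices_id_seq TO app_user;

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
-- Table owners bypass policies by default; FORCE closes that gap.
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- USING filters which rows SELECT/UPDATE/DELETE can see.
-- WITH CHECK rejects INSERT/UPDATE that would write another branch's row.
-- current_setting(..., true) yields NULL when the setting was never set and ''
-- after a transaction-local value expires; NULLIF maps both to NULL, so the
-- comparison is never true and the session sees no rows (fail closed).
CREATE POLICY branch_isolation ON invoices
    FOR ALL TO app_user
    USING      (branch_id = NULLIF(current_setting('app.branch_id', true), '')::uuid)
    WITH CHECK (branch_id = NULLIF(current_setting('app.branch_id', true), '')::uuid);

-- Per request, after the user is authenticated (run as app_user):
BEGIN;
-- Third argument true = value lasts only for this transaction, so it cannot
-- leak to the next request on a pooled connection.
SELECT set_config('app.branch_id', '11111111-1111-1111-1111-111111111111', true);
SELECT id, total FROM invoices;   -- returns only branch 1111... rows
COMMIT;

BEGIN;
SELECT set_config('app.branch_id', '11111111-1111-1111-1111-111111111111', true);
-- Fails with "new row violates row-level security policy" (WITH CHECK).
INSERT INTO invoices (branch_id, total)
VALUES ('22222222-2222-2222-2222-222222222222', 10.00);
ROLLBACK;

-- No branch set at all: the policy predicate is NULL, so zero rows come back.
SELECT count(*) FROM invoices;
```

In this pattern the database trusts whatever value the connection sets, so app.branch_id must be derived from the authenticated session and never from request parameters.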
Audit log on every write
Create an invoice, void a payment, close a period, edit a credit limit — every mutation writes an append-only row to the audit_events table: actor, timestamp, IP, user-agent, module, action, before-value, after-value. Users can’t edit or delete audit rows. The table is retained for the life of the account — seven years minimum, per RRA.
Encryption, both directions
- TLS 1.3 for all client-server traffic.
- AES-256 at rest on the database, backups, and file storage.
- Secrets in an encrypted vault, not environment files.
- bcrypt-hashed passwords. No plaintext, ever.
Backups we actually test
Daily encrypted backups, retained 30 days, with point-in-time recovery across the window. Every quarter, we do a restore drill — take a real backup, restore to a fresh environment, walk the data. Backups that are never tested are not backups; they’re wishful thinking. Our restore drills have caught two minor issues in two years. Both were fixed within a week.
Hall of fame for responsible disclosure
If you find a security issue, email security@gwizasuite.com. We respond within 24 hours, publish a coordinated-disclosure timeline, and — with your permission — credit you on our hall-of-fame page. Two researchers have filed reports so far; both are named there.
We don’t publish infrastructure provider names, region specifics, or the exact list of IPs with production access. That information is available under NDA during procurement — we just don’t make it a public shopping list for attackers.
Security is a process, not a feature. If any of this surprises you, or if you want the long-form version for a procurement review, write to security@gwizasuite.com and we’ll send you the 18-page brief.