Security & Trust

Your books, your customers, your cash — visible only to the people you choose.

Every feature in GwizaSuite is built on row-level security, full audit logging, and encrypted infrastructure. Here’s exactly how we protect your data.

Row-level security
Full audit log
🇷🇼 Built for RRA
Encrypted at rest & in transit
Daily backups

What we promise.

In plain language, before the technical detail.

Only your team sees your data

Your inventory, invoices, customers, and payments are visible only to people you’ve invited to your branch. Not to us, not to other GwizaSuite customers, not to anyone else.

Every change is logged, forever

Who edited that invoice. When. From which device. We log every write to your data and keep those logs for the life of your account — exactly what the RRA asks for in an audit.

Your data stays yours

If you cancel, we export everything to CSV within 7 days and delete your account within 30 days. No lock-in. No hostage data.

Your team’s access matches their role

A storekeeper can’t edit the ledger. A salesperson can’t close a period. Seven role types, each scoped to what they actually do.

We back up your data every day

Automatic encrypted backups every 24 hours. 30 days of point-in-time recovery. If something breaks, we can restore your books to any point in the last month.

How it works under the hood.

For IT teams, accountants, and anyone doing the diligence.

Row-Level Security

Every table, every row, scoped to a branch.

GwizaSuite runs on PostgreSQL with Row-Level Security (RLS) policies on every table that holds customer data. Every row carries a branch_id. Every query — whether from the staff dashboard, the customer portal, or a direct database connection — is filtered against the authenticated user’s branch_id at the database level.

  • Enforced in the database, not the application layer
  • Cannot be bypassed by a bug in our code
  • Verified by automated test suite on every deploy
  • Audited by external reviewer each quarter

-- Simplified RLS policy on the invoices table
CREATE POLICY "branch_isolation" ON invoices
  FOR ALL
  USING (branch_id = (
    SELECT branch_id FROM users
    WHERE id = auth.uid()
  ));

Simplified. Our real policies also enforce role-based column-level permissions.

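
A branch-isolation check of the kind the list above describes, as an added example that is not GwizaSuite's own code or test suite. It assumes a scratch PostgreSQL database and a superuser session; the schema, sample rows, the app_user role and the app.user_id setting (standing in for auth.uid()) are constructed for illustration.

```sql
-- Added example: constructed schema and rows. current_setting('app.user_id')
-- is an assumed stand-in for auth.uid(), which plain PostgreSQL lacks.
BEGIN;
CREATE TABLE users    (id int PRIMARY KEY, branch_id int NOT NULL);
CREATE TABLE invoices (id int PRIMARY KEY, branch_id int NOT NULL, total numeric);
INSERT INTO users    VALUES (1, 10), (2, 20);
INSERT INTO invoices VALUES (1042, 10, 118000), (850, 20, 59000);

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner is exempt from its own policies.
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- No WITH CHECK clause: for FOR ALL, USING is also applied to new rows.
CREATE POLICY branch_isolation ON invoices
  FOR ALL
  USING (branch_id = (
    SELECT branch_id FROM users
    WHERE id = current_setting('app.user_id')::int
  ));

-- Hypothetical application role; superusers and BYPASSRLS roles skip RLS.
CREATE ROLE app_user NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;
GRANT SELECT ON users TO app_user;

SET LOCAL ROLE app_user;
SET LOCAL app.user_id = '1';  -- user 1 belongs to branch 10

DO $$
DECLARE n bigint;
BEGIN
  -- Read: no row from another branch may be visible.
  SELECT count(*) INTO n FROM invoices WHERE branch_id <> 10;
  IF n <> 0 THEN RAISE EXCEPTION 'cross-branch read leaked % rows', n; END IF;

  -- Update: a row in another branch is invisible, so nothing is touched.
  UPDATE invoices SET total = 0 WHERE id = 850;
  GET DIAGNOSTICS n = ROW_COUNT;
  IF n <> 0 THEN RAISE EXCEPTION 'cross-branch update touched % rows', n; END IF;

  -- Insert: writing a row for another branch must be rejected.
  BEGIN
    INSERT INTO invoices VALUES (9999, 20, 1);
    RAISE EXCEPTION 'cross-branch insert was accepted';
  EXCEPTION WHEN insufficient_privilege THEN
    NULL;  -- expected: row-level security violation (SQLSTATE 42501)
  END;
END $$;
ROLLBACK;
```

The script ends in ROLLBACK, so it leaves nothing behind; any exception raised by the DO block means one of the three isolation checks failed.
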
Rwanda-first compliance

Built for the RRA. Not retrofitted.

Most accounting tools treat Rwandan tax compliance as an afterthought. We treat it as the foundation. Your GwizaSuite account is audit-ready from day one.

  • 18% VAT automatically calculated and tracked per invoice
  • VAT return summaries exportable in RRA-accepted formats
  • 7-year retention on all financial records, per RRA requirement
  • EBM (Electronic Billing Machine) integration roadmap published
  • Quarterly compliance review with a Rwandan-licensed accountant
  • Periods lock on close — auditors see a frozen, tamper-evident ledger

What RRA auditors ask for — and where we keep it

  • "Show me all sales for Q3 2025": Reports → Sales export (CSV/PDF)
  • "Who edited invoice #1042?": Audit log → Filter by record
  • "Prove VAT was collected on order #850": Invoice → VAT breakdown
  • "List all voided invoices last year": Sales → Filter: status=void
  • "What was inventory value on Dec 31?": Stock ledger → Point in time
  • "Show me the locked period for 2024": Accounting → Periods → 2024-Q4

When something goes wrong, here’s what we do.

No system is invulnerable. The question is how you respond.

We detect

Automated alerts on unusual access patterns, failed logins, database anomalies. On-call engineer paged within 5 minutes.

We contain + investigate

Affected systems isolated. Root cause analysis within 24 hours. Forensic trail preserved via audit log.

We tell you — fast

If your data was affected, we email every affected account owner within 72 hours. Full post-mortem published within 14 days, regardless of severity.

Found a security issue?
Report it to security@gwizasuite.com. We respond within 24 hours and publish a hall-of-fame for responsible disclosures.
Need a deeper document for your audit or procurement team?

Download our full Security & Compliance Brief (PDF, 18 pages). Covers infrastructure, encryption, backup procedures, incident response playbook, data processing addendum, and a complete RLS policy index.

Download Security Brief (PDF)
Request a DPA (Data Processing Agreement)

Security FAQ.

The questions procurement teams and accountants actually ask.

Your production data is hosted in a managed EU region with redundant availability zones. Daily encrypted backups are retained for 30 days. We can provide the exact region under NDA during procurement — we intentionally don’t publish vendor names so we can change infrastructure without breaking trust.

Trust, then verify.

Start your 14-day trial. Inspect every audit log, every role, every backup — with your own data.

Start free trial
Or book a security walkthrough