Trust center

Trust, security, and data at RSBazaar

A practical summary of how we protect accounts, payments, and personal data — and how to reach us when something looks wrong.

Security practices

The controls below are live across rsbazaar.org. They evolve; the latest behaviour is what runs in production.

Encryption in transit

Every byte between your device and rsbazaar.org is delivered over TLS with HSTS preloaded, so browsers refuse the unencrypted fallback even on first visit.

Strong sign-in

Passwords are stored as salted Argon2 hashes. Time-based one-time passcodes (TOTP) protect withdrawals and sensitive changes; recovery codes are issued only once and never re-shown.

Default-deny staff access

Staff roles are additive and least-privilege. Sensitive customer data is redacted by default; reveals require a typed reason and are written to an append-only audit log.

Tamper-evident audit chain

Console mutations write a hash-chained event with the previous event's digest. Verification cron checks integrity nightly and raises an incident if the chain breaks.

CSRF + Sec-Fetch enforcement

State-changing requests must originate from a same-origin browser tab with intact Sec-Fetch metadata; cross-site posts are rejected with a 403 reason code, not silent acceptance.

Continuous abuse detection

Rate limits, per-actor buckets, and anomaly rules feed a Trust Queue that escalates by severity. Staff act on bundled evidence, never on a one-line alert.

Data handling & retention

Plain-language summary; the legally binding text lives in our Privacy Policy and Terms of Service.

Data	Retention	Why we keep it
Authentication & session events	2 years (rolling window, then deletion)	Investigate account takeovers, support replay-resistant disputes.
Order, payment, and wallet ledger entries	7 years from completion	Legal and tax obligations for a financial marketplace.
KYC documents & decisions	Retained for the life of the account + 5 years; encrypted at rest	AML compliance and dispute resolution.
Hash-chained audit events	2 years for non-financial events; 7 years for events tied to money or KYC	Tamper evidence; staff and regulator review.
Marketing & analytics consent state	Until you change it; latest value wins	Honor opt-outs immediately and demonstrate consent.

Your self-serve controls

Manage your own copy of the data and your privacy preferences from the Account → Security & privacy hub. Request a portable export, change marketing and personalisation toggles, or open Account settings to close your account.

Incident handling

How we respond when something does go wrong. Public postmortems for customer-impacting incidents will be listed below.

Detection

Automated checks (rate limits, anomaly rules, integrity verifier) plus monitoring alerts surface issues to on-call within minutes.

Triage

An incident manager classifies severity, assigns an owner, and opens a private incident channel. Customer impact is the first question.

Containment

Affected sessions can be revoked, withdrawals frozen, and exposed credentials rotated. Staff actions during incidents are themselves audited.

Communication

When an incident affects you, we email the registered address with what happened, what we did, and what you should do. We do not hide downtime.

Postmortem

After the fix, we write a public-friendly summary on this page. The full internal postmortem covers root cause, timeline, and prevention work.

Recent incidents

No customer-impacting incidents have been disclosed. Live operational status of every customer-facing surface is on the System status page; postmortems for any future customer-impacting incident will appear there with timing, scope, and the prevention work we did.

How to reach us

Pick the right channel so the right team sees your message first.

Security report

Suspected vulnerability or active abuse against the platform. security@rsbazaar.org. Please include reproduction steps; do not exploit beyond what is needed to demonstrate the issue.

Customer support

Account, order, payment, or wallet questions. Use Support or support@rsbazaar.org.

Legal & compliance

Subpoenas, data preservation, or legitimate law-enforcement requests: legal@rsbazaar.org. Privacy questions: privacy@rsbazaar.org.

Reference documents

Data

Retention

Why we keep it

Authentication & session events

2 years (rolling window, then deletion)

Investigate account takeovers, support replay-resistant disputes.

Order, payment, and wallet ledger entries

7 years from completion

Legal and tax obligations for a financial marketplace.

KYC documents & decisions

Retained for the life of the account + 5 years; encrypted at rest

AML compliance and dispute resolution.

Hash-chained audit events

2 years for non-financial events; 7 years for events tied to money or KYC

Tamper evidence; staff and regulator review.

Marketing & analytics consent state

Until you change it; latest value wins

Honor opt-outs immediately and demonstrate consent.