Compliance & Security

Our commitment to protecting your data and maintaining the highest standards of security and regulatory compliance.

Last updated: January 2026

1. Our Commitment

At MOMO LENS, we take compliance and security seriously. We are committed to protecting your data and maintaining compliance with all applicable laws and regulations in the jurisdictions where we operate.

This page outlines our compliance framework, security measures, and certifications. For detailed information about how we handle your data, please see our Privacy Policy.

2. Regulatory Compliance

We comply with data protection and privacy laws in all jurisdictions where we operate:

GDPR (EU/UK)

General Data Protection Regulation compliance for European Union and United Kingdom users.

Zambia Data Protection Act 2021

Full compliance with the Data Protection Act No. 3 of 2021.

Nigeria Data Protection Regulation

Compliance with NDPR 2019 and Nigeria Data Protection Commission requirements.

Kenya Data Protection Act

Compliance with the Data Protection Act, 2019 and Office of the Data Protection Commissioner requirements.

Tanzania Personal Data Protection Act

Compliance with Tanzania's Personal Data Protection Act.

South Africa POPIA

Compliance with the Protection of Personal Information Act (POPIA) and Information Regulator requirements.

Ghana Data Protection Act

Compliance with the Data Protection Act, 2012 and Data Protection Commission requirements.

Uganda Data Protection Act

Compliance with the Data Protection and Privacy Act, 2019.

Thailand Personal Data Protection Act

Compliance with Thailand's Personal Data Protection Act (PDPA).

3. Security Standards

We implement industry-leading security measures to protect your data:

Encryption

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • End-to-end encryption for sensitive data
  • Encrypted backups stored securely

Access Controls

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) for staff
  • Secure password policies (minimum 8 characters; passwords are stored only as bcrypt hashes, never in plaintext)
  • JWT token-based authentication
  • Session timeout and automatic logout
  • Strict data isolation between merchants

Monitoring & Auditing

  • Comprehensive audit logging for all data access
  • Real-time security monitoring and alerting
  • Intrusion detection and prevention systems
  • Regular security audits and penetration testing
  • Activity tracking and anomaly detection

Infrastructure Security

  • AWS cloud infrastructure with enterprise-grade security
  • Firewalls and network segmentation
  • DDoS protection and mitigation
  • Regular security patches and updates
  • Disaster recovery and business continuity plans
  • 99.9% uptime SLA target

4. Data Protection Measures

4.1 Data Minimization

We only collect and process the minimum amount of personal data necessary to provide our Service. We do not collect data "just in case" or for purposes unrelated to service delivery.

4.2 Purpose Limitation

Personal data is collected for specified, explicit, and legitimate purposes. We do not use your data for purposes incompatible with those for which it was collected.

4.3 Storage Limitation

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Financial records are retained for 7 years as required by regulations.

4.4 Data Accuracy

We take reasonable steps to ensure personal data is accurate and kept up to date. You can update your information at any time through your account settings.

4.5 Data Subject Rights

We respect and facilitate your data protection rights, including access, rectification, erasure, portability, and objection. See our Privacy Policy for details on how to exercise these rights.

5. Third-Party Service Providers

We use trusted third-party service providers that maintain high security and compliance standards:

Stripe (Payment Processing)

PCI DSS Level 1 certified, SOC 2 Type II compliant. All payment data is processed securely by Stripe. We never store full payment card details.


AWS (Cloud Infrastructure)

ISO 27001, SOC 1/2/3, PCI DSS Level 1, HIPAA, GDPR compliant. Enterprise-grade security and compliance certifications.


Google (OAuth Authentication)

GDPR compliant, SOC 2/3 certified. Used only for optional OAuth authentication.


All third-party service providers are contractually obligated to maintain appropriate security measures and comply with applicable data protection laws.

6. Incident Response & Breach Notification

We have established procedures for detecting, responding to, and reporting security incidents:

  • Incident Detection: Automated monitoring, alerting, and security event detection
  • Response Procedures: Documented incident response plan with defined roles and responsibilities
  • Breach Notification: We will notify affected users and relevant data protection authorities within 72 hours of becoming aware of a data breach, as required by law
  • Remediation: Immediate containment and remediation measures to address security incidents
  • Post-Incident Review: Analysis and improvement of security measures following incidents

7. Compliance Monitoring & Auditing

We maintain ongoing compliance through:

  • Regular internal compliance reviews and assessments
  • Annual security audits and penetration testing
  • Continuous monitoring of regulatory changes and updates
  • Staff training on data protection and security best practices
  • Documentation of compliance measures and procedures
  • Regular updates to policies and procedures to reflect legal requirements

8. Security Practices & Standards

We follow industry best practices and standards:

  • OWASP Top 10: Protection against common web application vulnerabilities
  • NIST Cybersecurity Framework: Risk-based approach to cybersecurity
  • ISO 27001 Principles: Information security management best practices
  • Privacy by Design: Data protection built into system architecture
  • Defense in Depth: Multiple layers of security controls
  • Least Privilege: Users and systems granted minimum necessary access

9. Your Responsibilities

While we implement strong security measures, you also play a role in protecting your data:

  • Use a strong, unique password for your account
  • Keep your account credentials confidential
  • Enable multi-factor authentication if available
  • Log out when using shared devices
  • Keep your app and device software up to date
  • Report any suspicious activity or security concerns immediately
  • Comply with applicable data protection laws when collecting customer data
  • Obtain necessary consents for data collection and processing

10. Compliance Inquiries

If you have questions about our compliance practices or security measures, please contact us: