Your money, protected to the last cent
At Centeem, security isn't an option: it's built into every line of code, every transaction, every identity check.
Mandatory identity verification
Before any transfer, every user completes an identity check (KYC): ID document photo + selfie + secure chip read of the document. No anonymous accounts.
Biometric lock on your phone
Face ID, fingerprint, or a 6-digit PIN. No one can open your Centeem without unlocking your phone — even if you lose it.
End-to-end encryption
Your data (transactions, balance, identity) is encrypted to international banking standards. No one — not even our staff — can read your private data.
AI fraud detection
Our system continuously monitors unusual activity (large transfers, suspicious accounts, abnormal geolocation). When in doubt, the account is frozen automatically.
Bank of Algeria compliance
Centeem is in the process of being licensed as a Payment Services Provider (PSP) by the Bank of Algeria, in line with Instruction 06-2025.
Money held in a custody bank account
Any money you deposit on Centeem is held in a separate custody bank account. Your money doesn't belong to Centeem: it's 100% yours.
Visible login history
You see in real time every device connected to your account. If anything looks wrong, you can remotely sign out any session.
Instant lock if lost
Phone lost or stolen? Simply signing in from another device lets you freeze your account instantly.
Architecture
3 independent lines of defence
Line 1 — On your phone
Your lock
- Biometric lock
- 6-digit PIN
- Encrypted local data
Line 2 — In transit
The tunnel
- End-to-end encryption
- Hardened SSL certificates
- Anti-replay signatures
Line 3 — Centeem side
The vault
- Money in a custody bank account
- Annual independent audit
- 24/7 AI anti-fraud
Security tech stack
The algorithms & libraries we actually use
No marketing fluff — here are the concrete technical choices we make to protect your data.
Encryption
- TLS 1.3 on all transport (strict HTTPS, HSTS preload)
- AES-256-GCM for sensitive data at rest
- Argon2id for password hashing (vs vintage MD5)
- RSA-4096 / ECDSA for transaction signatures
Identity verification
- Secure chip read for biometric CIN + passport
- Cryptographic verification of the government signature
- 3D liveness detection (blink, turn, anti-photo, anti-video)
- Face match CIN vs selfie (score >0.92)
Backend infrastructure
- Node.js 22 LTS + Prisma + PostgreSQL 15 on Supabase
- Rate limiting per IP + per user + per endpoint
- Immutable audit log of every admin action (4-eyes principle)
- Daily encrypted backups (30-day retention)
Fraud detection / AML
- Rules engine: structuring, smurfing, fan-in, velocity, night activity
- CTR (currency transaction report) threshold of 1M DZD + monthly STR (suspicious transaction reports) → CTRF (Articles 88-90 BC)
- Shadow merchant detection (personal account used as a business)
- Automatic freeze on 3 HIGH/CRITICAL alerts within 24h
Audits & certifications
External controls
Annual BC audit
Financial + compliance audit by an independent external firm appointed by the Bank of Algeria. Report submitted to the regulator.
External pentest
Intrusion test by a fintech-focused cybersecurity firm. Web + mobile + API. Summary report published on this site.
ISO 27001 (targeted)
International certification for information security management. Process started with a specialist consultant.
PCI DSS equivalent
Although we don't process cards (strict PCI DSS doesn't apply), we follow its best practices (network segmentation, HSM-equivalent key management, centralised logs).
Bug bounty programme
Responsible disclosure programme
Centeem invites security researchers to report vulnerabilities within a legal and coordinated framework. The scale below describes the rewards applied based on severity.
- RCE, admin access, major KYC bypass, theft of funds
- Privilege escalation, user data leak, critical IDOR
- Stored XSS, CSRF on a sensitive action, metadata leak
- Reflected XSS, missing security header, info disclosure
How to report
- Email security@centeem.com
- PGP key available on request to encrypt sensitive details
- Include: description, reproduction steps, estimated impact, proof (screenshots/video)
- Response within 48h on business days
Programme rules
- No attacks on real user accounts without their consent
- No destructive actions (deletion, ransomware, DoS)
- 90-day confidentiality before publication / disclosure
- No CVE publication without prior agreement
- First to report wins: only the first reporter of a given vulnerability is rewarded
🏆 Hall of fame: contributing security researchers will be listed here with their consent (empty for now — be the first).
Common questions
Your concerns, our answers
What happens if I lose my phone?
Sign in from another device with your email + password. You'll immediately see the list of connected devices and can sign them all out. Your money stays protected: without biometric access + PIN, no one can unlock it.
Is my money guaranteed?
Yes. Any money deposited is held in a custody bank account separate from Centeem's capital. If Centeem goes bankrupt, your money is returned to you in full.
Can Centeem see my transactions?
Our systems see metadata (amounts, dates) to detect fraud and produce your statements. But personal content (transfer notes, photos) is encrypted and inaccessible to our staff.
What if I spot a fraudulent transaction?
Freeze your account immediately from the app (Security → Freeze my account). Contact support within 48h: any fraudulent transfer is refunded after investigation.
Security in the app
You stay in control
Login challenge for every new device, real-time security alerts and a clear account overview.
Open a Centeem account
Coming soon on iOS and Android. Identity verification compliant with the Bank of Algeria's Instruction 06-2025.