Security & Data Protection

Your personal and financial information is protected at every step. Here is exactly how.

HTTPS Encryption

All data transmitted between your browser and our server is encrypted with TLS. No data is sent in plain text.

Password Hashing

Passwords are never stored. We store a bcrypt hash — even our team cannot see your password.

M-Pesa STK Push

We never see your M-Pesa PIN. Payment is authorised directly on your Safaricom handset via official Daraja API.

Rate Limiting

Login attempts are rate-limited by IP address to prevent brute-force attacks on accounts.

Session Security

Sessions are regenerated on login, use secure cookies, and expire automatically after inactivity.

Report Access Control

Credit reports are locked to the account that paid for them. Token-based access prevents unauthorised viewing.

How We Handle Your National ID

Your National ID number is required to match your identity against CRB records. It is transmitted securely over HTTPS to the Credit Reference Bureau API and is stored in your encrypted account profile. It is never shared with third parties outside of the licensed CRB query workflow.

M-Pesa Payment Security

We use the Safaricom Daraja API (STK Push) — the same API used by major Kenyan banks and retailers. The process:

  1. You confirm the amount on our site
  2. An STK Push notification is sent to your phone by Safaricom
  3. You enter your M-Pesa PIN directly on your handset — we never see it
  4. Safaricom confirms the transaction to our server
  5. Your report is unlocked immediately

We store only the M-Pesa transaction reference number (e.g. QGH3X2ABCD) for receipt purposes — never any payment credentials.

Data Protection Act Compliance

We operate in compliance with Kenya's Data Protection Act 2019 and the Office of the Data Protection Commissioner (ODPC) guidelines. We collect only the minimum data required for service delivery. You have the right to access, correct, and delete your data. See our Privacy Policy for full details.

Fraud Warning

Beware of fraudsters claiming to offer CRB clearance services or impersonating CRB Checker Kenya on social media or WhatsApp. We do not offer credit clearance, loan approvals, or any service not described on this website. If you receive such an offer, it is a scam. Report it to the DCI Kenya.

Report a Security Issue

If you discover a security vulnerability on our platform, please disclose it responsibly by contacting us at: support@crbcheck.com. Please include a clear description of the issue. We aim to respond within 48 hours.