Trust: Infrastructure and Technology

System Reliability

Minimum committed uptime

Transactions successfully processed*

*Minimum commitment

Committed support availability

“Electrum is committed to the pinnacle of security and compliance. Customers trust our technology and infrastructure to perform, to be available, and to be secure.”

Ferdi Immelman

Chief Information Officer


Electrum undergoes independent third-party audits to attest and certify Electrum’s security, data privacy and compliance controls to help meet customers’ legal, regulatory, and organisational policy requirements.

ISO 27001

Electrum maintains an ISO 27001 certification, which outlines and provides the requirements for an information security management system (ISMS), specifies a set of best practices, and details the security controls that can help manage information risks.

Payments Association South Africa (PASA) Certification

Electrum is authorised in terms of the National Payment System Act, 1998, as a System Operator in the following payment systems: EFT DEBIT| EFT CREDIT| RTC SERVICE| RAPID PAYMENTS.

Data Security

Cloud security

Electrum uses Amazon Web Services (AWS) to run our infrastructure, allowing us to blend our own information security practices with AWS's robust security and privacy features to maintain a secure cloud environment.

Data encryption

Electrum uses different methods and protocols to turn data into an unreadable format, ensuring that the data is safe from unauthorised access. Data is encrypted both at rest and in transit using the industry-leading encryption standards.

Data privacy

At Electrum, we shape our privacy rules following the South African Protection of Personal Information Act (POPIA). Our ISO 27001 certification process is aligned with POPIA requirements.

Cyber defence

Electrum has implemented specialised tools in our environment to detect and defend against cyber-attacks. In addition, we incorporated various cloud security features that actively scan for, identify and immediately alert our cybersecurity team of potential threats.

Business continuity and disaster recovery

Electrum maintains a Business Continuity Policy (BCP) and Disaster Recovery Plan (DRP), which mandates that the BCP and DRP, testing, and procedures are updated and performed on a regular basis.

Security and privacy by design

Electrum’s coding process is secure and follows industry best practices. We assess risks, use secure engineering principles such as code training and analysis, and prioritise information security and privacy in new projects. We have a solid change control process, separate development environments, and thorough testing for updates.

Vulnerability prevention

Electrum uses industry-leading security tools that automatically check for security issues in our environments. If we find a problem, we carefully assess the associated risk and find a way to remediate it. We also conduct annual penetration testing to uncover any other weaknesses.

Staff security

Electrum implements security controls for employees and contractors before, during, and after their engagement with Electrum. These controls include information security and privacy (including POPIA) training.

Use of customer data

Electrum operating as a data processor does not sell, share, or export customer data to third parties. We use customer data only to provide and improve our service.

Data recovery

We regularly back up data. The target recovery point objective in respect of customer data is one day and the target recovery time objective in respect of the SaaS Services is four hours.

Data retention

Electrum offers 90 days of online storage for searchable customer transaction records and up to 10 years of archival storage for compliance and audit transaction records.

Security incidents

Electrum established an incident management process and procedures to ensure the timely detection of and support of the rapid response to security incidents. In the event of a confirmed incident involving customers’ data, we will notify the customer within the time frame required under applicable law or as contractually agreed.