Trust Center · v1
How Pakstoor protects you.
Pakstoor is new. We don't have a wall of certifications — yet. What we do have is a small set of design choices that make the South African scams everyone knows impossible on this platform. Here's what's live today, what's in progress, and what we openly don't have yet.
Money
How your funds move — and why neither party can run.
TradeSafe escrow
Every payment is held by TradeSafe — a South African escrow service licensed under the Financial Intermediary Services Act. Pakstoor never touches your money. Funds release to the seller only when the buyer confirms the parcel arrived intact, or after a courier-confirmed delivery + 72-hour inspection window.
Disputes freeze the funds
Either party can open a dispute on the deal page. Once raised, the funds in escrow stay frozen until both sides — with TradeSafe as the third party — reach resolution. There is no “buyer pressed dispute, money refunded by morning” loophole.
Pakstoor's fee is transparent
5% commission, deducted from the seller on completion. Buyers pay item price plus the courier and the TradeSafe escrow fee — no Pakstoor fee added on top of what the buyer sees. Every cost line is shown before you click Pay.
Verified seller badge (FICA)
TradeSafe runs an FIC-aligned identity and bank-account verification (an AVSR check) on every payout-enabled seller. Once verified, the seller will display a gold “Verified” badge on their listings and profile. Currently in build.
Delivery
Why we removed the riskiest step in private sales.
Courier only — no in-person
Pakstoor does not facilitate in-person handovers. Every parcel goes through The Courier Guy / Shiplogic with a tracked waybill. Sellers cannot type a tracking number themselves — the waybill is auto-booked by Pakstoor and the seller receives the printable label.
Insurance bundled in
Every booking opts into the courier's paid liability cover where the parcel + route are eligible. The cost is included in the “Courier” line on the buyer's breakdown. The TradeSafe escrow is the real buyer protection — courier cover is a second layer with its own conditions and exclusions, not a guarantee. If a courier claim is denied, escrow is what gets you your money back.
Live courier tracking
Courier scan events stream into your deal page. We surface every transition — collected, at hub, out for delivery, delivered — and mirror them onto TradeSafe's ledger so the dispute record carries third-party-corroborated evidence at every step.
Signed delivery receipts
When you click “Confirm receipt”, a signed timestamp will be pushed to TradeSafe so a later “I never got it” dispute is bullet-proof. Architecture work in progress.
Data & accounts
What we collect, how we store it, and what you can ask for.
Encrypted in transit
HTTPS site-wide. HSTS is enforced. Modern TLS only — SSL Labs configuration with HTTP/1.1 and HTTP/2 over TLS 1.2+. No mixed content, no plain HTTP. The certificate is Let's Encrypt or equivalent in production.
Argon2id passwords
Passwords are hashed with Argon2id (OWASP 2024 recommended parameters) plus an HMAC pepper held outside the database. Plain-text passwords are never stored, never logged, and never travel over our network after authentication.
POPIA rights honored
Access, correction, and deletion requests are answered within 30 days. Email privacy@pakstoor.co.za. See our POPIA page for the full process and your rights as a data subject.
72-hour breach notice
Under POPIA Section 22, if we reasonably believe personal information has been accessed by an unauthorised party, we notify affected users and the Information Regulator of South Africa within 72 hours of becoming aware.
Audit log
High-risk actions — payouts, listings boosts, dispute outcomes, admin overrides — are append-only audit-logged with the actor, timestamp, IP, and metadata. Used internally for fraud forensics and dispute review.
Phone OTP & two-factor
Phone-number verification is on the trust roadmap. Two-factor for sellers will follow phone OTP. We don't ask for your ID at signup — verification is opt-in and only stored long enough to verify, then deleted, in line with POPIA minimality.
What we don't have yet
A trust center that hides the gaps isn't a trust center. Here are ours.
POPIA Information Officer registered
POPIA requires every Responsible Party to register an Information Officer with the Regulator. Ours is in progress; until that's confirmed, we don't claim to be “POPIA compliant” on the homepage. Our practices align with POPIA's eight conditions; the certificate is what's outstanding.
Independent penetration test
An external security firm has not yet tested Pakstoor end-to-end. Once we cross meaningful transaction volume, this is the first audit on the list. In the meantime: we run modern dependency scanning, a strict CSP, hardened cookie flags, and rate-limited / replay-protected webhooks.
SOC 2 / ISO 27001
We are too early-stage for these to be honest claims. Adopting the controls is on the multi-year roadmap once Pakstoor reaches a scale where the audit cost is justifiable. We won't pretend otherwise.
Bug bounty programme
No paid bounty yet. We do have a security-disclosure address and we will publicly thank researchers who report responsibly. Email security@pakstoor.co.za.
Found something we missed? Pakstoor is built and reviewed by a small team. If you see a security gap, a privacy concern, or a copy claim that overstates what we actually do, we want to hear from you. Email security@pakstoor.co.za — we aim to respond within 72 hours.
Reach the right inbox
One address per concern. We monitor all of them.
Security
Suspected vulnerability, exploit, or misconfiguration. Encrypted disclosure preferred.
security@pakstoor.co.zaPrivacy
POPIA access, correction, deletion, or objection requests. Data breach concerns.
privacy@pakstoor.co.zaFraud / scam reports
A listing that smells wrong, or a counterparty acting outside the rules.
trust@pakstoor.co.zaOperational status — including TradeSafe escrow availability — is mirrored on TradeSafe's own status page at status.tradesafe.co.za. Pakstoor's own platform status appears in the system bar at the top of every page.
See also: POPIA Compliance · Privacy Policy · Terms of Service · Cookie Policy · Safety guides