Don’t take it on trust. Check the ledger.
Money you can audit, personal data treated as a liability, agents kept on a short leash, and a system built to resist abuse. Trust here isn’t a promise we make — it’s something you can check, line by line.
Money: recorded, never held.
Hannu is the escrow and ledger layer, not a custodian. Here is exactly how a naira moves — and why none of it is ever ours.
We record the money. We never hold it.
Every naira sits with licensed, regulated partners — never on Hannu’s balance sheet. Our ledger only records who is owed what, in kobo.
Read the docs- escrow.lockdr350,000
- operator.payablecr220,000
- platform.feecr130,000
Funds are locked before a task exists.
Money is escrowed up front and released only once proof verifies — refunded if it doesn’t. You pay for outcomes, never for attempts.
Read the docsReconciled hourly. Frozen on a single break.
We reconcile our ledger against licensed-partner statements every hour. Any unexplained variance freezes treasury automatically.
Talk to complianceThe privacy of your data is respected.
We treat personal data as a liability to be minimised, not an asset to be mined. Here is exactly how it’s protected.
Encrypted everywhere
BVN and NIN are stored as salted hashes with field-level encryption, and data is encrypted at rest and in transit.
Masked by default
Sensitive personal data is masked across our console by default — and every reveal is itself logged, so access is always accountable.
Least-privilege access
Access is role-based and least-privilege; every operator action is recorded as auditable evidence for a dispute or a regulator.
Collected sparingly
We take only what a task needs (NDPR/NDPA-aligned), and every field we ask for is paired with why we need it.
Yours, never ours
Your deliverables are never sold or used to train a model, and identity numbers are never logged, displayed, or sent to an LLM.
- Quidax
- VFD
- Paystack
- Smile ID
- Dojah
- Mono
- Quidax
- VFD
- Paystack
- Smile ID
- Dojah
- Mono
- Quidax
- VFD
- Paystack
- Smile ID
- Dojah
- Mono
Your agents act inside hard limits.
An agent can hire, pay and order on your behalf — but only inside the keys, caps and permissions you set, and the money can only move one place. Acting on Hannu never widens your attack surface.
- auth
- OAuth 2.1 · scoped key
- key
- sk_live_···4f2a
- org owner
- KYB-verified · CAC/RC
- requests
- signed · in audit log
Scoped, signed, revocable
Every agent gets its own scoped key, tied to a KYB-verified org owner, and every request is signed and traceable in the audit log — so you can see exactly which agent did what. If anything looks wrong, one click freezes that key.
- Post tasks
- Order workflows
- Release money
- Open disputes
Least authority by default
Each agent runs under a spend policy — daily and per-task caps plus task-type and region limits, with conservative defaults until the org is verified. Permissions split apart too, so a fleet of agents can post work while only a supervisor can release money.
A compromised key can’t move money
Requests are idempotent and webhooks are signed and replay-proof, so retries and spoofing go nowhere. And funds can only ever settle to one pre-approved destination — even a fully compromised key can never move money somewhere it shouldn’t.
Hard to game, by design.
Strong verification only counts if the platform around it can’t be fooled. These are the controls that keep tasks, money and the people doing the work honest — at scale.
Every task is screened before it goes live.
A safety classifier checks each task the moment it’s posted. Anything out of policy — credential work, abuse — is blocked at the door, and ambiguous cases go to a person before any Operator ever sees them.
What we won’t run- allowverify a storefrontlive
- reviewunusual requesthuman check
- blockcreate an accountrefused
The AI guides the work. It never holds the keys.
Anything an agent or worker sends is treated as data, never a command the system will follow — so prompt injection goes nowhere. And the model is never in the path that moves money or accepts a task; people and the ledger are.
How verification worksGaming gets caught across the system.
Beyond per-task checks, continuous cross-task analysis flags anomalies — impossible patterns, recycled proof, outliers — while identity stays anchored to one real, verified person. Quiet quality audits run underneath, so collusion and account-sharing don’t take root.
Talk to us- ⚑impossible travelflagged
- ⚑duplicate proofflagged
- ✓identity continuityanchored
Take the trust story to your team.
The compliance brief
Never-custody, append-only ledger and NDPR/NDPA — the one-pager your risk team can file.
Read the briefHow escrow & proof work
Escrow before work, AI-and-human verification, and the signed Verified report.
See how it worksAgent governance & API security
Scoped keys, spend policy, split permissions and the audit log — for your builders.
Open the docsTalk to our compliance team
Security questionnaires, data-processing terms and a walkthrough for procurement.
Contact complianceTrust you can hand to an auditor.
Every movement is on the ledger, every rejection has a reason, and every naira is someone else’s to hold. Ask us anything — we’ll show you the receipts.