Skip to content

Simpaisa Group — Investment Readiness Assessment

Owner Classification Review Date Status
CDO Office Confidential April 2027 Active

Prepared by: Office of the CDO
Date: 8 April 2026
Classification: Confidential — Internal Use Only

Executive Summary

Simpaisa is a $1B+ TPV frontier markets payment aggregator with tier-1 merchant relationships (Google, Tencent, Spotify, ByteDance), strong regulatory credentials, and an aggressive multi-market expansion roadmap across South Asia, MENA, and Central Asia. The data room is mature in governance, compliance, and corporate structure.

The critical gaps that will generate friction in a Series A/B or strategic investment process are concentrated in three areas: quantified financial performance (2023-2025 figures absent), technical scalability evidence , and forward-looking business metrics. Investors will want to see the machine, not just the licence to operate it.

This document sets out the specific actions required from Product, Technology, Data, and Security to bring the data room to investment-grade standard.

Overall Investment Readiness: Functional Assessment

Function Current Status Investment Readiness
Corporate & Legal Comprehensive Strong
Compliance & Regulatory Well documented Strong
HR & Governance Adequate Needs minor updates
Product Capabilities listed, strategy thin Material gaps
Technology Stack documented, architecture absent Material gaps
Data & Finance 2022 financials only; no metrics Critical gap
Security Certified, evidence thin Needs strengthening

1. Product

Gaps Investors Will Flag

  • The product roadmap exists but lacks quantified KPIs, milestone ownership, or timeline granularity. It reads as a capabilities list, not a product strategy.

  • No evidence of merchant onboarding velocity , activation rates, or time-to-first-transaction metrics.

  • White-label wallets and crypto off-ramping are listed as "ready" but there is no go-to-market documentation, pricing model, or pilot data.

  • No competitive positioning document — investors will benchmark against dLocal, Thunes, and local aggregators independently; Simpaisa should control that narrative.

Recommendations

  1. Rewrite the roadmap as a strategic artefact: 3 horizons (0-6 months, 6-18 months, 18-36 months), each with revenue impact estimates, resource requirements, and market dependencies. Tie each initiative back to the expansion markets (Saudi Arabia, Central Asia, Egypt).

  2. Build a product metrics pack : merchant cohort retention, GMV per merchant, new method adoption rates, checkout conversion by market. Directional trends showing growth are sufficient at this stage.

  3. Document the crypto product properly : Binance partnership letter, USDT to PKR flow diagram, regulatory posture per jurisdiction, revenue model. This is a differentiator currently undersold in the data room.

  4. Commission a competitive analysis — position Simpaisa against dLocal, Nuvei, Boku, and regional players. Frame the moat: regulatory depth, South Asia coverage, remittance + acquiring convergence.

  5. Create a merchant case study pack : 2-3 anonymised case studies showing onboarding timeline, volume growth, and problem solved. Google and Tencent are name-drops; investors want evidence of stickiness.

2. Technology

Gaps Investors Will Flag

  • No system architecture diagram for the core payment gateway is visible in the data room. Investors in fintech always want to see the plumbing.

  • The tech stack list is comprehensive but there is no evidence of scalability under load — no benchmarks, SLAs, or uptime figures.

  • The Acting CTO designation will raise governance questions. Investors expect a permanent, named CTO.

  • No API documentation or developer portal reference — critical for a company whose core proposition is a "single API integration."

  • No evidence of technical debt position, code quality metrics, or engineering team capacity.

Recommendations

  1. Produce a one-page architecture overview : data flows, key components (gateway engine, Kafka queuing, settlement layer), geography deployment model. This does not need to be a full technical spec — sufficient to show a coherent, scalable design.

  2. Document uptime and reliability : pull 12 months of availability data from CloudWatch/Datadog. Present as a table by market. 99.9%+ uptime with tier-1 merchants is a strong signal.

  3. Resolve the CTO vacancy or reframe it : if Saqlain Raza is the permanent appointment, formalise it and update all materials. If a search is underway, disclose proactively with a timeline.

  4. Create an API capability document : summarise the developer integration experience, SDK availability, sandbox environment, and time-to-integrate benchmarks from existing merchants.

  5. Prepare a technical due diligence brief : infrastructure costs per transaction, cloud spend as % of revenue, key vendor dependencies (AWS concentration risk), and disaster recovery posture. Technical diligence teams will ask all of this — get ahead of it.

  6. Document the proprietary gateway engine as an asset : what is built in-house vs. third-party, what is the competitive moat, what would it cost a competitor to replicate.

3. Security

Gaps Investors Will Flag

  • ISO 27001 and PCI-DSS certificates are present — good baseline coverage.

  • No evidence of penetration test results , no remediation status, and no security incident history (even a "nil material incidents" declaration would be useful).

  • No documented BCP/DR test results — plans exist but no evidence of testing.

  • No third-party vendor risk management documentation for critical providers (Eastnets, Datadog, AWS).

  • No data map — where customer/merchant PII is stored, processed, and transferred across jurisdictions. This is increasingly a Day 1 diligence item.

  • For a company operating across Pakistan, Bangladesh, Nepal, UAE, Canada, and Iraq simultaneously, investors will expect jurisdiction-specific data residency documentation.

Recommendations

  1. Commission and complete an independent penetration test if not done in the last 12 months. Include an executive summary of findings and remediation closure evidence in the data room. Offer the full technical report under NDA only.

  2. Write a security posture statement for investors : a 2-page document summarising certifications held, last test dates, material incidents (or nil declaration), and the CISO's forward programme. Standard requirement in Series B+ diligence.

  3. Produce a data map : merchant data flows across jurisdictions, PII storage locations, cross-border transfer mechanisms, and regulatory basis for each transfer.

  4. Document BCP/DR test results : even a tabletop exercise completion note with date and outcome is acceptable. Investors want evidence the plan has been exercised, not just written.

  5. Produce a vendor risk register summary : list critical third-party dependencies with their own compliance certifications (AWS SOC 2, Eastnets certifications). This demonstrates supply chain risk maturity.

  6. Prepare jurisdiction-specific compliance notes : for each operating entity, a one-pager on applicable data protection law, current compliance status, and any open regulatory items. Bangladesh DPDPA, Pakistan PDPA, UAE PDPA, and Canada PIPEDA all differ materially.

Prioritised Action Plan

# Action Function Priority Investor Impact
1 System architecture overview (one page) Technology Critical Removes technical credibility risk
2 Pen test summary + security posture statement Security Critical Standard diligence requirement
3 Product roadmap rewrite with KPIs and horizons Product High Validates growth thesis
4 CTO appointment formalisation Technology + CEO High Governance signal for investors
5 Data map + jurisdiction-specific compliance notes Security + Legal High Legal diligence requirement
6 Crypto product documentation (Binance JV, flow, revenue) Product High Differentiator currently buried
7 Competitive analysis and positioning document Product Medium Controls investor narrative
8 Merchant case study pack (2-3 anonymised) Product Medium Demonstrates merchant stickiness
9 API capability document Technology Medium Supports single-API proposition
10 BCP/DR test evidence Security Medium Operational resilience signal
11 Technical due diligence brief (infra costs, vendor risk) Technology Medium Pre-empts diligence questions
12 Vendor risk register Security Medium Supply chain risk maturity

Key Strengths to Amplify

The following should be more prominently positioned in investor-facing materials:

  • Crypto rail readiness : USDT to PKR live and tested, Binance partnership secured. First-mover in a high-demand corridor.

  • Multi-product convergence : acquiring + payouts + remittances on a single platform is a structural advantage against single-product competitors.

Notes on Data Room Presentation

  • Version and date-stamp all documents. Several documents in the current data room are undated, which creates ambiguity during diligence.

  • Add a document summary index to each section folder (one paragraph per document explaining what it contains and why it is included).

  • Separate "current state" from "in progress" — the data room currently mixes live licences with applications in progress. Investors need to clearly distinguish what is operational today vs. planned.

  • Restrict access logging : ensure the VDR platform is tracking investor access by document. This provides visibility on what investors are spending time on and signals engagement.

End of report. For queries contact the Office of the CDO.