Security
Protecting the decision trust layer
Compliance
- SOC 2 Type II — assessment in progress
- OWASP Top 10 — application assessed against the OWASP Top 10 risk categories
- GDPR — Data Processing Addendum available for EU/EEA customers
- CCPA — compliant
Encryption
- All data encrypted in transit using TLS 1.2 or higher
- All sensitive data encrypted at rest using AES-256
- API keys are hashed before storage and never stored in plaintext
- Sensitive attributes in authorization logs are protected with field-level encryption
Access controls
- Scoped API keys with granular permissions
- IP allowlisting per API key
- API key rotation with configurable grace period
- MFA-protected dashboard access
- Role-based access control for multi-tenant operations
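The four API-key controls above (hashed storage, scoped permissions, IP allowlisting, rotation with a grace period) are stated as features. As an added illustration written for this page, not the product's own code, the following shows how they fit together in one key check. The record layout, function names, scope strings and CIDRs are assumptions; keys are looked up by a public key ID and only the hash of the secret is kept, so a leaked key table cannot be replayed.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ApiKeyRecord:
    """Hypothetical stored key record (assumed schema, not the page's own)."""
    key_id: str
    secret_hash: bytes              # SHA-256 of the secret; plaintext is never stored
    scopes: frozenset               # granular permissions granted to this key
    allowed_cidrs: tuple            # ipaddress networks the key may be used from
    grace_until: Optional[datetime] = None  # set on rotation; key dies after this


def hash_secret(secret: str) -> bytes:
    # API secrets are high-entropy random strings, so a plain SHA-256 is enough
    # (unlike passwords, which need a slow, salted KDF such as Argon2 or bcrypt).
    return hashlib.sha256(secret.encode()).digest()


def issue_key(store: dict, scopes, allowed_cidrs):
    key_id = "ak_" + secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)
    store[key_id] = ApiKeyRecord(
        key_id, hash_secret(secret), frozenset(scopes),
        tuple(ipaddress.ip_network(c) for c in allowed_cidrs))
    return key_id, secret  # the secret is shown to the customer exactly once


def rotate_key(store: dict, old_key_id: str, grace: timedelta, now: datetime):
    """Issue a replacement with the same scopes/allowlist; the old key keeps
    working until the grace period ends so clients can switch without downtime."""
    old = store[old_key_id]
    old.grace_until = now + grace
    return issue_key(store, old.scopes, [str(n) for n in old.allowed_cidrs])


def authorize(store: dict, key_id: str, secret: str, client_ip: str,
              required_scope: str, now: datetime):
    rec = store.get(key_id)
    if rec is None:
        return False, "unknown key"
    # Constant-time comparison of the hashes avoids leaking the secret via timing.
    if not hmac.compare_digest(rec.secret_hash, hash_secret(secret)):
        return False, "bad secret"
    if rec.grace_until is not None and now > rec.grace_until:
        return False, "key rotated; grace period expired"
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in rec.allowed_cidrs):
        return False, "ip not allowlisted"
    if required_scope not in rec.scopes:
        return False, "scope not granted"
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: one key, then a rotation with a 24 h grace period."""
    store = {}
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    kid, sec = issue_key(store, {"auth:read"}, ["10.0.0.0/8"])
    out = {
        "good": authorize(store, kid, sec, "10.1.2.3", "auth:read", now),
        "wrong_secret": authorize(store, kid, "nope", "10.1.2.3", "auth:read", now),
        "bad_ip": authorize(store, kid, sec, "192.0.2.1", "auth:read", now),
        "no_scope": authorize(store, kid, sec, "10.1.2.3", "auth:write", now),
    }
    new_kid, new_sec = rotate_key(store, kid, timedelta(hours=24), now)
    later_in_grace = now + timedelta(hours=1)
    after_grace = now + timedelta(hours=25)
    out["old_in_grace"] = authorize(store, kid, sec, "10.1.2.3", "auth:read", later_in_grace)
    out["old_after_grace"] = authorize(store, kid, sec, "10.1.2.3", "auth:read", after_grace)
    out["new_key"] = authorize(store, new_kid, new_sec, "10.1.2.3", "auth:read", after_grace)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

The check order matters in practice: the secret is verified before the allowlist and scope so that an attacker with a valid IP but no secret learns nothing about which scopes exist, and the grace-period check sits after authentication so that an expired-but-correct key is logged as a rotation failure rather than a bad credential.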
Data handling
- Customer Data remains the property of the customer at all times
- No primary account numbers (PANs) are stored — all card data is tokenized
- Authorization logs retained per service tier (details in SLA)
- Data export available upon request and for 60 days post-termination
- Suspicious Activity Report (SAR) / Suspicious Transaction Report (STR) export capability for regulatory compliance
Responsible disclosure
We welcome reports from security researchers.
Contact: [email protected]
We begin investigating every valid report within 72 hours of receipt.
We will not take legal action against researchers who act in good faith.
Please allow us reasonable time to address issues before public disclosure.
Questions
For compliance documentation, audit reports, or security questionnaires: [email protected]
For data processing agreements: [email protected]