1. Encryption
All customer data is encrypted in transit using TLS 1.2 or higher and at rest using industry-standard algorithms. Cardholder data is tokenised and never stored on our application servers.
2. Access controls
Access to production systems is limited to a small group of engineers, granted on a least-privilege basis, and requires hardware-backed multi-factor authentication. All access is logged and reviewed.
3. Testing and assurance
Independent security firms perform annual penetration tests and continuous vulnerability assessments. We also operate a bug bounty programme — see our responsible disclosure policy.
4. Incident response
Our incident response plan covers detection, containment, eradication, recovery, and post-incident review. Where an incident affects customer data we notify affected users and regulators within the timeframes required by law.
5. Certifications
We maintain certifications appropriate to our services, including SOC 2 Type II and ISO/IEC 27001. The current scope and validity of each certification are published in our trust centre.