Security: A default, not a project

Security that ships in the box.

Card data never touches your servers, every secret is encrypted with per-tenant keys, and the compliance certificates your buyer's security team will ask for are already in the trust center. You inherit the hard parts on day one.

  • PCI L1: Level 1 service provider
  • SOC 2: Type II audited
  • ISO 27001: certified
  • TLS 1.3: end to end
01 The pillars

What you inherit by default.

Certifications & assurance

PCI-DSS Level 1 as a service provider, SOC 2 Type II audited annually, ISO 27001 certified. Reports and our PCI AOC are available under NDA, with a bridge letter between audit windows.

SAQ-A scope for you

Encryption & key management

TLS 1.3 in transit, AES-256 at rest, and per-tenant data keys backed by an HSM. Card data is tokenised at the edge so it never reaches your application or logs.

Per-tenant keys, HSM-backed

Data residency & privacy

EU customer data stays in EU regions — Paris and Frankfurt primaries, Stockholm failover. GDPR-clean handling, row-level access logs, and a one-click export for any data subject request.

EU residency, GDPR by design

Access & identity

SAML SSO and SCIM provisioning, role-based access down to the endpoint, and four-eye approval on sensitive actions. Every production access is logged and reviewable.

SSO, SCIM & four-eye controls

Reliability

Multi-region active-active infrastructure with a 99.99% uptime target, a public status page, and disaster-recovery drills run quarterly with published RPO and RTO.

99.99% target, status published

Disclosure & testing

Independent penetration tests twice a year, a funded bug-bounty programme, and a security.txt at our root. Confirmed issues get an SLA and a public advisory when resolved.

Bounty + pentest, security.txt
02 Trust center

What we publish, before you ask.

The documents your buyer's security review needs are ready to share, not buried in a procurement queue. Request access and the package lands in your inbox the same working day.

  • SOC 2 Type II report — full report under NDA, with a bridge letter.
  • PCI AOC — Attestation of Compliance as a Level 1 provider.
  • Pen-test summary — latest independent test, executive summary.
  • DPA & sub-processors — data processing addendum and the current list.

  • DOC: soc2-type-ii.pdf (under NDA)
  • DOC: pci-aoc.pdf (level 1)
  • DOC: iso-27001.pdf (certificate)
  • DOC: pentest-summary.pdf (H1 2026)
  • DOC: dpa.pdf (GDPR)
  • TXT: /.well-known/security.txt (disclosure)
Trust

Need the full report pack?

Tell us what your security review needs and we'll send the documents the same working day. No procurement maze between you and a yes.