Security

Built with the assumption that your auditor will read every line.

AI Payment Guard is a financial control plane. The bar is higher than for a generic SaaS, and we treat it that way. Below: what we do today, what we're working on, and how to report a problem.

Authentication

  • bcrypt-hashed passwords (cost factor 10), 10-character minimum with letter + digit
  • TOTP-based 2FA available for every account, with single-use recovery codes
  • Strict session-cookie policy (HttpOnly, SameSite=Lax, Secure in production)
  • Forced re-authentication when the active organization no longer exists

Access control

  • Multi-tenant isolation enforced on every database query (organizationId filter)
  • RBAC with four roles: Owner, Admin, Approver, Viewer
  • Separation of duties: agents submit and humans approve, never the same identity
  • Least-privilege: each agent has its own bearer token, scoped per organization

Audit trail

  • Append-only audit_events table; UPDATE and DELETE blocked at the database level
  • Per-organization SHA-256 hash chain; tampering surfaces immediately on verification
  • Every decision, approval, role change and webhook delivery is recorded
  • Self-serve chain integrity verification endpoint

Data integrity

  • Idempotency-Key required on every mutation; duplicate submissions return the original decision
  • Serializable database transactions for cap-checks + intent creation
  • HMAC-SHA256 signed webhooks with replay-protection timestamps
  • Constant-time signature verification in the official SDK
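How a receiver can check a signed webhook of the kind described above, as an added example rather than the official SDK's code: it assumes a hex HMAC-SHA256 over `<timestamp>.<raw body>` carried in hypothetical `X-Signature` and `X-Timestamp` headers, rejects stale timestamps before touching the signature, and compares digests in constant time.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Assumed scheme (the page does not specify the wire format): the HMAC covers
# "<unix timestamp>.<raw request body>" and arrives hex-encoded. Follow the
# vendor's documented format in a real integration.
REPLAY_TOLERANCE_SECONDS = 300  # reject events older/newer than 5 minutes


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Compute the hex HMAC-SHA256 the sender would attach to a delivery."""
    message = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, sig_header: str,
                   ts_header: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for one delivery.

    Verify over the raw bytes, never over a re-serialized JSON object, and
    check freshness first so a replayed-but-valid signature is still refused.
    """
    if now is None:
        now = int(time.time())
    try:
        ts = int(ts_header)
    except (TypeError, ValueError):
        return False, "malformed timestamp"
    if abs(now - ts) > REPLAY_TOLERANCE_SECONDS:
        return False, "stale timestamp"
    expected = sign_webhook(secret, ts, body)
    # compare_digest runs in time independent of where the strings differ,
    # which is what "constant-time signature verification" refers to.
    if not hmac.compare_digest(expected, sig_header.strip().lower()):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample delivery; the secret and body are illustrative only.
    secret = b"constructed-webhook-secret"
    body = b'{"intent_id":"int_demo","decision":"approved"}'
    ts = int(time.time())
    sig = sign_webhook(secret, ts, body)
    print(verify_webhook(secret, body, sig, str(ts)))            # (True, 'ok')
    print(verify_webhook(secret, body, sig, str(ts - 3600)))     # stale timestamp
```

Pair the timestamp window with the event's Idempotency-Key or event id stored on your side, so a delivery replayed inside the window is recognised and not processed twice.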

Network & infrastructure

  • TLS 1.2+ everywhere; HSTS preloaded
  • EU-hosted by default (OVHcloud / Scaleway)
  • Per-environment isolation between sandbox and production (Enterprise)
  • Daily encrypted backups with point-in-time recovery on paid plans

Operational practices

  • All production access via short-lived MFA-protected sessions
  • Mandatory code review and CI on every change (typecheck, tests, linter)
  • Automated dependency vulnerability scanning
  • Annual third-party penetration test (Enterprise customers receive the report)

Compliance

GDPR

Compliant

EU-hosted by default. Standard Contractual Clauses for any non-EU sub-processor. Customer-facing DPA available.

SOC 2 Type 2

In progress

Audit observation period started Q1 2026. Target attestation: Q4 2026.

ISO 27001

Roadmap

Targeted for 2027 alongside our Enterprise plan rollout.

PCI DSS

N/A

We never process or store cardholder data. Card payments live in your underlying rail (Stripe, etc.).

HIPAA

Out of scope

Healthcare-specific PHI is not currently supported. Contact us for industry-specific deployments.

Data residency

EU

Customer data resides in the EU by default. Other regions available on Enterprise plans.

Reporting a vulnerability

We welcome reports from security researchers. If you believe you've found a vulnerability, please email security@payment-guard.example with reproduction details. We aim to acknowledge within 24 hours and provide a fix timeline within 5 business days.

We acknowledge contributors publicly (with their consent) on our security disclosures page once an issue is resolved.

Need our SOC 2 progress letter, the latest pentest summary, or a signed DPA?

Request our security packet →