We process over $8 billion a year. That works because we take security more seriously than any other line in our company charter.
Third-party certifications that matter — renewed every year with independent auditors.
The highest level of Payment Card Industry Data Security Standard compliance. Audited annually by a Qualified Security Assessor. Zero cardholder data ever touches merchant servers.
Continuous, independently audited controls over security, availability, confidentiality, processing integrity and privacy. Reports available under NDA to Enterprise customers.
ISO 27001:2022 certified for information security management systems. Our ISMS covers every employee, process and system that touches customer data.
Compliant with the EU General Data Protection Regulation and the California Consumer Privacy Act. DPAs, SCCs, and Data Subject Rights tooling built in.
BAAs available for healthcare and wellness merchants handling PHI. Built on HIPAA-compliant infrastructure with end-to-end controls.
Cloud Security Alliance STAR Level 2 attestation. Our cloud security posture is continuously monitored and externally verified.
Layered controls at every level — from physical infrastructure up to the application layer.
Every byte of customer data is encrypted at rest and in transit, with modern algorithms and hardware-backed key management.
We try to break our own software before anyone else does. Then we pay other people to try again.
In-house red team runs weekly adversarial exercises. Findings tracked as P0 regardless of source.
Independent penetration tests every 6 months by two different top-tier firms. Reports available to Enterprise customers.
Rewards up to $50,000 for critical vulnerabilities. Runs continuously via HackerOne with 300+ researchers.
SAST, DAST, SCA and IaC scanners run on every commit. Critical findings block merges.
In-house security operations center monitors every production system around the clock. Average alert-to-action time: 90 seconds.
Every employee completes annual security training. Background checks on all US hires. Hardware keys required for all infrastructure access.
SOC 2 reports, penetration test summaries, architecture diagrams, DPAs — available under NDA to Enterprise customers. Our security team is one click away.