Card data stays safe with us
We safeguard card data in our PCI DSS Level 1 vault: encrypted, stored only in European data centres, with every access logged. You never touch the card number—you work with tokens only.
Encrypted at rest
AES-256 in the vault
EU data centers
Card data never leaves the EU
Tracked access
Every request is logged
PCI DSS Level 1
This is the highest level of PCI compliance. It means our vault is audited every year by independent assessors, and you inherit much of that protection.
Annual audit
A qualified PCI assessor (QSA) verifies every year that we meet all requirements. The report is available to payment networks and, on request, to you as well.
Quarterly scans
Every quarter we scan internet-facing infrastructure. If we find anything to fix, we resolve it before the next scan.
Less burden for you
Because card data lives in our vault, your PCI scope shrinks. You can often complete a simpler questionnaire (SAQ A) instead of managing everything yourself.
Card data never leaves the EU
We store and process card data only within the European Union. No copies outside Europe, no non-EU cloud for vault operations.
Built for GDPR
Data processing agreements, legal bases, and documentation are already in place. You know where the data is and who manages it: us, in the EU.
Data centres in Germany and the Netherlands
Redundant infrastructure with high availability. Disaster recovery also stays within European borders.
No transfers abroad
Encryption keys, token mappings, and audit logs remain under EU jurisdiction. No risks linked to data transfers outside Europe.
What we guarantee
Encrypted at rest and in transit
Card data never travels in plain text. We encrypt it when we store it and when we move it between our systems.
AES-256 in the vault
At restEvery card number in the vault is encrypted with AES-256. Keys stay protected inside dedicated hardware (HSM). We never export them in plain text.
TLS 1.3 in transit
Secure connections onlyAPIs and payment flows use TLS 1.3. Older versions are disabled. Even if someone intercepted past traffic, they could not decrypt it.
Key rotation
No downtimeMaster keys rotate every year, as PCI DSS requires. Re-encryption runs in the background: nothing changes for you or your customers.
AES-256
Encryption at rest
TLS 1.3
Between systems
Annual
Key rotation
Keys live in an HSM
An HSM is a tamper-resistant hardware device where we generate and store encryption keys. Card numbers never leave it in plain text.
FIPS 140-2 Level 3 certified
A recognised standard for hardware security. If someone tries to physically open the device, keys are destroyed automatically.
Keys generated inside the HSM
Generation, rotation, and destruction happen only within the HSM boundary. We never store master keys on disk or in generic cloud storage.
Tamper resistance
Dedicated sensors and enclosures detect physical access attempts. If anything is abnormal, cryptographic material is wiped.
How a request flows
Anti-abuse controls
Beyond encryption and tokenization, we monitor every request. If something looks wrong, we block or flag it before it becomes a problem.
Rate limits
We detect unusual spikes in requests from the same account, IP, or API key. Configurable thresholds trigger temporary blocks and alert the security team.
Suspicious patterns
We analyse traffic to spot unusual behaviour: sequential testing, unusual volumes, geographic inconsistencies. Flagged requests are stopped according to your policy.
24/7 monitoring
Our security team watches errors, latency, and data access. If something deviates from normal, we respond within minutes.
We get tested from the outside too
We don't stop at PCI audits: regular penetration tests and third-party scans verify that the vault stays solid.
Penetration testing
Twice a year, accredited firms simulate attacks on our network and APIs. Every issue found is fixed and verified again.
Vulnerability management
Weekly internal scans across all components. Critical issues are resolved on defined timelines: the most severe within 24 hours.
SOC 2 Type II report
Every year, independent auditors verify security, availability, and confidentiality. On request under NDA, we share the report with customers.
Secure development
Every code change goes through review and automated tests. Before touching the vault, we assess risks in a structured way.
Incident response
We hope it never happens. But if there is a security event, we detect it, contain it, and keep you informed with transparency.
Always on
Real-time log and alert correlation across the entire infrastructure
First response
We classify severity and start containment within 15 minutes
We notify you
If needed, we notify within 72 hours as required by GDPR and PCI
Analysis and fixes
Post-mortem with corrective actions to prevent it from happening again
Availability: 99.95% uptime with automatic failover. A production incident is escalated to the senior team within 5 minutes.
99.95% uptimeStandards we meet
PCI DSS, ISO 27001, ISO 9001, SOC 2, GDPR, DORA, and certified hardware: not just labels, but controls verified every year.
PCI DSS L1
Highest PCI level
FIPS 140-2 L3
Certified HSM hardware
SOC 2 Type II
Verified controls
GDPR
Data in the EU only
ISO 27001
Information security
ISO 9001
Quality management
DORA
Operational resilience
Annual PCI audit
Full compliance report
Quarterly scans
External vulnerabilities
Semi-annual pen tests
Accredited third parties
Want to know how we protect your payments?
We manage the PCI vault. You integrate the API and work with tokens. Less risk, less paperwork, same payments.