Security

Card data stays safe with us

We safeguard card data in our PCI DSS Level 1 vault: encrypted, stored only in European data centres, with every access logged. You never touch the card number—you work with tokens only.

Certification

PCI DSS Level 1

This is the highest level of PCI compliance. It means our vault is audited every year by independent assessors, and you inherit much of that protection.

Annual audit

A qualified PCI assessor (QSA) verifies every year that we meet all requirements. The report is available to payment networks and, on request, to you as well.

Quarterly scans

Every quarter we scan internet-facing infrastructure. If we find anything to fix, we resolve it before the next scan.

Less burden for you

Because card data lives in our vault, your PCI scope shrinks. You can often complete a simpler questionnaire (SAQ A) instead of managing everything yourself.

Europe only

Card data never leaves the EU

We store and process card data only within the European Union. No copies outside Europe, no non-EU cloud for vault operations.

Built for GDPR

Data processing agreements, legal bases, and documentation are already in place. You know where the data is and who manages it: us, in the EU.

Data centres in Germany and the Netherlands

Redundant infrastructure with high availability. Disaster recovery also stays within European borders.

No transfers abroad

Encryption keys, token mappings, and audit logs remain under EU jurisdiction. No risks linked to data transfers outside Europe.

What we guarantee

Card data stored only in EU data centres
Encryption keys generated and held in the EU
GDPR Art. 28 compliant DPA available
No non-EU sub-processors for the vault
Disaster recovery within EU borders
Encryption

Encrypted at rest and in transit

Card data never travels in plain text. We encrypt it when we store it and when we move it between our systems.

01

AES-256 in the vault

At rest

Every card number in the vault is encrypted with AES-256. Keys stay protected inside dedicated hardware (HSM). We never export them in plain text.

02

TLS 1.3 in transit

Secure connections only

APIs and payment flows use TLS 1.3. Older versions are disabled. Even if someone intercepted past traffic, they could not decrypt it.

03

Key rotation

No downtime

Master keys rotate every year, as PCI DSS requires. Re-encryption runs in the background: nothing changes for you or your customers.

AES-256

Encryption at rest

TLS 1.3

Between systems

Annual

Key rotation

Dedicated hardware

Keys live in an HSM

An HSM is a tamper-resistant hardware device where we generate and store encryption keys. Card numbers never leave it in plain text.

FIPS 140-2 Level 3 certified

A recognised standard for hardware security. If someone tries to physically open the device, keys are destroyed automatically.

Keys generated inside the HSM

Generation, rotation, and destruction happen only within the HSM boundary. We never store master keys on disk or in generic cloud storage.

Tamper resistance

Dedicated sensors and enclosures detect physical access attempts. If anything is abnormal, cryptographic material is wiped.

How a request flows

Your API request (TLS 1.3)
PCI Proxy Engine Receives card data and creates the token
HSM (FIPS 140-2 L3) Generates keys and encrypts card data
Encrypted vault (AES-256) Card number encrypted, keys in HSM only
Active protection

Anti-abuse controls

Beyond encryption and tokenization, we monitor every request. If something looks wrong, we block or flag it before it becomes a problem.

Rate limits

We detect unusual spikes in requests from the same account, IP, or API key. Configurable thresholds trigger temporary blocks and alert the security team.

Suspicious patterns

We analyse traffic to spot unusual behaviour: sequential testing, unusual volumes, geographic inconsistencies. Flagged requests are stopped according to your policy.

24/7 monitoring

Our security team watches errors, latency, and data access. If something deviates from normal, we respond within minutes.

External testing

We get tested from the outside too

We don't stop at PCI audits: regular penetration tests and third-party scans verify that the vault stays solid.

01

Penetration testing

Twice a year, accredited firms simulate attacks on our network and APIs. Every issue found is fixed and verified again.

02

Vulnerability management

Weekly internal scans across all components. Critical issues are resolved on defined timelines: the most severe within 24 hours.

03

SOC 2 Type II report

Every year, independent auditors verify security, availability, and confidentiality. On request under NDA, we share the report with customers.

04

Secure development

Every code change goes through review and automated tests. Before touching the vault, we assess risks in a structured way.

If something happens

Incident response

We hope it never happens. But if there is a security event, we detect it, contain it, and keep you informed with transparency.

24/7
Monitoring

Always on

Real-time log and alert correlation across the entire infrastructure

<15m
Detection

First response

We classify severity and start containment within 15 minutes

<72h
Communication

We notify you

If needed, we notify within 72 hours as required by GDPR and PCI

After
Improvement

Analysis and fixes

Post-mortem with corrective actions to prevent it from happening again

Availability: 99.95% uptime with automatic failover. A production incident is escalated to the senior team within 5 minutes.

99.95% uptime
Certifications

Standards we meet

PCI DSS, ISO 27001, ISO 9001, SOC 2, GDPR, DORA, and certified hardware: not just labels, but controls verified every year.

PCI DSS L1

Highest PCI level

FIPS 140-2 L3

Certified HSM hardware

SOC 2 Type II

Verified controls

GDPR

Data in the EU only

ISO 27001

Information security

ISO 9001

Quality management

DORA

Operational resilience

Annual PCI audit

Full compliance report

Quarterly scans

External vulnerabilities

Semi-annual pen tests

Accredited third parties

Want to know how we protect your payments?

We manage the PCI vault. You integrate the API and work with tokens. Less risk, less paperwork, same payments.