Security

Security isn't a feature for us — it's the foundation.

Payminty infrastructure is audited to the same standards as the world's largest banks. SOC 2, PCI DSS, ISO 27001 — certified, for real.

Our certifications

Annual audit

SOC 2 Type II

Independent third-party annual audit. Five trust service criteria covering security, availability, processing integrity, privacy, and confidentiality.

Highest level

PCI DSS Level 1

The level for organizations processing 6+ million card transactions per year. Annual on-site assessment, quarterly network scans, annual penetration test.

Certified

ISO 27001

International gold standard for information security management systems. Risk-based approach, continuous improvement cycle.

Encryption

In transit: TLS 1.3 minimum, perfect forward secrecy. At rest: AES-256-GCM, keys rotated within HSMs (Hardware Security Modules). Messages are end-to-end encrypted — even we can't read them.

Access control

Mandatory MFA (hardware key + biometric) for all Payminty employees. Production data access is role-based, least-privilege principle. All access is written to an immutable audit log, retained 7 years.

Monitoring & incident response

24/7 Security Operations Center (SOC). Anomaly detection with machine learning models. Incident response time: 15 minutes for critical, 1 hour for high. All incidents are transparently reported on /status.

Bug bounty program

Active program on HackerOne. Critical: $25K, High: $5K, Medium: $1K, Low: $250. Disclosure: 90-day coordinated disclosure window. 200+ security researchers have contributed so far.

Responsible disclosure

Found a security vulnerability? Please notify us first and allow 90 days before public disclosure. We prefer PGP-encrypted email; the fingerprint is on the security@payminty.app page.
