Security is one of the biggest considerations in everything we do. If you have any questions after reading this, or encounter any issues, please let us know.
Payment methods used on our platforms have been audited by a PCI-certified auditor and are certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry. To accomplish this, we make use of best-in-class security tools and practices to maintain a high level of security.
HTTPS and HSTS for secure connections
We force HTTPS for all services using TLS (SSL), including our public website and your My Account pages. Our platform libraries connect to multiple servers over TLS and verify TLS certificates on each connection, each time a transaction is triggered by us or by the user.
We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure browsers interact with our platform only over HTTPS. Our platform is also on the HSTS preloaded lists for both Google Chrome and Mozilla Firefox.
Yes, we do encrypt sensitive data and communication.
All card numbers are encrypted at rest with AES-256. Decryption keys are stored on separate machines. None of our internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist.