PayByPocket

Governance & Control Framework

We maintain documented security policies and ensure consistent enforcement.
Access is provisioned on the least-privilege principle and subject to oversight.
Roles are defined clearly for change approvals, incident handling, and governance.

Hosting & Infrastructure

PayByPocket operates on AWS U.S. regions.
AWS data centers are certified under SOC 2, ISO 27001, and PCI DSS.
Logical separation ensures users' payment data is isolated per account.

Data Protection & Secrets

Payment data (and all user data) is encrypted in transit (TLS 1.2+) and at rest (AES-256).
Encrypted backups are kept with redundancy across regions.
Secrets, API keys, and credentials are stored securely using vaults and are tightly controlled.

Access & Identity Management

System access is limited to necessary personnel only.
MFA is enforced for all elevated or administrative access.
Identity tools ensure roles are assigned, changed, or revoked reliably and automatically.

Monitoring, Logging & Patching

Continuous monitoring of infrastructure, systems, and transaction flows.
Audit logging is centralized for detection, investigations, and accountability.
Patching of software, dependencies, and infrastructure is part of regular maintenance.

Vendor & Third-Party Risk

Vendors and integrations are assessed for security posture and compliance.
We require vendors to adhere to security standards and contractual obligations (e.g. encryption, access limits).

Employee Security & Awareness

Employees follow confidentiality and security policies as part of their role.
Security awareness training is conducted periodically to reinforce good practices.
Company devices are secured with encryption, anti-malware, and strong configurations.

Compliance & Assurance

PayByPocket adheres to SOC 2 security criteria and aligns its practices with payments industry expectations (e.g. PCI readiness).
We pursue continuous risk assessments and aim for ongoing improvements.