
Security as infrastructure

Marseille UPG runs payment-grade infrastructure on which our customers’ revenue depends. Our security programme is engineered, audited and monitored continuously — not a static document.

Last red-team: Feb 2026
Last pen test: Jan 2026
PCI scope: Level 1 service provider
SOC: 24 / 7 / 365

Defence-in-depth architecture

Mutually authenticated, segmented services. Every internal call is signed, audited and rate-limited.

Cryptography by default

TLS 1.3 in transit, AES-256 at rest, FIPS-validated HSM-backed key custody for signing material.

Data minimisation

PAN data is tokenised or vaulted; the platform stores no cardholder data outside scope.

Strong identity

Hardware-key SSO and MFA for all admin paths. Per-tenant RBAC and ABAC for customer surfaces.

Continuous monitoring

24/7 SOC, behavioural detection, signed audit logs and immutable forensic retention.

Adversarial testing

Quarterly external penetration tests and continuous internal red-team exercises.

Authorised uptime SLO: 99.995%
Detection median: < 30s
Containment median: < 15m
Cardholder-data incidents: 0

01 Architecture

The platform runs across hardened multi-tenant service meshes in three independent regions (EU, US, APAC). Each region is self-sufficient: a regional outage does not propagate to others. All inter-service traffic is mutually authenticated using mTLS and signed at the application layer.

  • Network segmentation by trust zone: edge, control plane, processing plane, vault, observability.
  • Cardholder data flows are isolated to a hardened PCI environment with dedicated identities and key material.
  • Multi-region active/active for stateless paths; durable, replicated storage with regional pinning for stateful paths.
  • Configuration as code with two-person review and signed deployments; production access requires JIT approval.
02 Data protection

  • Tokenisation: PAN values are exchanged for tenant-scoped tokens; raw PAN never traverses the application plane.
  • Encryption at rest with AES-256 using customer-segregated keys; rotation enforced quarterly.
  • Encryption in transit with TLS 1.3 minimum, modern cipher suites only, HSTS, and certificate transparency monitoring.
  • Key custody on FIPS 140-2 Level 3 HSMs; signing keys dual-controlled and rotated on schedule and on event.
  • Backups encrypted, integrity-checked, periodically restored end-to-end, and geo-replicated within region.
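The tokenisation bullet above describes an interface rather than an implementation. The following is an added example, not the platform's code, of a minimal tenant-scoped tokenisation vault that shows the two properties the bullet relies on: tokens are random values (nothing about the PAN can be recovered from a token), and a token only resolves for the tenant that vaulted it, so a token leaked from one tenant is useless to another. The PAN store, the per-tenant fingerprint keys and the test PAN are constructed stand-ins; a real vault would keep the records encrypted under per-tenant keys and the fingerprint keys in an HSM.

```python
import hashlib
import hmac
import secrets

# Constructed example (not the platform's code): a minimal tenant-scoped
# tokenisation vault. The vault is the only component that ever sees a PAN;
# the application plane handles the token and a masked form only.


class TokenisationError(Exception):
    """Raised when a PAN is malformed or a token cannot be resolved for the caller's tenant."""


def luhn_valid(pan: str) -> bool:
    """Luhn check so that obviously malformed PANs are rejected before they reach the vault."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Masked form that is safe for the application plane: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    def __init__(self) -> None:
        # (tenant_id, token) -> PAN. Stand-in for storage encrypted under a
        # per-tenant key; kept in memory here so the example runs offline.
        self._records: dict = {}
        # tenant_id -> HMAC key used to fingerprint PANs. Stand-in for an
        # HSM-custodied key; generated on first use here.
        self._fp_keys: dict = {}
        # (tenant_id, fingerprint) -> token, so the same card maps to one
        # token per tenant without the app plane ever comparing PANs.
        self._by_fingerprint: dict = {}

    def _fingerprint(self, tenant_id: str, pan: str) -> str:
        if tenant_id not in self._fp_keys:
            self._fp_keys[tenant_id] = secrets.token_bytes(32)
        return hmac.new(self._fp_keys[tenant_id], pan.encode(), hashlib.sha256).hexdigest()

    def tokenise(self, tenant_id: str, pan: str) -> dict:
        """Exchange a PAN for a tenant-scoped token. Tokens are random, not derived from the PAN."""
        if not luhn_valid(pan):
            raise TokenisationError("malformed PAN")
        fp = self._fingerprint(tenant_id, pan)
        token = self._by_fingerprint.get((tenant_id, fp))
        if token is None:
            token = "tok_" + secrets.token_hex(16)
            self._records[(tenant_id, token)] = pan
            self._by_fingerprint[(tenant_id, fp)] = token
        return {"token": token, "masked": mask(pan)}

    def detokenise(self, tenant_id: str, token: str) -> str:
        """Resolve a token back to its PAN. Only the tenant that vaulted it can do so."""
        try:
            return self._records[(tenant_id, token)]
        except KeyError:
            raise TokenisationError("unknown token for this tenant") from None


if __name__ == "__main__":
    vault = TokenVault()
    issued = vault.tokenise("tenant-a", "4111111111111111")  # constructed test PAN
    print(issued)
    print(vault.detokenise("tenant-a", issued["token"]))
```

The fingerprint index is what lets a merchant recognise a returning card (same token every time) without the application plane ever holding or comparing PANs; because the fingerprint key is per tenant, the same card yields different tokens and different fingerprints for different tenants.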
03 Access control

  • Mandatory SSO with hardware-key MFA (FIDO2) for all employees and contractors.
  • Just-in-time, ticket-bound elevation; no standing production access for engineers.
  • Per-tenant RBAC and ABAC in the dashboard, with API-key scopes, IP allowlisting and short-lived tokens.
  • Quarterly access reviews; automated revocation on role change, leave or termination.
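As an added example, not the platform's code, the following shows how the API-key controls listed above (scopes, tenant binding, IP allowlisting and short-lived credentials) combine into a single deny-by-default authorisation decision. The credential shape, the 15 minute default TTL, the scope names and the addresses are constructed assumptions; the point is that every check is evaluated, that no scope is inherited implicitly, and that the caller learns which control denied the request so the denial can be logged and alerted on.

```python
import ipaddress
import secrets
import time
from dataclasses import dataclass

# Constructed example (not the platform's code): deny-by-default authorisation
# for a scoped API credential, combining scope, tenant binding, IP allowlist
# and a short time-to-live.


@dataclass(frozen=True)
class ApiCredential:
    key_id: str
    tenant_id: str
    scopes: frozenset        # e.g. {"payments:read"}; no implicit scope inheritance
    allowed_cidrs: tuple     # e.g. ("203.0.113.0/24",); an empty tuple allows nowhere
    issued_at: float
    ttl_seconds: int

    @property
    def expires_at(self) -> float:
        return self.issued_at + self.ttl_seconds


def mint_credential(tenant_id, scopes, allowed_cidrs, ttl_seconds=900, now=None):
    """Issue a short-lived credential (assumed 15 minute default TTL)."""
    now = time.time() if now is None else now
    return ApiCredential(
        key_id="key_" + secrets.token_hex(8),
        tenant_id=tenant_id,
        scopes=frozenset(scopes),
        allowed_cidrs=tuple(allowed_cidrs),
        issued_at=now,
        ttl_seconds=ttl_seconds,
    )


def authorize(cred, tenant_id, required_scope, source_ip, now=None) -> tuple:
    """Return (allowed, reason). Every check must pass; the first failure is reported."""
    now = time.time() if now is None else now
    if now >= cred.expires_at:
        return False, "credential expired"
    if cred.tenant_id != tenant_id:
        return False, "credential not bound to this tenant"
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "unparseable source address"
    # Membership across address families is simply False, so a v6 source never
    # matches a v4 allowlist by accident.
    if not any(ip in ipaddress.ip_network(c, strict=False) for c in cred.allowed_cidrs):
        return False, "source address not allowlisted"
    if required_scope not in cred.scopes:
        return False, f"missing scope {required_scope}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: a read-only key used from an allowlisted address.
    cred = mint_credential("tenant-a", ["payments:read"], ["203.0.113.0/24"])
    print(authorize(cred, "tenant-a", "payments:read", "203.0.113.10"))
    print(authorize(cred, "tenant-a", "payments:write", "203.0.113.10"))
```

Expiry is checked first so that a stolen key that has aged out is rejected before any other attribute is consulted, and the reason string is deliberately specific: a burst of "source address not allowlisted" denials for one key is the signal the SOC would want to page on.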
04 Operations & monitoring

  • 24/7 Security Operations Centre with follow-the-sun coverage across EU, US and APAC.
  • Centralised, signed audit log with immutable cold storage for forensic and regulatory retention.
  • Behavioural detection across identity, network, runtime and configuration planes.
  • Synthetic transaction monitoring across critical flows with paging on regression.
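The "centralised, signed audit log with immutable cold storage" bullet above bundles two mechanisms: each entry is authenticated, and entries are chained so that editing or deleting one breaks every later link. The following is an added example, not the platform's code, of such a log with a verifier that reports where a chain first fails. HMAC-SHA256 stands in for the asymmetric, HSM-held signing a real deployment would use, and the JIT elevation events are constructed sample data. It also shows the limit of chaining alone: silently dropping the newest entries leaves a valid chain, which is why the latest hash has to be checkpointed somewhere the log writer cannot alter (the immutable cold storage the bullet refers to).

```python
import copy
import hashlib
import hmac
import json

# Constructed example (not the platform's code): a hash-chained audit log whose
# entries are authenticated with a key the writer holds. HMAC-SHA256 stands in
# for the asymmetric signing an HSM-backed deployment would use.

GENESIS_HASH = "0" * 64


def _canonical(obj) -> bytes:
    """Deterministic encoding so hashes do not depend on key order or whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class SignedAuditLog:
    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key
        self.entries: list = []

    def head(self) -> str:
        """Latest hash; checkpoint this externally so tail truncation is detectable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def append(self, event: dict) -> dict:
        body = {"seq": len(self.entries), "prev_hash": self.head(), "event": event}
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        sig = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
        entry = dict(body, hash=digest, sig=sig)
        self.entries.append(entry)
        return entry


def verify_chain(entries, key: bytes, expected_head=None):
    """Return (ok, failing_index). Checks sequence, linkage, content hash and MAC of every entry."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev_hash") != prev:
            return False, i  # gap, reorder or deletion
        body = {"seq": e["seq"], "prev_hash": e["prev_hash"], "event": e["event"]}
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        if digest != e.get("hash"):
            return False, i  # content edited after the fact
        expected_sig = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, e.get("sig", "")):
            return False, i  # hash recomputed by someone without the key
        prev = digest
    if expected_head is not None and prev != expected_head:
        return False, len(entries)  # internally consistent but shorter than the checkpoint
    return True, None


# Constructed sample events: a JIT elevation requested, approved and revoked.
SAMPLE_EVENTS = [
    {"actor": "eng-42", "action": "jit.request", "ticket": "CHG-1234", "target": "prod-eu"},
    {"actor": "sec-7", "action": "jit.approve", "ticket": "CHG-1234", "target": "prod-eu"},
    {"actor": "eng-42", "action": "jit.revoke", "ticket": "CHG-1234", "target": "prod-eu"},
]


def build_sample_log(key: bytes) -> SignedAuditLog:
    log = SignedAuditLog(key)
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    return log


def tamper_demo(key: bytes) -> dict:
    """Show which manipulations the verifier catches, and at which index."""
    log = build_sample_log(key)
    checkpoint = log.head()

    edited = copy.deepcopy(log.entries)
    edited[1]["event"]["actor"] = "eng-42"     # rewrite the approval as a self-approval
    deleted = copy.deepcopy(log.entries)
    del deleted[1]                              # drop the approval record entirely
    truncated = copy.deepcopy(log.entries)[:2]  # drop the newest entry

    return {
        "intact": verify_chain(log.entries, key, checkpoint),
        "edited": verify_chain(edited, key, checkpoint),
        "deleted": verify_chain(deleted, key, checkpoint),
        "truncated_no_checkpoint": verify_chain(truncated, key),
        "truncated_with_checkpoint": verify_chain(truncated, key, checkpoint),
    }


if __name__ == "__main__":
    for name, result in tamper_demo(b"constructed-signing-key").items():
        print(f"{name:26s} -> {result}")
```

Because the MAC covers the hash rather than the raw event, the verifier can be handed the key and the entries and nothing else; in a deployment where the signing key lives in an HSM, the same structure works with a public-key signature in place of the HMAC and the verifier needs only the public key.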
05 Incident response

Our incident response programme is documented, rehearsed quarterly, and integrated with customer notification channels. Severity 1 incidents are paged to executive leadership within 15 minutes and customers are notified per contractual commitments.

  • Runbooks for top-tier scenarios: credential compromise, vendor outage, data exposure, fraud spike.
  • Forensic retention with chain of custody and read-only review surfaces.
  • Post-incident reviews published in a customer-facing format on the status page within 5 business days.
06 Application security & SDLC

  • Threat modelling required for new services and major changes; reviewed by a security architect.
  • Static analysis, software composition analysis and secrets scanning enforced in CI; PRs blocked on high-severity findings.
  • Mandatory peer review for all changes; production deployments are signed and reproducible.
  • Dependency provenance via SLSA-aligned build attestations; SBOM published per release.
07 Third-party risk

Every sub-processor is reviewed for security, privacy and resilience before onboarding, and continuously thereafter. Material vendors are tier-classified, contractually bound to flow-down requirements, and published in the DPA.