Security at Payzora

Your data security and privacy are our top priorities. We implement bank-level security measures to protect your information.

  • 256-bit SSL: Bank-level encryption
  • GDPR Compliant: EU data protection
  • 2FA Enabled: Two-factor authentication
  • 99.9% Uptime: Reliable infrastructure

How We Protect Your Data

Data Encryption (256-bit SSL/TLS)

All data transmitted between your browser and our servers is encrypted using industry-standard 256-bit SSL/TLS encryption, the same level of security used by banks.

  • In Transit: HTTPS everywhere, TLS 1.3 protocol
  • At Rest: All sensitive data encrypted in our database
  • Passwords: Hashed using bcrypt with salt (never stored in plain text)

Secure Authentication & 2FA

We use industry-leading authentication practices to ensure only you can access your account.

  • NextAuth.js: Secure session management with HTTP-only cookies
  • Two-Factor Authentication (2FA): Optional TOTP-based 2FA (Google Authenticator, Authy)
  • Password Requirements: Minimum 8 characters, complexity enforced
  • Session Management: Automatic logout after inactivity

Database Security (Row-Level Security)

Our database is protected with multiple layers of security to prevent unauthorized access.

  • Row-Level Security (RLS): Users can only access their own data
  • Supabase PostgreSQL: Enterprise-grade database with automatic backups
  • API Authentication: All API requests require valid authentication tokens
  • Data Isolation: Multi-tenant architecture with strict data separation

Secure Infrastructure

Payzora is hosted on secure, enterprise-grade infrastructure with 99.9% uptime.

  • Vercel: Edge network with automatic SSL, DDoS protection
  • Supabase: SOC 2 Type II certified hosting
  • Automatic Backups: Daily backups with point-in-time recovery
  • Monitoring: 24/7 system monitoring and alerting

Payment Security

We partner with industry-leading payment processors to ensure secure transactions.

  • NOWPayments: Secure crypto payment processing (PCI DSS compliant)
  • Stripe: PCI Level 1 certified for fiat payments
  • No Stored Payment Data: We never store credit card numbers or private keys
  • Webhook Verification: All payment callbacks are cryptographically verified

Strict Access Controls

We limit access to your data and follow the principle of least privilege.

  • Limited Employee Access: Only authorized personnel can access production data
  • Audit Logs: All data access is logged and monitored
  • Role-Based Access: Team permissions based on roles (Pro/Business plans)
  • API Key Management: Secure API keys with rate limiting and expiration

What We DON'T Do (Privacy Commitments)

Your trust is paramount. Here's what we will NEVER do:

We NEVER sell your data

Your data is yours. We will never sell, rent, or share your personal information with advertisers or third parties for marketing purposes.

We NEVER access your private keys

We never ask for or store your cryptocurrency private keys. Your wallet, your keys, your crypto.

We NEVER track you across the web

No invasive tracking pixels, no selling browsing data. We only use analytics to improve Payzora itself.

We NEVER read your invoices

Your invoices are private. We don't read, analyze, or use your invoice content for any purpose other than displaying it to you.

We NEVER share data without consent

Except when required by law, we will never share your data with anyone without your explicit permission.

We NEVER store passwords in plain text

All passwords are hashed using bcrypt with salt. Even we can't see your password; that's by design.

Compliance & Certifications

GDPR Compliant

We comply with the EU General Data Protection Regulation (GDPR), giving you full control over your personal data. You have the right to access, rectify, erase, and export your data at any time.

SOC 2 (In Progress)

We're working towards SOC 2 Type II certification, which demonstrates our commitment to security, availability, processing integrity, confidentiality, and privacy.

PCI DSS (via Partners)

Our payment partners (Stripe, NOWPayments) are PCI DSS Level 1 certified. We never handle or store credit card data directly.

AML Monitoring

We monitor for suspicious activity and comply with Anti-Money Laundering (AML) regulations, reporting large or suspicious transactions as required by law.

Security Audits & Testing

Regular Security Audits

We conduct regular security audits to identify and fix vulnerabilities before they become problems.

  • Code reviews for all production changes
  • Automated security scanning (Snyk, Dependabot)
  • Manual penetration testing (quarterly)
  • Third-party security audits (annually)

Last Security Audit

January 2026

Comprehensive security review conducted

✅ No critical vulnerabilities found

Next scheduled audit: April 2026

Responsible Security Disclosure

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly so we can fix it quickly.

How to Report a Security Vulnerability

  1. Email us at: security@payzora.io
  2. Include detailed information: vulnerability description, steps to reproduce, potential impact
  3. Give us reasonable time to fix the issue before public disclosure (typically 90 days)
  4. We'll acknowledge your report within 24 hours
  5. We'll keep you updated on our progress fixing the issue

✅ Please DO

  • Report the vulnerability privately first
  • Give us time to fix it before going public
  • Provide detailed reproduction steps
  • Test on non-production systems if possible

❌ Please DON'T

  • Publicly disclose before we've fixed it
  • Exploit the vulnerability for personal gain
  • Access or modify other users' data
  • Perform DoS/DDoS attacks

Bug Bounty Program (Coming Soon): We're working on a formal bug bounty program to reward security researchers who help keep Payzora secure.

Security Best Practices for Users

Security is a shared responsibility. Here's how you can protect your Payzora account:

1. Use a Strong Password

Use at least 12 characters with a mix of letters, numbers, and symbols. Never reuse passwords from other sites. Consider using a password manager.

2. Enable Two-Factor Authentication

Turn on 2FA in Settings → Security. Use an authenticator app (Google Authenticator, Authy) for maximum security.

3. Watch Out for Phishing

Payzora will never ask for your password via email. Always verify the URL is payzora.io before logging in. Be cautious of suspicious emails.

4. Keep Your Email Secure

Your email is the key to your account. Use a strong password and 2FA on your email account too.

5. Log Out on Shared Devices

Always log out of Payzora when using public or shared computers. Never save your password in browsers on shared devices.

6. Review Account Activity

Regularly check your account activity for any suspicious logins or actions. Report anything unusual immediately.

Questions About Security?

Our security team is here to help. If you have questions about how we protect your data or want to report a security concern, please reach out.

Security Contact: security@payzora.io

Response Time: We respond to security reports within 24 hours