Security & Compliance

At PayMatch, security and data protection are at the core of everything we do. We implement industry-leading security measures to protect your business data, customer information, and financial records.

Data Encryption

Encryption in Transit

  • TLS 1.2+ encryption for all data transmission
  • HTTPS enforced across all platform connections
  • Certificate pinning for mobile applications
  • Perfect Forward Secrecy (PFS) enabled

Encryption at Rest

  • AES-256 encryption for database storage
  • Encrypted file storage for invoices and documents
  • Encrypted database backups
  • Secure key management with rotation policies

Sensitive Data Protection

  • Bank connection tokens encrypted with AES-256
  • Password hashing with bcrypt (cost factor 12)
  • Payment card data never stored (PCI-DSS via Stripe)
  • Tokenization for sensitive identifiers

Access Control & Authentication

User Authentication

  • Multi-factor authentication (MFA) support
  • OAuth 2.0 for bank connections (no credential storage)
  • Strong password requirements enforced
  • Session timeout and automatic logout
  • Account lockout after failed login attempts
  • Email verification for account creation

Role-Based Access Control (RBAC)

  • Granular permission system for team members
  • Principle of least privilege enforced
  • Owner, Admin, and User roles
  • Audit logs for access and permission changes

API Security

  • API key authentication with rotation capability
  • Rate limiting to prevent abuse
  • IP whitelisting available for enterprise customers
  • Client certificate authentication for bLink integration

Infrastructure Security

Hosting & Data Centers

  • Primary data location: Central Europe (Zurich, Switzerland)
  • Hosting providers: AWS, Vercel, Supabase
  • Certifications: ISO 27001, SOC 2 Type II
  • Physical security: 24/7 monitored data centers
  • Redundancy: Multi-region backup and failover

Network Security

  • DDoS protection and mitigation
  • Web Application Firewall (WAF)
  • Intrusion Detection and Prevention Systems (IDS/IPS)
  • Network segmentation and isolation
  • VPC (Virtual Private Cloud) architecture

Backup & Disaster Recovery

  • Automated daily backups with 30-day retention
  • Encrypted backup storage in geographically distributed locations
  • Point-in-time recovery capability
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 24 hours
  • Regular disaster recovery testing

Monitoring & Incident Response

Security Monitoring

  • 24/7 automated security monitoring
  • Real-time threat detection and alerting
  • Anomaly detection using machine learning
  • Comprehensive activity logging and audit trails
  • Security Information and Event Management (SIEM)

Vulnerability Management

  • Automated vulnerability scanning
  • Regular penetration testing by third-party experts
  • Bug bounty program for responsible disclosure
  • Rapid security patch deployment
  • Dependency scanning for open-source components

Incident Response

  • Documented incident response plan
  • Dedicated security incident response team
  • Data breach notification within 72 hours (GDPR/DSG compliant)
  • Post-incident analysis and remediation
  • Communication protocols for affected customers

Bank Connection Security (bLink)

For customers using the optional bank connection feature via bLink (SIX Group AG), we implement additional security measures:

Banking-Grade Security

  • OAuth 2.0 authentication: We never see or store your banking credentials
  • Client certificate authentication: Mutual TLS for bLink API communication
  • Access token encryption: AES-256 encryption with secure key management
  • Automatic token rotation: Regular token refresh and expiration
  • Read-only access: Cannot initiate payments or modify account data
  • Strong Customer Authentication (SCA): PSD2-compliant authentication
  • Consent management: 90-day expiration with re-authentication

Third-Party Security

bLink (operated by SIX Group AG, Switzerland) is:

  • Regulated Account Information Service Provider
  • Compliant with Swiss banking secrecy laws
  • Subject to Swiss Financial Market Supervisory Authority (FINMA) oversight
  • ISO 27001 certified
  • PSD2 compliant (for EU banks)

Compliance & Certifications

Data Protection Laws

  • GDPR (General Data Protection Regulation) - EU
  • Swiss DSG (Federal Act on Data Protection)
  • Standard Contractual Clauses for international data transfers

Security Standards

  • ISO 27001 - Information Security Management (via infrastructure providers)
  • SOC 2 Type II - Security, Availability, Confidentiality
  • PCI-DSS - Payment Card Industry Data Security (via Stripe)

Industry Best Practices

  • OWASP Top 10 security guidelines
  • NIST Cybersecurity Framework
  • CIS Controls for effective cyber defense

Organizational Security

Employee Security

  • Background checks for employees with data access
  • Mandatory confidentiality and security agreements
  • Regular security awareness training and phishing simulations
  • Strict access controls based on job responsibilities
  • Immediate access revocation upon termination

Secure Development Lifecycle

  • Security-by-design principles in development
  • Code review process with security focus
  • Automated security testing in CI/CD pipeline
  • Dependency vulnerability scanning
  • Separate development, staging, and production environments

Vendor Management

  • Security assessment of all third-party vendors
  • Data Processing Agreements with sub-processors
  • Regular vendor security reviews
  • Compliance verification and audit rights

Your Responsibilities

While we implement comprehensive security measures, security is a shared responsibility. We recommend that you:

  • Use strong, unique passwords for your PayMatch account
  • Enable multi-factor authentication (MFA)
  • Keep your account credentials confidential
  • Report any suspicious activity immediately
  • Regularly review connected bank accounts and access logs
  • Keep your browser and devices up to date
  • Be cautious of phishing attempts

Security Audits & Testing

  • Third-party penetration testing: Annually by certified security professionals
  • Vulnerability assessments: Quarterly automated scans
  • Internal security audits: Ongoing
  • Disaster recovery testing: Bi-annually
  • Compliance audits: As required by regulations

Report a Security Issue

If you discover a security vulnerability or have security concerns, please report them responsibly:

Security Contact

Email: security@paymatch.app

We take all security reports seriously and will respond within 48 hours. We appreciate responsible disclosure and will work with you to address any issues promptly.

Last Updated: November 2024
This security documentation is for informational purposes. For contractual security obligations, please refer to our Data Processing Agreement and Privacy Policy.

Last updated: December 10, 2025