Certifications
FalconPay maintains the certifications required of a Tier-1 payment processor, independently audited on an annual cadence:
- PCI DSS Level 1: Highest merchant/processor certification for cardholder data environments.
- SOC 2 Type II: Trust Services Criteria (Security, Availability, Confidentiality).
- ISO 27001: Information Security Management System, independently registered.
- AML Aligned: FATF-aligned AML/CFT programme with external annual review.
- GDPR Ready: Data protection controls aligned with GDPR and analogous regimes.
- FCA Registered: Registered status maintained where we operate under FCA oversight.
Attestation letters, SOC 2 reports, and PCI AoC are available under NDA through [email protected].
Defence-in-Depth
Our security model assumes that no single control is sufficient — layered protections reduce the blast radius of any single compromise.
- AES-256 at rest — all sensitive data stored encrypted, with key management in hardware-backed keystores.
- TLS 1.3 in transit — all API traffic, dashboard traffic, and internal service-to-service traffic.
- MFA mandatory on all administrative access; strong MFA (hardware keys or authenticator apps) required for privileged roles.
- Segregated environments — production, staging, and development are fully isolated with separate credential domains.
- Least-privilege access with time-bound elevation for sensitive operations and full audit logging.
API Security
Every API request is authenticated via HMAC-SHA512 with timestamp validation to prevent replay attacks. Rate limiting is applied per-merchant and per-endpoint. Unexpected payload patterns trigger automated review. Documentation and best practices are in the API reference.
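Server-side verification of the HMAC-SHA512 request signing and timestamp check described above, as an added example rather than FalconPay's own code. The canonical string layout, the 5-minute window, the hex signature encoding and the demo secret are assumptions; the page does not specify them.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Assumed, not taken from the page: canonical string is
# "<timestamp>\n<METHOD>\n<path>\n<body>", signature is hex HMAC-SHA512 over it,
# and requests older/newer than 300 seconds are rejected.
REPLAY_WINDOW_SECONDS = 300


def canonical_string(timestamp: int, method: str, path: str, body: bytes) -> bytes:
    return f"{timestamp}\n{method.upper()}\n{path}\n".encode() + body


def sign_request(secret: bytes, timestamp: int, method: str, path: str, body: bytes) -> str:
    """Client side: hex HMAC-SHA512 over the canonical request string."""
    msg = canonical_string(timestamp, method, path, body)
    return hmac.new(secret, msg, hashlib.sha512).hexdigest()


class ReplayGuard:
    """Server side: checks the timestamp window, the MAC, and rejects a
    signature that was already accepted inside the window (a replay)."""

    def __init__(self, secret: bytes, window: int = REPLAY_WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        self.seen = {}  # accepted signature -> timestamp it was seen with

    def verify(self, timestamp: int, signature: str, method: str, path: str,
               body: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        # 1. Stale or future-dated requests are rejected before any MAC work.
        if abs(now - timestamp) > self.window:
            return False, "timestamp outside acceptable window"
        # 2. Recompute and compare in constant time (no early-exit on mismatch).
        expected = sign_request(self.secret, timestamp, method, path, body)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        # 3. Drop entries that have aged out, then refuse an exact replay.
        self.seen = {s: t for s, t in self.seen.items() if now - t <= self.window}
        if signature in self.seen:
            return False, "replayed request"
        self.seen[signature] = timestamp
        return True, "ok"


if __name__ == "__main__":
    # Constructed demo request; the secret is a placeholder, not a real key.
    guard = ReplayGuard(b"demo-secret")
    sig = sign_request(b"demo-secret", 1700000000, "POST", "/v1/charges", b'{"amount":100}')
    print(guard.verify(1700000000, sig, "POST", "/v1/charges", b'{"amount":100}', now=1700000010))
    print(guard.verify(1700000000, sig, "POST", "/v1/charges", b'{"amount":100}', now=1700000020))
```

The replay cache above is per-process; a multi-region deployment would keep it in a shared store keyed on the same signature with the same expiry.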
24/7 Security Operations
A 24/7 security operations centre monitors for anomalous activity, credential abuse, and infrastructure events. Incident response is governed by a documented playbook with a sub-15-minute response SLA for critical events and standing bridge rooms for major incidents. We commit to notifying affected merchants promptly — both as a matter of trust and as required by applicable law.
Vulnerability Management
Production systems are subject to continuous vulnerability scanning, quarterly external penetration testing, and an invitation-based bug bounty programme. Critical vulnerabilities are triaged within 24 hours; time-to-remediation depends on severity but is tracked publicly within our engineering organisation.
Business Continuity
Critical infrastructure runs in multi-region active/active configuration with automated failover. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets are defined per service and tested on a recurring schedule. Our 99.98% uptime SLA reflects these controls.
Responsible Disclosure
Security researchers who discover a vulnerability in our infrastructure are asked to report it via [email protected]. We acknowledge receipt within 24 hours and coordinate disclosure in good faith. Researchers who follow responsible disclosure guidelines receive public acknowledgement and, where applicable, a reward per our bug bounty programme.
Security queries and disclosures: [email protected]