Security at Crosspay

Last Updated: January 12, 2026

Our Commitment to Trust

At Crosspay, we understand that we are critical infrastructure. When you integrate our SDK, you are trusting us with your revenue stream and your user relationships. Security is not a feature we add on; it is the foundation of our architecture.

This document outlines the technical and organizational measures we implement to protect your data.

1. Cloud Infrastructure

Crosspay does not maintain physical servers. Our infrastructure is hosted entirely on Amazon Web Services (AWS), primarily in the us-east-1 (N. Virginia) region.

  • Physical Security: We rely on AWS's industry-leading physical security controls (biometric access, 24/7 surveillance, redundant power).
  • Network Segregation: Our production environment is isolated within a Virtual Private Cloud (VPC). We utilize public and private subnets; databases and internal services are not accessible from the public internet.
  • DDoS Protection: We utilize AWS Shield and CloudFront to mitigate Distributed Denial of Service (DDoS) attacks at the edge.

2. Data Encryption

We encrypt data at every stage of its lifecycle.

  • Encryption in Transit: All data transmitted between the Crosspay SDK, our Dashboard, and our API is encrypted using TLS 1.3 (Transport Layer Security). We enforce HSTS (HTTP Strict Transport Security) on all web properties.
  • Encryption at Rest: All data stored in our databases (PostgreSQL) and object storage (S3) is encrypted using AES-256. Key management is handled via AWS KMS (Key Management Service).
  • Sensitive Data: We do not store raw credit card numbers. All billing data is tokenized and processed directly by our payment processor, Stripe (PCI-DSS Level 1 Service Provider).

3. Application Security

3.1 Authentication & Access Control

  • Dashboard Access: We support enforcing Multi-Factor Authentication (MFA) for all developer accounts.
  • API Security: API requests are authenticated using scoped API Keys. We employ rate limiting to prevent brute-force attacks and abuse.
  • Role-Based Access Control (RBAC): Internally, access to customer data is restricted to a "need-to-know" basis. Engineers access production resources through a VPN with MFA enforcement.

3.2 Secure Development Lifecycle (SDLC)

  • Code Review: All code changes require peer review and automated testing before merging.
  • Dependency Scanning: We use automated tools (e.g., Dependabot, Snyk) to scan our dependencies for known vulnerabilities (CVEs) in real time.
  • Static Analysis: SAST tools run on every commit to detect common security flaws (such as those in the OWASP Top 10) before deployment.

4. Compliance & Certifications

  • GDPR: We are fully compliant with the General Data Protection Regulation. Please see our Privacy Policy for details on our role as a Data Processor.
  • PCI-DSS: As we do not store cardholder data, we rely on Stripe's PCI compliance. We complete a Self-Assessment Questionnaire (SAQ-A) annually.
  • SOC 2 Type II: Crosspay is currently undergoing its SOC 2 Type II audit period. We expect to receive our attestation report by Q3 2026.

5. Vulnerability Disclosure

We welcome contributions from external security researchers. If you believe you have found a security vulnerability in Crosspay, please report it to us via security@crosspay.dev.

  • Scope: Our API, Dashboard, and SDKs.
  • Safe Harbor: We will not pursue legal action against researchers who report vulnerabilities in good faith and in accordance with this policy.
  • Bounties: We offer monetary rewards for confirmed critical vulnerabilities on a case-by-case basis.

6. Incident Response

In the event of a security breach:

  • Containment: Our security team will isolate affected systems immediately.
  • Notification: We will notify affected customers via email within 72 hours of confirming a data breach, in accordance with GDPR and local laws.
  • Transparency: We will publish a post-mortem detailing the root cause and remediation steps once the incident is resolved.

For specific security questionnaires or to request our latest penetration test summary (Enterprise customers only), please contact security@crosspay.dev.