Enterprise payments infrastructure
We process sensitive financial data and facilitate capital movement. Our systems operate at the highest standards of protection—not because we have to, but because our customers demand it and we agree.
Defence in depth
We implement security at the infrastructure, application, and process level — so a failure in one layer cannot compromise the whole system.
All data stored on TxnTrust infrastructure is encrypted at rest using AES-256. Every connection between clients and our servers is protected by TLS 1.3, the current version of the protocol.
No user is trusted by default, including internal ones. All access is scoped, authenticated, and logged. Our role-based access control (RBAC) system ensures that a merchant can only see and act on their own data.
Time-based one-time password (TOTP) multi-factor authentication (MFA) is required for all platform users. Sensitive operations, such as authorizing wire transfers, require a fresh MFA challenge even within an active session (step-up authentication).
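The step-up behaviour described above, shown as an added example rather than TxnTrust's own code: an RFC 6238 TOTP verifier (SHA-1, 30-second step, 6 digits) that refuses replay of an already-consumed code, and a gate that lets a wire transfer proceed only if the session's last MFA success is recent. The 300-second freshness window, the `Session` shape and the function names are assumptions.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Added example, not TxnTrust's code. TOTP per RFC 6238 (SHA-1, 30 s step,
# 6 digits) plus a step-up check for wire transfers. The 300 s freshness
# window, the Session shape and the function names are assumptions.

STEP = 30               # TOTP time step (seconds)
DIGITS = 6
SKEW = 1                # accept one step of clock drift either side
STEP_UP_MAX_AGE = 300   # seconds since last MFA success a wire may rely on


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    return hotp(secret, at // STEP)


def verify_totp(secret: bytes, code: str, at: int,
                last_counter: Optional[int]) -> Optional[int]:
    """Return the accepted time-step counter, or None.

    A counter at or below the last one already accepted is refused, so a
    captured code cannot be replayed within its validity window."""
    base = at // STEP
    for delta in range(-SKEW, SKEW + 1):
        ctr = base + delta
        if last_counter is not None and ctr <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, ctr), code):
            return ctr
    return None


class Session:
    def __init__(self, user: str, mfa_verified_at: Optional[int] = None):
        self.user = user
        self.mfa_verified_at = mfa_verified_at   # epoch seconds, None if never
        self.last_totp_counter: Optional[int] = None


def needs_step_up(session: Session, now: int) -> bool:
    return (session.mfa_verified_at is None
            or now - session.mfa_verified_at > STEP_UP_MAX_AGE)


def authorize_wire(session: Session, secret: bytes, now: int,
                   code: Optional[str] = None) -> str:
    """Gate a sensitive operation behind a recent MFA success.

    Returns "ok", "mfa_required" (no code supplied, challenge the user) or
    "mfa_failed" (code supplied but rejected)."""
    if not needs_step_up(session, now):
        return "ok"
    if code is None:
        return "mfa_required"
    ctr = verify_totp(secret, code, now, session.last_totp_counter)
    if ctr is None:
        return "mfa_failed"
    session.last_totp_counter = ctr
    session.mfa_verified_at = now
    return "ok"


if __name__ == "__main__":
    # RFC 6238 test secret; at t=59 the SHA-1 code is 287082.
    secret = b"12345678901234567890"
    s = Session("alice")
    print(authorize_wire(s, secret, 59))                    # mfa_required
    print(authorize_wire(s, secret, 59, totp(secret, 59)))  # ok
    print(authorize_wire(s, secret, 59 + 100))              # ok, still fresh
```

Two details matter in practice: the accepted counter is recorded per session so the same code cannot be presented twice, and the freshness check runs on every sensitive call rather than once at login, which is what "even on active sessions" has to mean to be worth anything.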
Every read and write operation on the platform is logged to an append-only audit log. Logs are tamper-evident and retained for a minimum of 12 months to support forensic investigation and compliance reporting.
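One way to make a log tamper-evident, as an added example that is not TxnTrust's implementation: each record's hash commits to the previous record's hash, so editing, reordering or deleting an entry breaks every link after it, and anchoring the latest hash somewhere the log writer cannot modify makes truncation of the tail detectable too. The record fields, the SHA-256 chaining and the anchoring step are assumptions.

```python
import hashlib
import json
from typing import List, Optional, Tuple

# Added example, not TxnTrust's implementation: a hash-chained audit log
# that makes modification, reordering and (with an external anchor)
# truncation detectable. Record fields and the anchor mechanism are
# assumptions.

GENESIS = "0" * 64   # prev_hash of the first record


def _canonical(event: dict) -> bytes:
    # Deterministic encoding so the hash does not depend on key order.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def record_hash(prev_hash: str, seq: int, event: dict) -> str:
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(seq.to_bytes(8, "big"))
    h.update(_canonical(event))
    return h.hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.records: List[dict] = []

    def append(self, event: dict) -> dict:
        """Append-only: a record's hash commits to its predecessor's hash."""
        seq = len(self.records)
        prev = self.records[-1]["hash"] if self.records else GENESIS
        rec = {"seq": seq, "prev_hash": prev, "event": event,
               "hash": record_hash(prev, seq, event)}
        self.records.append(rec)
        return rec

    def head(self) -> str:
        """Latest hash; publish or sign this out of band (for example into a
        WORM store) so that rewriting or cutting the tail is detectable."""
        return self.records[-1]["hash"] if self.records else GENESIS


def verify_chain(records: List[dict],
                 anchored_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, seq of first bad record).
    If an externally stored head is given, a chain that checks internally
    but ends elsewhere (truncated or rewritten) fails with seq=len(records)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev_hash"] != prev:
            return False, i
        if record_hash(prev, i, rec["event"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(records)
    return True, None


if __name__ == "__main__":
    log = AuditLog()
    # Constructed sample events, not real platform data.
    log.append({"actor": "alice", "op": "read", "obj": "txn/1"})
    log.append({"actor": "bob", "op": "write", "obj": "txn/2", "amount": 100})
    anchor = log.head()
    log.records[1]["event"]["amount"] = 1     # simulate an in-place edit
    print(verify_chain(log.records, anchor))  # (False, 1)
```

The chain alone only proves that whoever holds the log did not edit the middle of it; an attacker with write access can recompute every hash from the edited record onward. That is why `verify_chain` takes an anchored head: the check is only as strong as the place the head is kept.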
API keys and secrets are never stored in plain text: keys are stored as salted hashes produced by industry-standard key derivation functions, so a database compromise does not yield usable credentials, and secrets are rotated automatically. Production credentials are accessible only through strict IAM controls.
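What "never stored in plain text" plus rotation looks like in code, as an added example rather than TxnTrust's implementation: the API key is shown to the customer once, only a per-key salt and an scrypt-derived hash are persisted, verification is a constant-time compare of the re-derived hash, and rotation issues a new key while the old one expires after a grace period. The key format `tt_<key id>_<secret>`, the scrypt parameters, the 24-hour grace period and the `KeyStore` API are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Added example, not TxnTrust's implementation. Key format tt_<key id>_<secret>,
# scrypt parameters, the 24 h rotation grace period and the KeyStore API are
# assumptions.

KEY_PREFIX = "tt"
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
GRACE_SECONDS = 24 * 3600   # old key still accepted this long after rotation


def _derive(secret_part: str, salt: bytes) -> bytes:
    # Memory-hard KDF: a leaked table of hashes cannot be brute-forced cheaply.
    return hashlib.scrypt(secret_part.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


class KeyStore:
    """Holds only (salt, derived hash) per key id; the secret part is shown
    once at issue time and never persisted."""

    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}

    def issue(self, owner: str, now: int) -> str:
        key_id = secrets.token_hex(8)            # public lookup handle
        secret_part = secrets.token_urlsafe(32)  # 256 bits of entropy
        salt = os.urandom(16)
        self.records[key_id] = {"owner": owner, "salt": salt,
                                "hash": _derive(secret_part, salt),
                                "created": now, "expires": None}
        return f"{KEY_PREFIX}_{key_id}_{secret_part}"

    def verify(self, presented: str, now: int) -> Optional[str]:
        """Return the owning account, or None if the key is unknown, malformed,
        expired, or its secret part does not match."""
        try:
            prefix, key_id, secret_part = presented.split("_", 2)
        except ValueError:
            return None
        rec = self.records.get(key_id)
        if prefix != KEY_PREFIX or rec is None:
            return None
        if rec["expires"] is not None and now >= rec["expires"]:
            return None
        # Constant-time compare on the derived hash, never on the raw secret.
        if not hmac.compare_digest(_derive(secret_part, rec["salt"]), rec["hash"]):
            return None
        return rec["owner"]

    def rotate(self, key_id: str, now: int) -> str:
        """Issue a replacement and put the old key on a grace timer so clients
        can cut over without an outage. A key known to be compromised should
        be revoked immediately instead."""
        old = self.records[key_id]
        old["expires"] = now + GRACE_SECONDS
        return self.issue(old["owner"], now)

    def revoke(self, key_id: str, now: int) -> None:
        self.records[key_id]["expires"] = now


if __name__ == "__main__":
    store = KeyStore()
    key = store.issue("merchant_42", now=1_700_000_000)
    print(key)                                   # shown once to the customer
    print(store.verify(key, 1_700_000_000))      # merchant_42
    print(store.verify(key + "x", 1_700_000_000))  # None
```

Putting a random key id in the key itself lets the server look up one record and run one KDF per request instead of deriving against every stored hash; the id is not secret, only the part after it is.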
Every transaction is scored in real time against configurable risk rules including velocity checks, geographic risk assessment, unusual amount detection, and counterparty screening. Flagged transactions are automatically held for manual review.
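A minimal version of the scoring described above, as an added example that is not TxnTrust's engine: a per-merchant history feeds a velocity rule, a geographic rule, an unusual-amount rule based on the merchant's own baseline, and a counterparty screen; weights add up to a score and anything at or above the hold threshold is routed to review. The rule weights, thresholds, the country code "XX" and the counterparty list are constructed for illustration.

```python
import statistics
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

# Added example, not TxnTrust's engine. Rule weights, thresholds, the
# country code "XX" and the counterparty list are constructed for illustration.


@dataclass
class Txn:
    id: str
    merchant: str
    counterparty: str
    amount: float
    country: str
    ts: int            # epoch seconds


@dataclass
class Rules:
    velocity_window: int = 3600          # seconds
    velocity_max: int = 5                # attempts allowed per window
    high_risk_countries: frozenset = frozenset({"XX"})
    blocked_counterparties: frozenset = frozenset({"sanctioned-co"})
    amount_z: float = 3.0                # standard deviations above baseline
    baseline_min: int = 5                # samples before the amount rule applies
    hold_at: int = 50                    # score at or above which we hold


class RiskEngine:
    def __init__(self, rules: Rules) -> None:
        self.rules = rules
        # Per-merchant history of (ts, amount), including held attempts, so a
        # burst of rejected attempts still counts against velocity.
        self.history: Dict[str, Deque[Tuple[int, float]]] = defaultdict(
            lambda: deque(maxlen=200))

    def score(self, t: Txn) -> Tuple[int, List[str], str]:
        """Return (score, reasons, decision) where decision is approve or hold."""
        r = self.rules
        hist = self.history[t.merchant]
        score, reasons = 0, []

        # Velocity: attempts by this merchant inside the sliding window.
        recent = sum(1 for ts, _ in hist if ts >= t.ts - r.velocity_window)
        if recent + 1 > r.velocity_max:
            score += 50
            reasons.append("velocity")

        # Geographic risk.
        if t.country in r.high_risk_countries:
            score += 30
            reasons.append("high_risk_country")

        # Unusual amount: z-score against the merchant's own recent amounts.
        amounts = [a for _, a in hist]
        if len(amounts) >= r.baseline_min:
            mean, sd = statistics.mean(amounts), statistics.pstdev(amounts)
            if sd > 0 and (t.amount - mean) / sd > r.amount_z:
                score += 50
                reasons.append("unusual_amount")

        # Counterparty screening; a hit alone is enough to hold.
        if t.counterparty in r.blocked_counterparties:
            score += 100
            reasons.append("blocked_counterparty")

        hist.append((t.ts, t.amount))
        return score, reasons, "hold" if score >= r.hold_at else "approve"


if __name__ == "__main__":
    eng = RiskEngine(Rules())
    # Constructed sample traffic: a quiet merchant, then a burst, then a spike.
    for i, (ts, amt) in enumerate([(0, 100), (100, 110), (200, 90), (300, 120), (400, 80)]):
        print(eng.score(Txn(f"t{i}", "m1", "acme", amt, "US", ts)))
    print(eng.score(Txn("t5", "m1", "acme", 100, "US", 500)))      # velocity -> hold
    print(eng.score(Txn("t6", "m1", "acme", 5000, "US", 10000)))   # unusual amount -> hold
```

Note that held attempts are kept in the history deliberately: if they were dropped, an attacker could fire unlimited attempts and never trip the velocity rule, since each held one would vanish from the count.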
Compliance
TxnTrust is designed from the ground up for the compliance requirements of the financial industry. We actively maintain certifications and regulatory postures so that our customers can confidently meet their own obligations.
Our compliance team monitors regulatory developments across key jurisdictions and updates our policies and controls accordingly.
SOC 2 Type II
Audit engagement underway; the Type II attestation report is expected in Q1 2027.
GDPR
Data processing agreements available. EU data residency options supported.
CCPA
California consumer rights fully honoured with documented data deletion workflows.
PCI DSS
Card data handling is scoped through our Stripe integration; no raw primary account numbers (PANs) are stored on our systems.
AML / KYB
Know-Your-Business verification required for all merchant accounts.
Responsible Disclosure
We deeply value the work of the security research community. If you discover a potential vulnerability in our platform, please report it to us privately before public disclosure. We commit to acknowledging your report within 48 hours, providing regular updates on our investigation, and crediting researchers who report valid issues.