Security and Compliance
Orsunpay maintains the highest security standards to protect your data and ensure compliance with global regulations.
Security Standards
Data Encryption
- At Rest: AES-256 encryption for all stored data
- In Transit: TLS 1.3 for all API communications
- Key Management: Hardware security modules (HSMs)
- Database: Encrypted database storage with column-level encryption for sensitive data
Network Security
- Firewall Protection: Multi-layer firewall architecture
- DDoS Protection: Advanced DDoS mitigation
- Network Segmentation: Isolated network zones for different services
- VPN Access: Secure VPN access for administrative functions
Access Controls
- Multi-Factor Authentication: Required for all administrative access
- Role-Based Access Control: Granular permission management
- API Key Security: Scoped API keys with configurable permissions
- Session Management: Secure session handling with automatic expiration
Compliance Certifications
PCI DSS Level 1 (Planned)
Orsunpay is working toward PCI DSS Level 1 certification:
- Current Status: PCI DSS Level 2 compliant
- Target: Level 1 certification by Q2 2024
- Scope: Full compliance for card data processing
- Benefits: Enhanced security for card transactions
SOC 2 Type II
- Certification: SOC 2 Type II compliant
- Scope: Security, availability, processing integrity
- Audit Frequency: Annual third-party audits
- Reports: Available to enterprise customers
ISO 27001
- Status: ISO 27001:2013 certified
- Scope: Information security management system
- Coverage: All Orsunpay operations and data centers
- Maintenance: Continuous monitoring and improvement
Data Protection
GDPR Compliance
Full compliance with the European General Data Protection Regulation:
- Data Minimization: Collect only necessary personal data
- Purpose Limitation: Use data only for specified purposes
- Retention Limits: Automatic data deletion after retention periods
- Data Subject Rights: Support for access, rectification, and deletion requests
- Privacy by Design: Built-in privacy protections
Data Processing Agreements
- Standard DPAs: Available for all merchants
- Custom Terms: Enterprise-specific data processing agreements
- Lawful Basis: Clear legal basis for all data processing
- International Transfers: Appropriate safeguards for cross-border transfers
Data Retention Policies
| Data Type | Retention Period | Purpose |
|---|---|---|
| Transaction Records | 7 years | Regulatory compliance |
| Customer PII | 3 years after last activity | Business operations |
| API Logs | 90 days | Security monitoring |
| Audit Logs | 7 years | Compliance requirements |
| Marketing Data | Until consent withdrawn | Marketing communications |
Regional Compliance
United States
- PCI DSS: Payment Card Industry compliance
- SOX: Sarbanes-Oxley Act compliance for public merchants
- State Laws: Compliance with state-specific privacy laws
- AML/KYC: Anti-money laundering and know-your-customer requirements
European Union
- GDPR: General Data Protection Regulation
- PSD2: Payment Services Directive 2
- AML5: Fifth Anti-Money Laundering Directive
- SEPA: Single Euro Payments Area regulations
Other Regions
- Canada: PIPEDA compliance
- Australia: Privacy Act compliance
- Brazil: LGPD (Lei Geral de Proteção de Dados)
- Singapore: PDPA (Personal Data Protection Act)
Security Monitoring
24/7 Security Operations Center
- Threat Detection: Real-time threat monitoring
- Incident Response: Immediate response to security incidents
- Vulnerability Management: Regular security assessments
- Penetration Testing: Quarterly third-party security testing
Monitoring Capabilities
- Network Monitoring: Continuous network traffic analysis
- Application Security: Real-time application security monitoring
- Database Activity: Database access and query monitoring
- API Security: API endpoint monitoring and rate limiting
Incident Response
Response Process
- Detection: Automated and manual threat detection
- Assessment: Immediate impact assessment
- Containment: Isolate and contain security incidents
- Investigation: Detailed forensic investigation
- Resolution: Implement fixes and security improvements
- Communication: Notify affected parties as required
Communication Protocol
- Internal Escalation: Immediate internal notification
- Customer Notification: Within 72 hours for data breaches
- Regulatory Reporting: As required by applicable laws
- Public Disclosure: When legally required or appropriate
Merchant Responsibilities
Security Best Practices
- API Key Management: Secure storage and rotation of API keys
- HTTPS Enforcement: Use HTTPS for all integrations
- Input Validation: Validate all user inputs
- Access Controls: Implement proper access controls
- Regular Updates: Keep systems and dependencies updated
Compliance Requirements
- Data Handling: Follow data protection requirements
- Audit Cooperation: Participate in compliance audits
- Incident Reporting: Report suspected security incidents
- Documentation: Maintain proper security documentation
Audit and Reporting
Regular Audits
- Internal Audits: Quarterly internal security audits
- External Audits: Annual third-party security assessments
- Compliance Audits: Regular compliance verification
- Penetration Testing: Quarterly penetration testing
Reporting
- Compliance Reports: Available to merchants upon request
- Audit Results: Summary reports for certified merchants
- Security Metrics: Regular security posture updates
- Incident Reports: Post-incident analysis and improvements
Data Subject Rights
GDPR Rights Support
We support all GDPR data subject rights:
- Access: Right to access personal data
- Rectification: Right to correct inaccurate data
- Erasure: Right to deletion (“right to be forgotten”)
- Portability: Right to data portability
- Restriction: Right to restrict processing
- Objection: Right to object to processing
Request Process
- Submit Request: Email [email protected]
- Identity Verification: Verify identity to prevent fraud
- Request Processing: Process within 30 days
- Response: Provide requested information or action
- Appeals: Right to appeal decisions
Security Resources
Documentation
- Security Policies: Detailed security policy documentation
- Integration Guides: Security best practices for integration
- Incident Procedures: Security incident response procedures
- Compliance Guides: Compliance requirement documentation
Support
- Security Team: Dedicated security support team
- Compliance Consultation: Compliance guidance for merchants
- Training: Security awareness training programs
- Resources: Security tools and resources library
Contact Information
- Security Issues: [email protected]
- Privacy Questions: [email protected]
- Compliance: [email protected]
- General Support: [email protected]
Security and compliance are shared responsibilities. While Orsunpay provides a secure platform, merchants must implement appropriate security measures in their own systems.