Security and Compliance
Orsunpay maintains the highest security standards to protect your data and ensure compliance with global regulations.
Security Standards
Data Encryption
- At Rest: AES-256 encryption for all stored data
- In Transit: TLS 1.3 for all API communications
- Key Management: Hardware security modules (HSMs)
- Database: Encrypted database storage with column-level encryption for sensitive data
Network Security
- Firewall Protection: Multi-layer firewall architecture
- DDoS Protection: Advanced DDoS mitigation
- Network Segmentation: Isolated network zones for different services
- VPN Access: Secure VPN access for administrative functions
Access Controls
- Multi-Factor Authentication: Required for all administrative access
- Role-Based Access Control: Granular permission management
- API Key Security: Scoped API keys with configurable permissions
- Session Management: Secure session handling with automatic expiration
Compliance Certifications
PCI DSS Level 1 (Planned)
Orsunpay is working toward PCI DSS Level 1 certification:
- Current Status: PCI DSS Level 2 compliant
- Target: Level 1 certification by Q2 2024
- Scope: Full compliance for card data processing
- Benefits: Enhanced security for card transactions
SOC 2 Type II
- Certification: SOC 2 Type II compliant
- Scope: Security, availability, processing integrity
- Audit Frequency: Annual third-party audits
- Reports: Available to enterprise customers
ISO 27001
- Status: ISO 27001:2013 certified
- Scope: Information security management system
- Coverage: All Orsunpay operations and data centers
- Maintenance: Continuous monitoring and improvement
Data Protection
GDPR Compliance
Full compliance with the European General Data Protection Regulation:
- Data Minimization: Collect only necessary personal data
- Purpose Limitation: Use data only for specified purposes
- Retention Limits: Automatic data deletion after retention periods
- Data Subject Rights: Support for access, rectification, and deletion requests
- Privacy by Design: Built-in privacy protections
Data Processing Agreements
- Standard DPAs: Available for all merchants
- Custom Terms: Enterprise-specific data processing agreements
- Lawful Basis: Clear legal basis for all data processing
- International Transfers: Appropriate safeguards for cross-border transfers
Data Retention Policies
| Data Type | Retention Period | Purpose |
|---|---|---|
| Transaction Records | 7 years | Regulatory compliance |
| Customer PII | 3 years after last activity | Business operations |
| API Logs | 90 days | Security monitoring |
| Audit Logs | 7 years | Compliance requirements |
| Marketing Data | Until consent withdrawn | Marketing communications |
Regional Compliance
United States
- PCI DSS: Payment Card Industry compliance
- SOX: Sarbanes-Oxley Act compliance for public merchants
- State Laws: Compliance with state-specific privacy laws
- AML/KYC: Anti-money laundering and know-your-customer requirements
European Union
- GDPR: General Data Protection Regulation
- PSD2: Payment Services Directive 2
- AML5: Fifth Anti-Money Laundering Directive
- SEPA: Single Euro Payments Area regulations
Other Regions
- Canada: PIPEDA compliance
- Australia: Privacy Act compliance
- Brazil: LGPD (Lei Geral de Proteção de Dados)
- Singapore: PDPA (Personal Data Protection Act)
Security Monitoring
24/7 Security Operations Center
- Threat Detection: Real-time threat monitoring
- Incident Response: Immediate response to security incidents
- Vulnerability Management: Regular security assessments
- Penetration Testing: Quarterly third-party security testing
Monitoring Capabilities
- Network Monitoring: Continuous network traffic analysis
- Application Security: Real-time application security monitoring
- Database Activity: Database access and query monitoring
- API Security: API endpoint monitoring and rate limiting
Incident Response
Response Process
- Detection: Automated and manual threat detection
- Assessment: Immediate impact assessment
- Containment: Isolate and contain security incidents
- Investigation: Detailed forensic investigation
- Resolution: Implement fixes and security improvements
- Communication: Notify affected parties as required
Communication Protocol
- Internal Escalation: Immediate internal notification
- Customer Notification: Within 72 hours for data breaches
- Regulatory Reporting: As required by applicable laws
- Public Disclosure: When legally required or appropriate
Merchant Responsibilities
Security Best Practices
- API Key Management: Secure storage and rotation of API keys
- HTTPS Enforcement: Use HTTPS for all integrations
- Input Validation: Validate all user inputs
- Access Controls: Implement proper access controls
- Regular Updates: Keep systems and dependencies updated
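The five practices above are stated as one-liners; the following is an added example (not Orsunpay code, and not its API) showing what the first three look like in a merchant's own integration layer: the API key is read from the environment rather than source, a key-age check enforces rotation, the API base URL is refused unless it is HTTPS, and caller-supplied payment fields are validated before they are sent. The environment variable names `ORSUNPAY_API_KEY` and `ORSUNPAY_API_KEY_ISSUED`, the 90-day rotation window and the amount ceiling are assumptions for illustration.

```python
"""Merchant-side integration guard (added example; hypothetical names, not Orsunpay's API)."""
import os
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

MAX_KEY_AGE = timedelta(days=90)          # assumed rotation policy, not from the page
MAX_AMOUNT_MINOR = 1_000_000_00           # assumed per-request ceiling in minor units
ISO_CURRENCY = re.compile(r"[A-Z]{3}")
SAFE_REFERENCE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class IntegrationError(ValueError):
    """Raised when the integration would violate one of the listed practices."""


def _as_utc(value):
    """Accept an aware/naive ISO-8601 string or datetime and return an aware UTC datetime."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value


def load_api_key(env=os.environ, now=None):
    """API Key Management: read the key from the environment and refuse keys past rotation age."""
    key = env.get("ORSUNPAY_API_KEY")              # hypothetical variable name
    issued = env.get("ORSUNPAY_API_KEY_ISSUED")    # hypothetical: ISO-8601 issue timestamp
    if not key:
        raise IntegrationError("ORSUNPAY_API_KEY is not set")
    if not issued:
        raise IntegrationError("key issue date missing; rotation cannot be enforced")
    current = _as_utc(now) if now else datetime.now(timezone.utc)
    if current - _as_utc(issued) > MAX_KEY_AGE:
        raise IntegrationError("API key is older than the rotation window; rotate it")
    return key


def redact_key(key):
    """Log-safe form of a key so the full secret never reaches logs."""
    return key[:4] + "..." + key[-4:] if len(key) >= 8 else "****"


def require_https(base_url):
    """HTTPS Enforcement: refuse any API base URL that is not https://."""
    parsed = urlparse(base_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise IntegrationError(f"refusing non-HTTPS API base URL: {base_url!r}")
    return base_url


def validate_payment(amount_minor, currency, reference):
    """Input Validation: check caller-supplied fields before they are sent to the API."""
    # bool is a subclass of int in Python, so it is excluded explicitly
    if not isinstance(amount_minor, int) or isinstance(amount_minor, bool):
        raise IntegrationError("amount must be an integer in minor currency units")
    if not 0 < amount_minor <= MAX_AMOUNT_MINOR:
        raise IntegrationError("amount out of range")
    if not isinstance(currency, str) or not ISO_CURRENCY.fullmatch(currency):
        raise IntegrationError("currency must be a three-letter upper-case ISO code")
    if not isinstance(reference, str) or not SAFE_REFERENCE.fullmatch(reference):
        raise IntegrationError("reference contains disallowed characters or is too long")
    return {"amount": amount_minor, "currency": currency, "reference": reference}


if __name__ == "__main__":
    # Constructed sample environment for a stand-alone run
    sample_env = {
        "ORSUNPAY_API_KEY": "sk_test_abcdef123456",
        "ORSUNPAY_API_KEY_ISSUED": "2024-01-01T00:00:00+00:00",
    }
    key = load_api_key(sample_env, now="2024-02-01T00:00:00+00:00")
    print("using key", redact_key(key), "against", require_https("https://api.example.com"))
    print(validate_payment(1999, "EUR", "order-42"))
```

`validate_payment` deliberately rejects `True` as an amount: in Python `bool` is an `int`, and a check that only tests `isinstance(x, int)` would let a boolean through as the value 1.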
Compliance Requirements
- Data Handling: Follow data protection requirements
- Audit Cooperation: Participate in compliance audits
- Incident Reporting: Report suspected security incidents
- Documentation: Maintain proper security documentation
Audit and Reporting
Regular Audits
- Internal Audits: Quarterly internal security audits
- External Audits: Annual third-party security assessments
- Compliance Audits: Regular compliance verification
- Penetration Testing: Quarterly penetration testing
Reporting
- Compliance Reports: Available to merchants upon request
- Audit Results: Summary reports for certified merchants
- Security Metrics: Regular security posture updates
- Incident Reports: Post-incident analysis and improvements
Data Subject Rights
GDPR Rights Support
We support all GDPR data subject rights:
- Access: Right to access personal data
- Rectification: Right to correct inaccurate data
- Erasure: Right to deletion (“right to be forgotten”)
- Portability: Right to data portability
- Restriction: Right to restrict processing
- Objection: Right to object to processing
Request Process
- Submit Request: Email [email protected]
- Identity Verification: Verify identity to prevent fraud
- Request Processing: Process within 30 days
- Response: Provide requested information or action
- Appeals: Right to appeal decisions
Security Resources
Documentation
- Security Policies: Detailed security policy documentation
- Integration Guides: Security best practices for integration
- Incident Procedures: Security incident response procedures
- Compliance Guides: Compliance requirement documentation
Support
- Security Team: Dedicated security support team
- Compliance Consultation: Compliance guidance for merchants
- Training: Security awareness training programs
- Resources: Security tools and resources library
Contact Information
- Security Issues: [email protected]
- Privacy Questions: [email protected]
- Compliance: [email protected]
- General Support: [email protected]
Security and compliance are shared responsibilities. While Orsunpay provides a secure platform, merchants must implement appropriate security measures in their own systems.

