Security
Payment data demands the highest security standards. Here is how PaymentRescue protects your business and your customers.
Stripe Security Integration
PaymentRescue connects to Stripe via official OAuth and restricted API keys. We never store full card numbers, CVVs, or raw payment credentials. All payment data stays within Stripe's PCI DSS Level 1 certified infrastructure.
Encryption at Rest & In Transit
All data is encrypted using AES-256 at rest and TLS 1.3 in transit. We enforce HSTS with preload and automatic HTTPS redirection on all endpoints.
SOC 2 Type II Infrastructure
Our infrastructure runs on Vercel's globally distributed edge network, which maintains SOC 2 Type II compliance. All servers are monitored 24/7 with automatic failover and DDoS protection.
Data Isolation
Each customer's data is logically isolated. Stripe webhook events are verified using per-account signing secrets. No cross-account data access is possible.
Rate Limiting & Abuse Prevention
All API endpoints are rate-limited. Webhook processing includes idempotency checks to prevent duplicate actions. Suspicious activity triggers automatic blocking.
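The per-account webhook verification and idempotency check described in the two sections above, sketched as an added example (not PaymentRescue's own code). It follows Stripe's documented `Stripe-Signature` scheme (`t=<timestamp>,v1=<HMAC-SHA256 of "timestamp.payload">`). The secret store, account ids, route-derived `accountId` and in-memory dedupe set are assumptions.

```javascript
// Added example, not PaymentRescue code. Secrets, account ids and events are constructed.
const crypto = require("crypto");

const TOLERANCE_SECONDS = 300;            // reject stale timestamps (replay window)
const secretsByAccount = new Map([        // hypothetical per-account secret store
  ["acct_A", "whsec_constructed_secret_A"],
  ["acct_B", "whsec_constructed_secret_B"],
]);
const seenEventIds = new Set();           // idempotency store; use a DB unique key in production

function sign(secret, timestamp, rawBody) {
  return crypto.createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

// accountId comes from the endpoint route, never from the unverified body.
function handleWebhook(accountId, rawBody, sigHeader, nowSeconds) {
  const secret = secretsByAccount.get(accountId);
  if (!secret) return "rejected:unknown-account";

  // Header format: t=<unix ts>,v1=<hex hmac>[,v1=...]
  let timestamp = null;
  const candidates = [];
  for (const part of String(sigHeader).split(",")) {
    const idx = part.indexOf("=");
    const key = part.slice(0, idx).trim(), value = part.slice(idx + 1).trim();
    if (key === "t") timestamp = value;
    else if (key === "v1") candidates.push(value);
  }
  if (!/^\d+$/.test(timestamp || "")) return "rejected:bad-header";
  if (Math.abs(nowSeconds - Number(timestamp)) > TOLERANCE_SECONDS) return "rejected:stale";

  const expected = Buffer.from(sign(secret, timestamp, rawBody), "hex");
  const valid = candidates.some((c) => {
    const got = Buffer.from(c, "hex");
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  });
  if (!valid) return "rejected:bad-signature";

  const event = JSON.parse(rawBody);      // parse only after the signature checks out
  const key = `${accountId}:${event.id}`; // scope dedupe keys to the account
  if (seenEventIds.has(key)) return "duplicate";
  seenEventIds.add(key);
  return "processed";
}
```

The signature must be computed over the raw request bytes, so body-parsing middleware has to be bypassed for the webhook route.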
GDPR Compliance
PaymentRescue is fully GDPR-compliant. We provide data export, deletion on request, and a Data Processing Agreement (DPA) for all customers. We do not sell or share data with third parties.
Security Headers
Strict Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Permissions-Policy, and Referrer-Policy headers protect against XSS, clickjacking, and injection attacks.
Authentication & Access Control
User accounts use bcrypt-hashed passwords and secure session management. API keys are randomly generated and can be revoked instantly from the dashboard.
Report a Vulnerability
If you discover a security vulnerability, please report it via security@paymentrescue.dev. We respond to all reports within 48 hours.