Security & Compliance
Trust is foundational to everything we build. Learn about our security practices and compliance posture.
Security Practices
Encryption at Rest & In Transit
All data is encrypted using AES-256 at rest and TLS 1.3 in transit. API keys are hashed and never stored in plaintext.
Consent-Based Data Access
TapSign operates on explicit user consent. Users must authorize data access before any transaction data is shared.
Data Minimization
We only collect and store data necessary for the requested functionality. No extraneous data retention.
Access Controls
Role-based access control, audit logging, and the principle of least privilege are applied across all systems.
Secure Development
Security reviews, dependency scanning, and penetration testing are part of our development lifecycle.
Incident Response
Documented incident response procedures with defined escalation paths and communication protocols.
Compliance
Our compliance roadmap and current certifications.
SOC 2 Type II
Audit scheduled for Q2 2024
PCI DSS
SAQ-D self-assessment in progress
GDPR
Full GDPR compliance, with a Data Processing Agreement (DPA) available
CCPA
California Consumer Privacy Act compliant
Data Handling
What data does TapSign process?
TapSign processes transaction data including amounts, merchant information, timestamps, and tokenized payment method identifiers. We do not receive or store full card numbers (PANs).
How is data stored?
Data is stored in encrypted databases within secure cloud infrastructure. We use a multi-tenant architecture with strict tenant isolation. Data residency options are available for enterprise customers.
Data retention
Transaction data is retained according to your configured retention policy. Default retention is 90 days, with extended retention available for compliance requirements.
Security questions?
Our security team is available to discuss our practices and answer any questions.