Security Statement

DjetPay Inc. (DjetPay)

Effective: November 6, 2025

Our security commitment

DjetPay protects customer data with layered controls across people, process, and technology. We use industry-standard encryption, access controls, monitoring, and secure development practices. Payment data is handled by PCI-DSS compliant processors.

Defense in Depth

1. Scope and Responsibilities

This statement describes security practices for DjetPay's production services, websites, APIs, and support operations (the "Services"). Security is a shared responsibility between DjetPay, our service providers, and you as the account owner. For privacy practices, see our Privacy Policy.

2. Infrastructure and Network Security

Hosting

  • Services are hosted on reputable cloud providers with physical security, redundancy, and certifications (for example, SOC 1/2, ISO 27001).
  • Production resources are segmented from development and testing environments.

Network

  • Perimeter protections include managed firewalls, security groups, and least-privilege traffic rules.
  • All external access uses TLS 1.2+ with HSTS; strong ciphers are preferred.

3. Data Protection and Privacy

  • Encryption in transit: HTTPS/TLS for all public endpoints and service-to-service communications where feasible.
  • Encryption at rest: Provider-managed encryption for databases, storage, and backups.
  • Data minimization: We collect only what is necessary to provide the Services.
  • Backups: Regular backups with integrity checks and access controls.
  • Privacy: See our Privacy Policy and Data Processing Addendum at /legal/dpa.

4. Application Security

  • Secure SDLC practices including code review, dependency scanning, and change control.
  • Role-based access controls within the application; optional multi-factor authentication for users where available.
  • Input validation, output encoding, CSRF protections, and session management aligned with OWASP guidance.

5. Payments and PCI

DjetPay does not store full card numbers or bank account credentials. Sensitive payment data is handled by PCI-DSS compliant processors. For details on payment flows, fees, and dispute handling, see our Payment Disclosure.

6. Identity, Access, and Secrets Management

  • Administrative access requires strong authentication and least-privilege roles.
  • Secrets (for example, API keys, tokens, credentials) are stored in a managed secrets service and rotated regularly.
  • Access is reviewed periodically and revoked on role change or separation.

7. Vulnerability and Patch Management

  • Automated scanning of code and infrastructure dependencies with defined SLAs for remediation based on severity.
  • Regular operating system and runtime patching for production systems.
  • Targeted penetration testing or third-party assessments may be conducted periodically.

8. Logging and Monitoring

  • Centralized logging for production systems, with retention consistent with legal and operational needs.
  • Security and performance monitoring with alerting for suspicious activity and service degradation.

9. Incident Response

  • Documented incident response procedures with defined roles, severity levels, and escalation paths.
  • Customer notification of security incidents in accordance with applicable laws and contractual commitments.

10. Business Continuity and Disaster Recovery

  • Regular backups and recovery testing of critical data stores.
  • Architecture designed for redundancy within provider regions; recovery time objectives vary by component.

11. Compliance and Attestations

Our cloud providers maintain industry certifications (for example, SOC, ISO). DjetPay aligns internal controls to recognized frameworks and continually improves processes. Current summaries and reports may be requested by contacting us.

If you require a security questionnaire or due diligence package, visit /security-report or email security@djetpay.com.

12. Subprocessors

We use carefully vetted service providers to deliver the Services. A current list of subprocessors is available at /subprocessors. We require each subprocessor to implement appropriate security measures and to process personal data only for specified purposes.

13. Your Security Responsibilities

  • Use strong, unique passwords and enable multi-factor authentication where available.
  • Assign least-privilege roles to your team and review access regularly.
  • Protect API keys, webhooks, and client secrets. Do not share credentials.
  • Configure email, domain, and network security in your environment (for example, SPF, DKIM, DMARC).

14. Responsible Disclosure

We welcome reports of potential vulnerabilities. Please email security@djetpay.com with a good-faith description and steps to reproduce. Do not access data that is not yours, disrupt services, or violate privacy. We will acknowledge receipt and work to remediate validated issues.

15. Contact

DjetPay Inc. (DjetPay)
security@djetpay.com