Overview

At HitPay, security isn’t just a checkbox—it’s a core principle we uphold in everything we do. Our team includes ex-cybersecurity professionals with experience in highly regulated industries, such as banking, ensuring that robust security measures are embedded into every layer of our technology stack. We continuously improve our security posture through proactive assessments, rigorous testing, and a commitment to industry best practices.

Data Security

  • AES Encryption: All databases and client communications use AES encryption.
  • Encryption at Rest: Sensitive data is encrypted when stored in our systems.
  • Encryption in Transit: Data traveling to PlanetScale databases is protected using TLS, and all communications to the HitPay API and Dashboard are served exclusively over HTTPS (TLS 1.3).

Compliance & Testing

  • PCI-DSS Compliant: We maintain PCI-DSS compliance. A copy of our PCI certificate is available upon request (under NDA) via https://trust.hit-pay.com/.
  • SOC 2: We are currently undergoing SOC 2 compliance to further validate our security, availability, and confidentiality controls.
  • External Penetration Testing: We regularly engage independent security experts to conduct external penetration tests. These assessments are performed at a higher standard than the minimum requirements set by regulators, ensuring that our systems remain resilient against evolving threats.

Our promise is to safeguard your data, keep your transactions secure, and build trust through transparency and adherence to strict security standards. For additional questions or documentation requests, please reach out to us at security@hit-pay.com.

Account Security & Shared Responsibility

At HitPay, securing account access is a shared responsibility between us and our SME partners. We enforce strict controls to ensure that only authorized personnel can access sensitive information:

  • Role-Based Access Controls: Each team member is assigned specific permissions aligned with their role, reducing the risk of misuse.
  • Two-Factor Authentication (2FA): 2FA is available on all accounts and is highly recommended, since it adds an extra layer of protection even if a password is compromised.
  • Password Sharing: We highly recommend not sharing your account passwords with your staff. Instead, each individual should use their own credentials to maintain accountability.

By following these guidelines, we work together to maintain a secure and reliable access environment.