PCI-DSS Level 1
Service provider, 6M+ tx/year. Audited annually by Foregenix (QSA), current AOC available under NDA.
SECURITY · compliance · data · ops
Whaliepay sits in the payments path of merchants handling €10M+/year. We treat that responsibility the way you would treat your bank's vault — and audit it under three independent regimes every twelve months.
Every certification listed below is current, the audit report is available under NDA, and the audit firm is named. We never re-use a "year-old" attestation for a new region.
Trust Services Criteria · Security, Availability, Confidentiality. Continuous reporting via Vanta + auditor: Sensiba LLP.
Information security management system, certified by Bureau Veritas, full surveillance audit every 12 months.
Standard contractual clauses + EU-only data residency by default. DPA signable from console, no negotiation needed.
Strong customer authentication compliant — 3DS handling, frictionless routing and exemption flagging.
Privacy extension to 27001, audited together. Demonstrates GDPR / privacy by design implementation.
California consumer privacy compliant. Subject access requests handled within 30 days from the console.
BAA available for Enterprise customers in regulated healthcare adjacency. Audited by a third-party HIPAA specialist.
Card data never leaves the PCI-scoped vault. Application services interact with the vault through tokens only. Keys are wrapped by an HSM, rotated quarterly, and never present in plaintext outside the secure module.
Cards stored in a dedicated PCI-scoped Postgres cluster, encrypted with AES-256-GCM. Data encryption keys are wrapped by a key encryption key held in a FIPS 140-2 Level 3 HSM (Thales Luna). Quarterly key rotation, dual-control for every operation.
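As an added illustration (not Whaliepay's code), the envelope scheme described above: each card gets its own data encryption key (DEK), the DEK is wrapped under a key encryption key (KEK), and rotating the KEK only re-wraps DEKs while the card ciphertext stays put. It assumes the KEK is an in-memory byte slice standing in for the HSM-held key; everything else is Go standard library AES-256-GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what the vault persists per card: the DEK wrapped under the KEK plus the
// PAN ciphertext. Here kek is a plain byte slice (assumption); the real KEK stays in the HSM.
type Envelope struct{ WrappedDEK, CardCT []byte }
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func gcmFor(key []byte) cipher.AEAD { // a 32-byte key selects AES-256
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal returns nonce||ciphertext||tag; open reverses it and fails on a wrong key or tampering.
func seal(key, pt []byte) []byte {
	gcm := gcmFor(key)
	nonce := randBytes(gcm.NonceSize()) // fresh random nonce per call
	return gcm.Seal(nonce, nonce, pt, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
// Encrypt protects a PAN under a fresh per-card DEK and wraps that DEK under the KEK.
func Encrypt(kek []byte, pan string) Envelope {
	dek := randBytes(32)
	return Envelope{WrappedDEK: seal(kek, dek), CardCT: seal(dek, []byte(pan))}
}
// Decrypt unwraps the DEK with the KEK, then decrypts the PAN.
func Decrypt(kek []byte, e Envelope) (string, error) {
	dek, err := open(kek, e.WrappedDEK)
	if err != nil { return "", err }
	pan, err := open(dek, e.CardCT)
	return string(pan), err
}
// Rewrap moves an envelope to a new KEK without touching the card ciphertext: this is
// what keeps quarterly KEK rotation cheap (no bulk re-encryption of stored PANs).
func Rewrap(oldKEK, newKEK []byte, e Envelope) (Envelope, error) {
	dek, err := open(oldKEK, e.WrappedDEK)
	if err != nil { return e, err }
	return Envelope{WrappedDEK: seal(newKEK, dek), CardCT: e.CardCT}, nil
}
```

After a rotation the old KEK can no longer open any envelope, and a tampered ciphertext fails the GCM tag check rather than decrypting to garbage.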
Sensitive operations (key rotation, role changes, vault access, prod deploy) require a second approver. The Slack-bot trigger and the approval audit are both immutable, append-only logs replicated across two regions.
Three VPC tiers — public ingress, application, vault — each with explicit security-group rules. The vault tier accepts only mTLS connections from the application tier on a single port, authenticated against a private CA we own end-to-end.
All commits scanned in CI with Gitleaks + custom rules. Secrets found in CI block the build. Hourly scans of all repos for leaked credentials. Production secrets live only in Vault by HashiCorp, never in env files.
All employee laptops have full-disk encryption, MDM, EDR (CrowdStrike), and conditional-access SSO for all production-adjacent tools. Hardware keys (YubiKey) for vault access, MFA mandatory for everything else.
Base images rebuilt nightly. Critical CVE patching SLA: 24h. High CVE: 7 days. Containers re-deployed on patched base images via a rolling deploy with no service interruption.
Every byte of merchant data (cards, transactions, ledger lines, audit log) lives in the EU by default. The application services run in EU regions. Backup, monitoring and analytics all sit on EU infrastructure. US data residency is available as an opt-in for North-American merchants.
Whaliepay relies on twelve vendors to deliver the platform. Each one is named below with its role, region and the relevant compliance posture. Customers are notified 30 days before any addition or change.
The full subprocessor list, with sub-processor flow-down clauses, is in the DPA. PSPs (Stripe, Adyen, Mollie, etc.) are not subprocessors — they are independent controllers of the cardholder data Whaliepay forwards on the merchant's behalf.
Whaliepay commissions a full-scope penetration test from NCC Group every quarter. Each test covers the routing engine API, the token vault, the console UI, the console backend, and the production CI/CD pipeline. Findings are remediated in the SLA below, then re-tested.
Findings (anonymised, by severity and class) are published in our annual transparency report. The full report, with remediation details, is shared under NDA with prospects evaluating Whaliepay.
If you find a vulnerability in Whaliepay, we want to hear about it — and we pay for valid reports. Submit to [email protected] (PGP fingerprint below). We acknowledge within 24h and aim to triage within 72h.
Out of scope: denial of service, social engineering, physical attacks, attacks on subprocessors, attacks on customer data. Safe-harbor: we will not pursue legal action against researchers acting in good faith under our published policy.
Customers can download every compliance document from the console under Settings → Compliance. Prospects can request them by signing a one-page NDA from the contact form.
Current period · Q4 2025 → Q1 2026 · audited by Sensiba LLP. 88 pages, 4 trust criteria, zero qualified opinions.
Request via NDA →
Level 1 service provider, current AOC issued by Foregenix (QSA), valid 2025-09 → 2026-09.
Request via NDA →
Pre-signed by Whaliepay, customer countersigns from the console. SCCs included, transfer impact assessment available.
Read the public summary →
Issued by Bureau Veritas, scope statement included. Public — downloadable without NDA.
Public download →
NCC Group · 2026-Q1 · executive summary. Detailed report under NDA + procurement approval.
Request via NDA →
Pre-filled SIG Lite and CAIQ v4 for procurement teams. Saves you 8-12 hours of vendor risk assessment.
Request →
We've designed incident response to work the same way customers experience routine operations: visible, audited, time-boxed. Our published playbook is below; the full IR plan is in the customer portal under Settings → Security.
Auto-detection via SIEM (Datadog Cloud SIEM) + on-call paged in < 60s. Triage within 15min. Initial severity assigned within 30min.
Critical / High incidents: status page + email to affected customers within 60min of confirmation. Hourly updates until resolved.
Data-breach notification within 24h. The first notification carries our preliminary understanding; a full notice follows within 72h per GDPR Art. 33.
Blameless post-mortem published within 14 days of resolution for every Critical / High incident. Permanent action items tracked in the customer portal.
For breaches affecting EU personal data, we notify the lead DPA (CNIL, France) within 72h. Acquirers and PSPs receive parallel notice per our contractual obligations.
Quarterly tabletop exercise with engineering, ops and legal — simulated breach, regulator notification, customer comms drill. Findings feed back into the IR plan.
SIG Lite, CAIQ, SOC 2 Type II, PCI AOC, ISO 27001 certificate, DPA — every artefact your security and procurement teams need is one click away.