The strongest security property in any payment system is not holding funds in the first place. Every other guarantee — HMAC signatures, TLS, rate limits — sits on top of that foundation.
We never hold merchant funds. Not even for the 30 seconds between Moonpay completing a card charge and USDC landing in your wallet. The PayGate splitter contract fires atomically in a single block — our fee, PayGate's fee, and your payout all move in one transaction, or none at all.
This means: a compromised Peptide-Pay employee key cannot drain your wallet. A database breach at Upstash cannot drain your wallet. A compromise of our Cloudflare account cannot drain your wallet. The only way to move USDC out of your wallet is with your private key, which we never see or store.
The worst thing an attacker can do through Peptide-Pay is stop your checkout from working. They cannot steal settled funds because we do not possess them.
Every webhook we send is signed with your merchant secret key using HMAC-SHA-256. Verify the signature, with a constant-time comparison, before acting on a webhook payload; the pattern is the same as Stripe's. Example code is in the docs.
When a webhook fires, we recommend your server re-polls the PayGate session API to confirm on-chain settlement before fulfilling an order, rather than trusting the webhook body alone. Our SDK does this automatically. Belt and braces.
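The receive path described in the two paragraphs above (signature check, then confirmation against the session API before fulfilment), as an added example rather than code from the Peptide-Pay docs or SDK. It assumes a Stripe-style header `t=<unix seconds>,v1=<hex HMAC-SHA-256>` over `<t>.<raw body>`, a 300-second replay window, and the event and session field names shown; all of those are placeholders, and the real layout is whatever the docs specify. The session API is modelled by an in-memory dict so the example runs offline.

```python
import hashlib
import hmac
import json
import time
from typing import Callable, Mapping, Optional

# Assumption: Stripe-style header "t=<unix seconds>,v1=<hex HMAC-SHA-256>",
# where the MAC covers "<t>.<raw body>". Placeholder layout, not Peptide-Pay's.
TOLERANCE_SECONDS = 300  # assumed replay window; a few minutes is typical


class WebhookError(Exception):
    """Raised when a webhook must be rejected (tampered, replayed, malformed)."""


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Build the header the sender would attach (used here to construct test input)."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def parse_signature_header(header: str) -> tuple:
    timestamp = None
    sigs = []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            sigs.append(value)
    if timestamp is None or not sigs:
        raise WebhookError("malformed signature header")
    return timestamp, sigs


def verify_webhook(secret: bytes, header: str, body: bytes, now: Optional[int] = None) -> dict:
    """Return the parsed event only if the signature is valid and fresh."""
    now = int(time.time()) if now is None else now
    timestamp, sigs = parse_signature_header(header)
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        raise WebhookError("timestamp outside tolerance: possible replay")
    expected = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    # compare_digest is constant-time; checking every v1 value lets the sender rotate secrets
    if not any(hmac.compare_digest(expected, s) for s in sigs):
        raise WebhookError("signature mismatch")
    return json.loads(body)  # parse only after the MAC checks out


def handle_event(event: Mapping, fetch_session: Callable[[str], Mapping], processed: set) -> str:
    """Fulfil an order only once the session API confirms on-chain settlement.

    Returns 'ignored', 'duplicate', 'pending' or 'fulfilled'. Event and session
    field names are assumptions for this demo, not Peptide-Pay's schema.
    """
    if event.get("type") != "session.settled":
        return "ignored"
    session_id = event["data"]["session_id"]
    if session_id in processed:
        return "duplicate"  # webhooks can be redelivered; fulfil at most once
    session = fetch_session(session_id)  # re-poll; never trust the webhook body alone
    if session.get("status") != "settled" or not session.get("tx_hash"):
        return "pending"  # retry later; do not ship on an unconfirmed event
    processed.add(session_id)
    return "fulfilled"


# Constructed demo data (not real keys, sessions or transactions).
DEMO_SECRET = b"whsec_demo_not_a_real_secret"
DEMO_NOW = 1_750_000_000
DEMO_BODY = json.dumps({"type": "session.settled", "data": {"session_id": "sess_demo_1"}}).encode()
DEMO_SESSIONS = {"sess_demo_1": {"status": "settled", "tx_hash": "0xdemo"}}


def demo() -> dict:
    """Run the full receive path and return the outcomes so they can be checked."""
    header = sign_payload(DEMO_SECRET, DEMO_NOW, DEMO_BODY)
    event = verify_webhook(DEMO_SECRET, header, DEMO_BODY, now=DEMO_NOW)
    processed = set()
    first = handle_event(event, DEMO_SESSIONS.__getitem__, processed)
    second = handle_event(event, DEMO_SESSIONS.__getitem__, processed)

    def rejected(hdr: str, body: bytes, now: int) -> bool:
        try:
            verify_webhook(DEMO_SECRET, hdr, body, now=now)
            return False
        except WebhookError:
            return True

    return {
        "first": first,
        "second": second,
        "tampered_rejected": rejected(header, DEMO_BODY + b" ", DEMO_NOW),
        "replay_rejected": rejected(header, DEMO_BODY, DEMO_NOW + TOLERANCE_SECONDS + 1),
        "wrong_secret_rejected": rejected(sign_payload(b"other", DEMO_NOW, DEMO_BODY), DEMO_BODY, DEMO_NOW),
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping when adapting this: verify the MAC over the raw request bytes, not a re-serialised JSON object, since any whitespace or key-order change breaks the digest; and key the idempotency set on the session identifier you confirmed through the API, so a redelivered or forged event for an already-fulfilled session is a no-op.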
All API endpoints, the dashboard, the widget CDN, and webhook deliveries use TLS 1.3 with modern cipher suites. HSTS with preload on every public domain.
Per-IP and per-API-key rate limits apply on every route. Abuse patterns (scraping, session spam, webhook replay) are blocked at the edge by Cloudflare before they reach our origin.
We never touch card data. The card form is hosted by Moonpay, which holds PCI DSS Level 1 certification. Our infrastructure is out of PCI DSS scope because no cardholder data ever flows through it.
We store API keys only as Argon2id hashes. The plaintext is shown once, at creation time, and never again. If our database leaked, the hashes could not be reversed into usable keys, so nothing in it would let an attacker impersonate a merchant.
No shared admin credentials. Short-lived cloud tokens. Production database access is logged and time-limited per engineer request.
Every merchant wallet is screened against the OFAC SDN list and Chainalysis sanctioned-address data before we issue its first checkout session. Flagged wallets are refused automatically.
We are open about what we have and what we do not have yet.
Not yet in place: the external security engagement starts Q3 2026, with report delivery targeted within 12 months of this page's publication.
The splitter contract is operated by PayGate. We review their published audit reports but do not commission a separate audit of our own.
Not yet in place: a public bug bounty program with scoped rewards. Until it launches, report findings to security@peptide-pay.com; we acknowledge within 48 hours.
Found something? Email security@peptide-pay.com. Include reproduction steps and your wallet address (optional) if you would like a bounty on file for when the program launches. We will acknowledge within 48 hours and keep you updated through remediation.
Please do not test findings against live merchant wallets or customer sessions that do not belong to you. Set up your own test account at /start.