Security

Last updated: 2026-04-21

Payment infrastructure lives and dies on its security posture. Here is exactly what we do, what we do not do, and what we will not pretend to have yet.

1. Non-custodial by design

The strongest security guarantee we offer is architectural: we do not hold merchant funds. Ever. When a customer pays with a card, the on-ramp converts fiat to USDC and our on-chain splitter atomically routes it to your Polygon wallet in the same transaction. Our servers see an event, not a balance. There is no hot wallet, no pooled treasury, no omnibus account — so there is no honeypot for an attacker to break into. If Peptide-Pay disappeared tomorrow, your past payments would still be on-chain in your wallet.

2. Infrastructure

  • Hosting: Vercel, with global edge network and DDoS protection.
  • State store: Upstash Redis with TLS in transit and AES-256 at rest.
  • Settlement: Polygon mainnet, verified on-chain — same security assumptions as the chain itself.
  • DNS & CDN: hardened with HSTS preload, CAA records pinning the CA, DNSSEC enabled.
  • Secrets: stored in Vercel's encrypted env store; rotated on employee offboarding.

3. Authentication

  • Email + password + wallet for the dashboard. Passwords are scrypt-hashed (N=32768, r=8, p=1) — never stored in plaintext, never logged.
  • Anonymous wallet-only mode is also supported: paste your address, get a payment link, no email required.
  • Dashboard sessions are short-lived (7 days) and tied to the browser that signed in.
  • Session cookies are HTTP-only, Secure, SameSite=Lax.
  • Suspicious sign-ins (new country, new ASN) trigger an email alert and can be revoked from any active session.

4. Webhooks

  • Every webhook is signed with HMAC-SHA256 using your account secret; verify before trusting the payload.
  • Signature header includes a timestamp; reject anything older than 5 minutes to prevent replay.
  • Retry queue with exponential backoff (30s, 2m, 10m, 30m, 1h, 3h, 12h, 24h) then drop.
  • Dropped webhooks remain replayable from the dashboard for 30 days.
  • We publish the current IP egress range so you can allowlist us at the firewall.
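A consumer-side check that applies the two rules above (HMAC-SHA256 over the raw body, reject deliveries older than 5 minutes), written here as an added example rather than Peptide-Pay's own code. The header layout `t=<unix seconds>,v1=<hex HMAC>` and the signed message shape (timestamp, a dot, then the raw body) are assumptions; confirm them against the integration docs before relying on this.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed header layout (not documented on this page): "t=<unix-seconds>,v1=<hex-hmac>".
# Assumed signed message: b"<timestamp>." + raw_body, so the timestamp is covered by the MAC.
TOLERANCE_SECONDS = 5 * 60  # the page's 5-minute replay window


def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> str:
    """Build the signature header the way an (assumed) sender would; used here to
    construct test deliveries locally."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify_webhook(secret: bytes, body: bytes, header: str, now: Optional[int] = None) -> bool:
    """Return True only if the MAC matches the raw body and the timestamp is fresh.

    Verify over the exact bytes received (never a re-serialised JSON object), and
    compare with hmac.compare_digest so a mismatch does not leak timing information.
    """
    now = int(time.time()) if now is None else now
    parts = dict(kv.split("=", 1) for kv in header.split(",") if "=" in kv)
    try:
        ts = int(parts["t"])
        given = parts["v1"]
    except (KeyError, ValueError):
        return False  # malformed header: treat as unsigned
    # Stale deliveries are replays; far-future ones indicate a broken or forged sender.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    secret = b"whsec_constructed_example_secret"  # constructed, not a real account secret
    body = b'{"event":"payment.settled","amount":"25.00","currency":"USDC"}'  # constructed payload
    now = 1_776_700_000
    header = sign_webhook(secret, body, now - 30)
    print(verify_webhook(secret, body, header, now))          # True: fresh and valid
    print(verify_webhook(secret, body, header, now + 600))    # False: older than 5 minutes
    print(verify_webhook(secret, body + b" ", header, now))   # False: body altered after signing
```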

5. API keys

  • Keys are shown once, stored hashed (bcrypt) server-side; we cannot retrieve them for you.
  • Rotatable at any time from /app/settings — old and new keys work in parallel for 24 hours to let you deploy without downtime.
  • Scoped keys are planned for Q3 2026; for now keys are full-access.
  • Rate-limited per key: 100 requests/second soft, 1000/second hard.

6. Encryption

  • In transit: TLS 1.3 on every endpoint; TLS 1.2 permitted only for legacy webhook consumers and flagged for deprecation.
  • At rest: AES-256 on Upstash Redis and Vercel blob storage.
  • Customer emails are hashed (SHA-256 with per-merchant salt) before going into server logs; only the merchant dashboard renders them in clear.

7. Responsible disclosure & bug bounty

If you find a vulnerability, email security@peptide-pay.com with a PoC. Our PGP key is on /.well-known/security.txt. We commit to:

  • Acknowledge your report within 24 hours.
  • Triage and confirm within 72 hours.
  • A 90-day fix window before public disclosure, extendable by agreement.
  • Credit you in the security advisory unless you prefer anonymity.
  • Bounty range: USD 100 to USD 5,000, paid in USDC on Polygon, scaled to severity (CVSS 3.1).
  • Out of scope: social engineering, physical attacks, DoS, and anything requiring a rooted user device.

8. Incident response

If we detect or are informed of an incident affecting merchant data or service integrity:

  • Affected merchants notified by email within 24 hours of confirmation.
  • Status page updated in real time at status.peptide-pay.com.
  • Where GDPR art. 33 applies, the relevant DPA is notified within 72 hours.
  • Public post-mortem within 14 days, including root cause, timeline, and concrete remediation.
  • No hush. No "routine maintenance" euphemisms. We call incidents incidents.

9. What we do NOT claim

Honesty over marketing theater:

  • No SOC 2 report yet. On the roadmap for 2027 once volume justifies the audit cost.
  • No ISO 27001 certification yet. Same reason.
  • No PCI DSS scope — we intentionally never touch card data, so PCI does not apply to our stack. It applies to Moonpay.
  • No 24/7 SOC — on-call rotation with paging, but we are not a tier-1 bank and we do not pretend to be.
  • If any of the above is a hard requirement for your compliance program, we are probably not the right processor for you yet.

10. Contact

Security reports: security@peptide-pay.com. PGP fingerprint published at /.well-known/security.txt.