Compliance & Security

Our commitment to industry standards and regulations

Overview

VeilPay maintains the highest standards of security and compliance. We undergo regular audits and continuously update our practices to meet evolving regulatory requirements and industry best practices.

PCI DSS Level 1 Compliance

PCI DSS Level 1 Certified

VeilPay is certified as a PCI DSS Level 1 Service Provider, the highest level of certification in the payments industry. This means we process over 6 million transactions annually and meet the most stringent security standards.

Our PCI DSS compliance includes:

  • Secure network architecture with firewalls
  • Encryption of cardholder data at rest and in transit (AES-256)
  • Restricted access to cardholder data
  • Regular security testing and monitoring
  • Annual on-site assessments by Qualified Security Assessors (QSA)
  • Quarterly network vulnerability scans

SOC 2 Type II

VeilPay has successfully completed a SOC 2 Type II audit, demonstrating our commitment to:

  • Security: Protection against unauthorized access
  • Availability: System uptime and operational performance
  • Confidentiality: Protection of sensitive information
  • Privacy: Personal information management

SOC 2 reports are available to enterprise customers under NDA.

GDPR Compliance

We fully comply with the General Data Protection Regulation (GDPR) for processing personal data of EU residents. See our dedicated GDPR page for details.

AML & KYC

VeilPay implements robust Anti-Money Laundering (AML) and Know Your Customer (KYC) procedures:

  • Identity verification for all merchants
  • Continuous transaction monitoring
  • Suspicious activity reporting (SAR)
  • Sanctions screening against OFAC lists
  • Beneficial ownership verification

Data Protection

Encryption

  • At Rest: AES-256 encryption for all stored data
  • In Transit: TLS 1.3 for all connections
  • Card Data: Tokenization with no plain text storage
  • Keys: HSM-based key management

Infrastructure Security

  • Multi-region redundancy with automatic failover
  • DDoS protection and rate limiting
  • Intrusion detection and prevention systems (IDS/IPS)
  • 24/7 security operations center (SOC)
  • Regular penetration testing by third-party experts

Regulatory Compliance

United States

  • Bank Secrecy Act (BSA)
  • USA PATRIOT Act
  • State Money Transmitter Licenses
  • CCPA (California Consumer Privacy Act)

International

  • GDPR (European Union)
  • UK Data Protection Act
  • PIPEDA (Canada)
  • APRA (Australia)

Access Controls

We implement strict access controls to protect sensitive data:

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) required for all staff
  • Principle of least privilege
  • Regular access reviews and audits
  • Automated deprovisioning for terminated accounts

Incident Response

VeilPay maintains a comprehensive incident response plan:

  • 24/7 security monitoring and alerting
  • Defined escalation procedures
  • Incident response team on call
  • Regular incident response drills
  • Breach notification protocols meeting regulatory requirements

Third-Party Security

We carefully vet all third-party service providers:

  • Security questionnaires and assessments
  • Contractual security requirements
  • Regular vendor reviews
  • Limited data sharing based on need

Employee Security Training

All VeilPay employees undergo comprehensive security training:

  • Security awareness training upon hire
  • Annual refresher training
  • Phishing simulation exercises
  • PCI DSS and compliance training
  • Incident response training

Audits and Certifications

VeilPay undergoes regular third-party audits:

  • Annual PCI DSS assessment by QSA
  • SOC 2 Type II audit (annual)
  • Quarterly vulnerability scans
  • Annual penetration testing
  • Regular code security reviews

Responsible Disclosure

We welcome security researchers to report vulnerabilities through our responsible disclosure program:

Email: security@veilpay.com
PGP Key: Available upon request

We commit to acknowledging reports within 24 hours and providing updates on remediation.

Contact Compliance Team

For compliance inquiries or to request documentation:

Email: compliance@veilpay.com
Phone: +1 (415) 555-0123
Address: Compliance Department, VeilPay Inc., 123 Privacy Lane, San Francisco, CA 94102