Coming Soon — TesterPayKit is in public preview. Pricing and features may still change before launch.

Security

Last updated: January 27, 2026

Our Commitment to Security

At TesterPayKit, security is foundational to everything we do. We handle sensitive data from both developers and testers, and we take that responsibility seriously. This page outlines our security practices and certifications.

Infrastructure Security

Cloud Infrastructure

  • Hosted on enterprise-grade cloud infrastructure covered by a SOC 2 Type II attestation report
  • Data centers located in the European Union (Frankfurt, Germany), keeping data residency inside the EU for GDPR purposes
  • Geographic redundancy and automatic failover capabilities
  • Regular infrastructure security assessments and penetration testing

Network Security

  • Web Application Firewall (WAF) protection against common attacks
  • DDoS mitigation through Cloudflare
  • Network segmentation and isolation between services
  • Intrusion detection and prevention systems (IDS/IPS)
  • Regular vulnerability scanning and patch management

Monitoring and Logging

  • 24/7 infrastructure monitoring and alerting
  • Comprehensive audit logging of all system access
  • Log retention for security analysis and compliance
  • Real-time threat detection and automated response

Data Security

Encryption

In Transit

  • TLS 1.3 for all connections
  • HSTS enabled with preload
  • Certificate transparency logging
  • Perfect forward secrecy

At Rest

  • AES-256 encryption for all stored data
  • Encrypted database connections
  • Encrypted backups
  • Hardware security modules for key management

Data Classification

We classify data based on sensitivity and apply appropriate controls:

  • Public: Marketing content, documentation
  • Internal: Aggregated analytics, non-sensitive operational data
  • Confidential: User profiles, bug reports, application data
  • Restricted: Payment information, authentication credentials, PII

Data Retention and Deletion

  • Data retained only as long as necessary for business purposes
  • Automated data lifecycle management
  • Secure deletion procedures for expired data
  • User data deletion upon account termination request

Application Security

Secure Development

  • Security training for all developers
  • Secure coding guidelines and code review requirements
  • Static Application Security Testing (SAST) in CI/CD pipeline
  • Dynamic Application Security Testing (DAST) for deployed applications
  • Dependency vulnerability scanning with automated updates

Authentication and Access Control

  • Strong password requirements, with passwords checked against known-breach lists
  • Multi-factor authentication (MFA) support
  • OAuth 2.0 / OpenID Connect for third-party integrations
  • Role-based access control (RBAC)
  • Session management with secure token handling
  • Automatic session timeout and logout

API Security

  • API key authentication with rotation support
  • Rate limiting and throttling
  • Input validation and sanitization
  • Protection against the OWASP Top 10 vulnerability classes
  • API versioning for backward compatibility
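The first two bullets name capabilities without saying how they fit together. As an added example (not TesterPayKit's implementation; the `tpk_<id>_<secret>` key format, the `Account`/`ApiKeyRecord` types and the grace-period scheme are assumptions made for illustration), the Python below shows one way to build them: keys are stored only as SHA-256 digests, rotation issues a new key while the old one keeps working for a grace period so clients can switch without an outage, verification uses a constant-time comparison, and a per-key token bucket enforces the rate limit. Timestamps are injected so the behaviour can be exercised deterministically.

```python
"""API key rotation and per-key rate limiting.

Added example, not TesterPayKit's code. Key format and types are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ApiKeyRecord:
    key_id: str                         # public prefix, safe to log
    key_hash: bytes                     # SHA-256 of the secret; plaintext never stored
    expires_at: Optional[float] = None  # set once the key has been superseded


@dataclass
class Account:
    name: str
    keys: List[ApiKeyRecord] = field(default_factory=list)


def _hash(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


def issue_key(account: Account) -> str:
    """Create a key 'tpk_<key_id>_<secret>' and return its only plaintext copy."""
    key_id = secrets.token_hex(4)
    secret = secrets.token_urlsafe(32)
    account.keys.append(ApiKeyRecord(key_id, _hash(secret)))
    return f"tpk_{key_id}_{secret}"


def rotate_key(account: Account, grace_seconds: float, now: Optional[float] = None) -> str:
    """Issue a replacement key; every currently active key expires after the grace period."""
    now = time.time() if now is None else now
    for rec in account.keys:
        if rec.expires_at is None:
            rec.expires_at = now + grace_seconds
    return issue_key(account)


def verify_key(account: Account, presented: str, now: Optional[float] = None) -> bool:
    """Accept a presented key if it matches an unexpired record for this account."""
    now = time.time() if now is None else now
    try:
        prefix, key_id, secret = presented.split("_", 2)  # secret may itself contain '_'
    except ValueError:
        return False
    if prefix != "tpk":
        return False
    digest = _hash(secret)
    for rec in account.keys:
        if rec.key_id == key_id and (rec.expires_at is None or now < rec.expires_at):
            # compare_digest keeps timing independent of where the digests differ
            return hmac.compare_digest(rec.key_hash, digest)
    return False


class TokenBucket:
    """Per-key token bucket: refills `rate` tokens per second up to `capacity`."""

    def __init__(self, rate: float, capacity: int):
        self.rate, self.capacity = rate, capacity
        self._state: Dict[str, Tuple[float, float]] = {}  # key_id -> (tokens, last_ts)

    def allow(self, key_id: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        tokens, last = self._state.get(key_id, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens >= 1:
            self._state[key_id] = (tokens - 1, now)
            return True
        self._state[key_id] = (tokens, now)  # request rejected; bucket stays drained
        return False


if __name__ == "__main__":
    acct = Account("demo")
    old = issue_key(acct)
    new = rotate_key(acct, grace_seconds=3600)
    print("old key still accepted during grace period:", verify_key(acct, old))
    print("new key accepted:", verify_key(acct, new))
    bucket = TokenBucket(rate=1.0, capacity=3)
    print("requests allowed in a burst:", sum(bucket.allow("demo-key") for _ in range(5)))
```

Two points worth noting: the lookup is by the non-secret `key_id`, so the constant-time comparison only ever runs against a single record, and the expiry is stored on the old record rather than deleting it, which lets you log which clients are still using a key that is about to stop working.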

Operational Security

Employee Security

  • Background checks for employees with data access
  • Security awareness training and phishing simulations
  • Principle of least privilege for all access
  • Multi-factor authentication for all internal systems
  • Secure remote work policies and tools

Incident Response

  • Documented incident response procedures
  • 24/7 on-call security team
  • Incident classification and escalation procedures
  • Post-incident review and lessons learned
  • Customer notification within 72 hours for security incidents affecting their data

Business Continuity

  • Regular backups with tested recovery procedures
  • Disaster recovery plan with defined RTO/RPO
  • Geographic redundancy for critical systems
  • Annual business continuity testing

Compliance and Certifications

GDPR

Full compliance with the EU General Data Protection Regulation, including data subject rights, lawful processing, and cross-border transfer mechanisms.

ISO 27001

Information security management system aligned with the ISO/IEC 27001 standard; certification is in progress.

SOC 2 Type II

Annual SOC 2 Type II audits for security, availability, and confidentiality trust service criteria.

PCI DSS

Payment processing is handled by PCI DSS Level 1 service providers. We never store credit card numbers on our own systems.

Responsible Disclosure

We appreciate the security research community and welcome reports of potential vulnerabilities. If you believe you have found a security issue, please report it to us responsibly.

Reporting Guidelines

  • Email your findings to security@testerpaykit.com
  • Include detailed steps to reproduce the vulnerability
  • Allow us reasonable time to investigate and fix the issue
  • Do not access or modify other users' data
  • Do not perform attacks that could harm the availability of our services

Our Commitment

  • Acknowledge receipt within 24 hours
  • Provide an initial assessment within 5 business days
  • Keep you informed of our progress
  • Credit researchers who report valid vulnerabilities (with permission)
  • Not pursue legal action against good-faith security researchers

Bug Bounty: We offer rewards for qualifying vulnerability reports. Contact us for details about our bug bounty program.

Security Updates

We publish security advisories for significant issues that may affect our users. Subscribe to our security mailing list to receive notifications.

Security Contact

For security-related inquiries or to report a vulnerability:

Security Team: security@testerpaykit.com

PGP Key: Download our PGP public key

Response Time: Security issues acknowledged within 24 hours