Security Built into the API, not bolted on

Security as a property of the platform.

Reparpay is built so the platform is the auditor. Every charge, refund and dispute is signed, journaled and replayed against the same model your security team would have written by hand.

01 Certifications & assurance

Compliance that shows its work.


PCI DSS Level 1

Audited annually since 2024. Token vault, P2PE, scoping reduction for every customer integration.

Re-audited March 2026

SOC 2 Type II

Continuous attestation. Trust principles: Security, Availability, Confidentiality, Processing Integrity, Privacy.

Report shared under NDA

ISO 27001 & 27701

Information security management and privacy information management. Mature controls program, owner per control, evidence on demand.

Certified by Bureau Veritas

GDPR & DSA

Data residency in EU, full DPA on every contract, DPIA library you can plug into your registry of processing activities.

EU representative on file

PSD2 & SCA

Strong Customer Authentication routed where it lifts conversion, with the full exemption library applied where eligible. PSD3 ready.

Authorised payment institution

HIPAA & HITRUST

For healthcare-adjacent customers: BAA on request, lifecycle-managed PHI handling, on-prem ledger replica for in-scope workloads.

Available on Enterprise

02 Encryption & key management

Every byte, encrypted twice.

Card data is tokenised at ingress and never traverses your system. Tokens are encrypted at rest with envelope keys rotated quarterly under FIPS 140-3 Level 3 HSMs in Frankfurt, Paris and Virginia. Application-level encryption protects PII a second time, with per-tenant data keys.

  • TLS 1.3 end-to-end, with perfect forward secrecy and HSTS preload.
  • BYOK on Enterprise — bring your own KMS keys, revoke access without our involvement.
  • Field-level encryption for selected payloads (e.g. PII metadata).
  • Cryptographic agility — algorithm and key length parameterised, rotation tested quarterly.
  • key/master: rotated 14 days ago
  • envelope/eu-paris: 1,420 wrapping ops/sec
  • envelope/eu-frankfurt: 1,318 wrapping ops/sec
  • algo/aes-256-gcm: hardware acceleration on
  • last replay: 2026-05-19 03:14 UTC

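
The envelope scheme described above, as an added illustration in Go's standard library rather than Reparpay's own implementation: a per-tenant data key (DEK) is wrapped under a master key (KEK), records are encrypted under the DEK with AES-256-GCM, and a KEK rotation re-wraps the DEK without touching any record ciphertext. The function names, the use of the tenant ID and field name as associated data, and software-generated keys standing in for the HSM are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal prepends a fresh random nonce; Open reverses it and fails on any change to
// nonce, ciphertext or AAD (a ciphertext bound to one tenant/field cannot be moved).
func Seal(key, pt, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, aad), nil
}

func Open(key, ct, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(ct) < g.NonceSize() {
		return nil, errors.New("bad key or truncated ciphertext")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], aad)
}

// RandomKey stands in for HSM key generation (an assumption of this example).
func RandomKey() []byte { k := make([]byte, 32); rand.Read(k); return k }
// RewrapDEK is the KEK rotation step: the per-tenant data key (DEK) is unwrapped under
// the retiring master key and wrapped under the new one; data under the DEK is untouched.
func RewrapDEK(oldKEK, newKEK, wrappedDEK, tenantID []byte) ([]byte, error) {
	dek, err := Open(oldKEK, wrappedDEK, tenantID)
	if err != nil {
		return nil, err
	}
	return Seal(newKEK, dek, tenantID) // only the wrapping changes
}
```

Because the DEK never changes, rotating the KEK is a pass over the wrapped keys only, not over the data set; the old KEK can be retired as soon as every wrapped DEK has been re-wrapped.
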
03 Trust center

What we publish, by default.

Status & uptime

Five-region status page with synthetic checks every 10 seconds. Historical incident notes and full RCAs published within 5 working days.

Sub-processor list

Live registry of every sub-processor with notice period, scope, location and contractual basis. Customers are notified 30 days before any change.

Vulnerability disclosure

Public security.txt, hall of fame, paid bounty program. We've paid €380k since 2024 to researchers; median triage time is 38 hours.

Incident communications

Customers contacted via 4 channels within 1 hour of a P1, written postmortem within 7 days, regulator notification within 72h where required.

Production regions: EU, US, UK, MEA, APAC, with active-active failover.
2025 uptime, EU: Three minor incidents, all within SLA. Public postmortems available.
Median PR security review: Every change reviewed for security impact before merge, no exceptions.
Bounty paid since 2024: Researchers welcome at [email protected].

Need the full report?

SOC 2, PCI AOC, ISO certificate and penetration testing summary are available under NDA. Drop us a line and we'll send the bundle within a working day.