Security
Pabopay holds balances, splits payments and pays out billions of euros on behalf of platforms. That only works if every euro is protected end to end. We hold the certifications, run KYC and AML on every seller you onboard, encrypt data with HSM-backed keys, and publish the evidence in our trust center.
Certifications
Independent assessors review our controls on a continuous basis. Current attestations and reports are available on request in the trust center below.
The highest level of card-data security, assessed annually by a Qualified Security Assessor across our entire cardholder-data environment.
An independent report on the operating effectiveness of our security, availability and confidentiality controls over a continuous audit window.
A certified information security management system governing how we identify, treat and continuously reduce risk across the company.
EU data protection by design: lawful processing, data-subject rights, a published sub-processor list and standard contractual clauses for transfers.
Strong Customer Authentication and 3-D Secure 2 built into checkout, with exemption handling to keep conversion high where the rules allow.
A certified business continuity management system with tested disaster-recovery runbooks so payouts keep moving through disruption.
KYC / AML for sub-merchants
When you put a seller on your platform, Pabopay becomes the regulated layer that knows who they are. We verify each sub-merchant before a single euro moves, then keep watching for as long as they take payouts.
You get a clean pass or fail and an audit-ready evidence trail. We carry the records, file the reports and refresh checks on a schedule, so onboarding a seller never turns you into a compliance department.
Encryption & key management
Card numbers and account data are protected at every layer. Keys live in hardware, access is least-privilege by default, and raw card numbers never touch your systems.
Data residency & resilience
Choose where your data lives and trust that payouts keep flowing. We run active-active across availability zones with tested recovery and immutable backups.
Keep customer and payout data in the EU, US or another supported region. Data stays where you pin it, with residency guaranteed contractually.
A multi-region, active-active architecture with no single point of failure. Our public status page tracks every API and payout rail in real time.
Cross-region failover with aggressive recovery objectives — RPO under one minute, RTO under fifteen — rehearsed in regular game-day drills.
Encrypted, point-in-time backups written to write-once storage and restore-tested continuously, so the ledger can always be rebuilt intact.
Logical isolation between platforms with scoped keys and per-tenant encryption, so one customer's data is never reachable from another's.
A round-the-clock security operations center with intrusion detection, anomaly alerting and a published incident-response and disclosure process.
Trust center
Vendor review or security questionnaire? Everything your team needs to assess Pabopay lives here. Reports under NDA are released in minutes, not weeks.
Request our latest SOC 2 Type II report under NDA for a full view of our controls and the auditor's opinion.
Request reportIndependent firms test Pabopay at least twice a year. Download the executive summary of the most recent engagement.
Get summaryA complete, current list of the sub-processors we rely on, what they do and where they operate. Subscribe to change notices.
View listReal-time uptime for every API, dashboard and payout rail, plus a full history of incidents and scheduled maintenance.
Open statusPre-filled CAIQ and SIG answers, plus a turnaround commitment for anything your procurement team needs in its own format.
Request packA coordinated vulnerability-disclosure program and bug bounty. Report an issue securely and hear back from our team fast.
Report an issueReports, questionnaires and a walkthrough of how Pabopay protects every euro you move — we'll get your review unblocked fast.