Security

Security is foundational to RescuePay. We handle sensitive payment metadata and customer communications on behalf of our clients, and we take that responsibility seriously. This page describes the controls we have in place to protect your data.

RescuePay runs on Amazon Web Services (AWS) in the eu-west-1 (Ireland) region. Our infrastructure is designed for high availability and fault tolerance:

• All services run inside a private VPC with strict ingress/egress rules.
• Data is replicated across multiple Availability Zones.
• We use managed services (RDS, ElastiCache, SQS) to minimise our operational attack surface.
• Infrastructure is defined as code (Terraform) and all changes go through a peer-reviewed deployment pipeline.

• Data in transit: all traffic is encrypted with TLS 1.2 or higher. We enforce HTTPS across all endpoints.
• Data at rest: all databases and object storage buckets are encrypted using AES-256.
• Secrets management: API keys and credentials are stored in AWS Secrets Manager, never in code or environment variable files.

RescuePay does not store raw card numbers, CVVs, or full PANs. We work exclusively with tokenised payment references provided by Stripe. Our integration is reviewed against Stripe's partner security guidelines. We are PCI-DSS SAQ-A compliant.

• All production access requires multi-factor authentication (MFA).
• We follow the principle of least privilege — engineers only have access to the systems necessary for their role.
• SSH access to production servers is prohibited; all deployments go through our CI/CD pipeline.
• Access logs are retained for 12 months and reviewed quarterly.

• All code changes go through peer review before merging.
• We run automated static analysis (SAST) and dependency vulnerability scanning on every pull request.
• We conduct penetration testing at least once per year with an independent third party.
• Our API is protected against common OWASP Top 10 vulnerabilities including injection, broken authentication, and CSRF.

We monitor our systems 24/7 for anomalous activity:

• Real-time alerting on error rates, latency, and suspicious access patterns.
• Security events are centralised in a SIEM and reviewed by our on-call team.
• We have a documented incident response plan with defined escalation paths.
• In the event of a data breach, affected customers will be notified within 72 hours, in compliance with GDPR Article 33.

• All employees undergo background checks before joining.
• Security awareness training is mandatory at onboarding and annually thereafter.
• Personal devices used for work must be enrolled in our MDM solution with full-disk encryption enabled.

If you discover a security vulnerability in RescuePay, please report it to us responsibly:

• Email: security@rescuepay.io
• Please include a clear description of the vulnerability and steps to reproduce.
• We will acknowledge your report within 48 hours and aim to resolve confirmed issues within 30 days.
• We will not take legal action against researchers who act in good faith.

For any security-related questions beyond what is covered here, contact us at security@rescuepay.io.