SECURITY POSTURE
Money software demands infrastructure-grade security.
Defense in depth across application, data, network, and operations layers. Aligned with PCI DSS, ISO 27001 controls, and CIS benchmarks.
PRINCIPLES
Five non-negotiables.
Encryption everywhere
TLS 1.3 in transit; AES-256 at rest. Sensitive fields (PAN, CVV, account numbers) encrypted at field level with rotating keys.
Least privilege
Role-based access with strict separation of duties. No standing human access to production data; every access is break-glass and audited.
Audit everything
Every API call, database mutation, and admin action is logged with actor, timestamp, and context. Logs are immutable and retained for at least the regulatory minimum period.
Isolation by design
Production and staging fully isolated. No shared credentials, networks, or data. Tenant data isolated at database row level with policy enforcement.
Continuous testing
Quarterly external penetration tests; continuous internal red team. 1,141 automated tests run on every commit before code reaches production.
TECHNICAL CONTROLS
What we run, in production.
TLS 1.3 + HSTS
All endpoints HTTPS with HSTS preload. Certificate pinning for mobile SDKs.
PAN tokenization
Card numbers replaced with tokens at ingress. Vault separated from operational systems with break-glass access.
Secret management
Secrets in HashiCorp Vault with automatic rotation. No secrets in code, config, or environment variables in production.
WAF + DDoS protection
Cloud WAF with OWASP Top 10 rules. DDoS mitigation at edge with autoscaling fallback.
24/7 SIEM monitoring
All logs aggregated to a SIEM. Anomaly alerts route to the on-call engineer, with an SLA on incident response.
Daily backups + DR
Encrypted daily database backups; geographically replicated. Quarterly DR drills with documented RPO/RTO targets.
RESPONSIBLE DISCLOSURE
Found a vulnerability?
We welcome reports from security researchers. Email security@kaadxpay.com with details. We commit to acknowledging within 1 business day, triaging within 5 business days, and posting credit (with permission) when remediated.
Need our security documentation?
Enterprise customers and partners can request our SOC report, penetration test summary, and information security policy under NDA.