Security & Trust

Your payment data, protected.

We take the security of your payment data seriously. Here's how we keep it safe.

Read-Only Access

We connect to your payment processors via official APIs with read-only permissions. We cannot modify your accounts, process payments, issue refunds, or access card numbers. You can revoke access at any time from your processor dashboard.

Infrastructure Security

Hosted on Vercel (SOC 2 compliant infrastructure)
Database on Supabase (SOC 2 Type II certified, PostgreSQL)
All data encrypted at rest (AES-256) and in transit (TLS 1.2+)
Automatic backups with point-in-time recovery

Data Isolation

Row-level security (RLS) enforced at the database level — each merchant can only access their own data
Admin operations (webhook processing, scheduled jobs) use isolated service accounts with scoped permissions
No shared data between merchant accounts, ever

Authentication

Secure authentication via Supabase Auth
Passwords are never stored in plaintext — bcrypt hashed with salt
Session tokens expire automatically
Rate limiting on authentication endpoints

PCI Compliance

We never store, process, or transmit cardholder data. All payment data flows through Stripe, which is PCI DSS Level 1 certified — the highest level of compliance. Your customers' card data never touches our servers.

Compliance Roadmap

We are actively pursuing SOC 2 Type II certification to provide independently audited assurance of our security controls. Our infrastructure providers (Vercel, Supabase) already maintain SOC 2 compliance.

Responsible Disclosure

Found a security issue? We appreciate responsible disclosure. Contact us and we'll respond within 48 hours.

[email protected] →

Ready to see Cellix AI in action?

Book a demo and see how we monitor your payments across all processors in real time.

Book a Demo → View pricing