Security

Security you can audit.

We handle real money for real people. Security is not a checkbox — it is the foundation every feature is built on. Here is exactly what we do.

Transport & storage

  • TLS 1.3 for all data in transit
  • AES-256 encryption for data at rest
  • Zero plaintext secrets in source code or logs
  • Secrets managed via Cloudflare Secrets / Workers environment variables

Identity & KYC

  • Full KYC for every account — government ID + liveness check
  • Identity verification via licensed KYC partners (e.g. Bridge)
  • AML/CFT screening on every transaction
  • FATF-aligned controls throughout the payment stack

Infrastructure

  • Cloudflare Workers — no persistent server, serverless by design
  • Convex backend (SOC 2 Type II certified)
  • Cloudflare WAF + DDoS protection on every edge node
  • No third-party advertising scripts or trackers

Regulatory compliance

  • Licensed banking and payment partners in each country of operation
  • Customer funds held in segregated accounts at licensed institutions
  • Not pooled with company operating funds
  • Regulatory reporting as required by law in each jurisdiction

Access control

  • Multi-factor authentication required for all production access
  • Role-based access — least-privilege principle throughout
  • Access reviews quarterly; access revoked immediately on offboarding
  • All privileged actions logged and auditable

Penetration testing

  • Annual third-party penetration test by an accredited firm
  • Critical findings remediated within 72 hours
  • Responsible disclosure programme — see below
  • Bug bounty available for qualifying reports

Your funds

Your money stays yours.

All customer funds are held in segregated accounts at licensed banking institutions — fully separate from GigMoPay's operating accounts. This means your balance is not at risk if anything were to happen to GigMoPay as a company.

Found a vulnerability?

We operate a responsible disclosure programme. If you discover a security issue, email us at security@gigmopay.com. We acknowledge all reports within 48 hours, and we will never pursue legal action against good-faith researchers.

Please include: affected URL or component, steps to reproduce, potential impact. We will keep you updated as we investigate and resolve the issue.