Security policy.
At PayLead, we are acutely aware of the importance of your data. We are constantly striving to develop the best security systems possible.
Our whole team shares the conviction that transparency is essential for building relationships of trust, and that’s why it is so important for us that you should understand the care we take to protect your data.
We therefore invite you to read this charter carefully and take note of our commitment to security and protection.
In addition, we are well aware that reading documents like this can often be lengthy and tedious. This is why we have written a short and simple text highlighting the information you need to know.
Our communication on security matters is designed to be completely transparent and we strive to make it accessible and understandable by all.
Protecting your data
In order to ensure the protection of your data, we use various protection systems, including:
Private and isolated networks for our back-end infrastructure
We only expose the bare minimum to the internet: our API connectors. All the services on which the API relies are isolated from the rest of the world and cannot be accessed directly via the internet. This considerably reduces the attack surface.
Using firewalls on all our servers
In order to ensure optimal protection levels, each server restricts access to its services. We have implemented port restrictions as well as a whitelist system based on IP addresses or sets of machines (i.e. security groups) for filtering. This filtering is also applied within our isolated networks in order to limit the risk of lateral movement in the event a server is compromised.
Furthermore, where environments allow us to do so, we add intermediate filtering equipment between all servers in compliance with the defence-in-depth principle.
Constant monitoring of our machines’ status
The usage status of our machines and services is monitored so that we are able to immediately detect any suspicious activity and act accordingly.
A strict “Zero trust network” policy
We work on the assumption that the network layer must not be considered safe whatever its location.
Therefore, our office network is not exempt from firewall rules. Only a subset of machines can be used as jump hosts (“rebound machines”) through which authorized administration of our servers takes place. These machines are also monitored.
Communication security also involves the methods we use to communicate with our machines; by default we only use and allow communications which use secure connections. In addition, we have configured our servers so that they only use recent, robust and secure encryption systems.
Audits and easy access to data if need be
We have configured our services so that their activity logs are fed into a central “log well” database. This system is in charge of collecting all our machine logs and ensuring that, in the event of an incident, the most important elements will be available and quickly accessible.
Access to production data is restricted to a limited number of identified people, after endorsement by security teams and examining the reason for this access.
All access to data and to servers containing data is de facto logged and stored.
Regular staff training
Because the weak spot in security will always be the human factor, we provide training on security risks for each newcomer and on an annual basis. The training program covers both security basics and secure coding training for the Engineering department.
Continuous protection
To ensure the continuous protection of our infrastructures, we use surveillance systems which can generate real-time alerts in order to warn our teams as quickly as possible.
Furthermore, we submit our APIs and servers at least once a year to reliable security auditors in order to guarantee that potential vulnerabilities are detected and addressed as quickly as possible.
Report a vulnerability
At Paylead, we are eager to protect our customers’ data and ensure the security of our services at all times.
We are deeply grateful to researchers and our community who report issues so that we can coordinate a fix and responsible disclosure. All reports are thoroughly investigated internally.
If you would like to report a potential weakness, you can contact us at the following address: vulnerabilities@paylead.fr
You may encrypt your report to this list using the Security team’s GPG key.
Encryption using GPG is NOT required to make a disclosure.
You should use this mailing-list if:
- You think you discovered a potential security vulnerability in Paylead's APIs or services
- You are unsure how a vulnerability affects Paylead's APIs or services
- You think you discovered a vulnerability in another project that Paylead may depend on
Still have questions?
For any questions related to safeguarding your data or our infrastructure, you can contact us at the following address: ciso@paylead.fr. We are here to listen and will be delighted to help you.