Security policy.

At PayLead, we are acutely aware of the importance of your data. We are constantly striving to develop the best security systems possible.

Our whole team shares the conviction that transparency is essential for building relationships of trust, and that’s why it is so important for us that you should understand the care we take to protect your data.

We therefore invite you to read this charter carefully and take note of our commitment to security and protection.

In addition, we are well aware that reading these documents can often be lengthy and tedious. This is why we have written a short and simple text highlighting the information you need to know.

Our communication on security matters is designed to be completely transparent and we strive to make it accessible and understandable by all.

Protecting your data

In order to ensure the protection of your data, we use various protection systems, including:

  • Private and isolated networks for our back-end infrastructure

    We only disclose the bare minimum on the internet: our API connectors. All the services on which the API is based are isolated from the rest of the world and cannot be directly accessed via the internet. This considerably reduces and limits the attack surface.

  • Using firewalls on all our servers

    In order to ensure optimal protection levels, each server restricts access to its services. We have implemented port restrictions and also a whitelist system based on IP addresses or sets of machines (i.e. security groups) for filtering. This specific feature is also implemented on our isolated networks in order to avoid any risk of lateral spread in the event a server is compromised.

    Furthermore, where environments allow us to do so, we add intermediate filtering equipment between all servers in compliance with the defence-in-depth principle.

  • Constant monitoring of our machines’ status

    The usage status of our machines and services is monitored so that we are able to immediately detect any suspicious activity and act accordingly.

  • A strict “Zero trust network” policy

    We work on the assumption that the network layer must not be considered safe whatever its location.

    Therefore, our premises’ network is not exempt from rules on firewalls. Only a sub-set of machines can be used as “rebound machinery” so that we are authorized to run our servers. These machines are also monitored.

    Communication security also involves the methods we use to communicate with our machines; by default we only use and allow communications which use secure connections via TLS v1.2. In addition, we have configured our servers so that they only use recent, robust and secure encryption systems (AES-256).

  • Audits and easy access to data if need be

    We have configured our services so that their activity logs are fed into in a “well-log” database. This equipment is in charge of collecting all our machine logs and ensuring that, in the event of an incident, the most important elements will be available and quickly accessible.

    Access to production data is restricted to a limited number of identified people, after endorsement by security teams and examining the reason for this access.

    All access to data and to servers containing data is de facto logged and stored.

  • Staff training is our priority

    Because the weak spot in security will always be the human factor, we provide training on security risks for each new arrival. The training programme presents basic risks as well as the proper course of action when malicious activity is suspected.

Continuous protection

To ensure the continuous protection of our infrastructures, we use surveillance systems which can generate real-time alerts in order to warn our teams as quickly as possible.

Furthermore, we submit our APIs and servers once or twice a year to reliable security auditors in order to guarantee that potential vulnerabilities are detected and checked as quickly as possible.

We have also implemented a “bug bounty” system enabling all independent security researchers to test our infrastructures within the limits defined at the end of/under the terms of the contract with HackerOne.

Do you want to help us? Do you have a bug to report? Go to the following webpage and you could win a reward!

If you would like to report a potential weakness without using our bug bounty platform, you can contact us at the following address: security@paylead.fr

Certifications

Certification work is being done, we will soon be able to proudly display a new pictogram here, stay tuned!

PayLead has undertaken a long process in order to obtain an ISO 27001 certificate. Approval by independent auditors is projected for 2020.

Still have questions? Let’s talk!

For any questions related to safeguarding your data or our infrastructure, you can contact us at the following address: security@paylead.fr. We are here to listen and will be delighted to help you.