Security at PaidGuard
We're handling your payment infrastructure. That demands a higher security bar than most SaaS. Here's how we meet it.
Defenses in place
OAuth, not API keys
You never paste a raw API key into PaidGuard. Stripe OAuth flow with explicit scope grants. Tokens stored encrypted at rest.
Read-only access by default
We request read-only scopes. PaidGuard cannot charge, refund, modify subscriptions, or delete customers from your Stripe account. You can verify this in your Stripe Connected Apps dashboard anytime.
Encryption in transit and at rest
All data encrypted in transit (TLS 1.2+). Database encrypted at rest (AES-256). Backups encrypted. Database hosted on Neon (SOC2 Type II).
No card data stored
PaidGuard never sees or stores customer card numbers, CVVs, or expiry dates. Stripe handles all PCI-DSS compliance. We only see the last 4 digits and brand (e.g., 'Visa ending in 4242').
Revoke access anytime
Disconnect from your PaidGuard dashboard, your Stripe dashboard, or both. Token revocation is instant.
GDPR & CCPA compliant
Data export, deletion, and audit logs available on request. Privacy policy is public. EU data residency available on Performance plan.
Certifications & posture
Report a vulnerability
Found a security issue? Please email security@paidguard.io instead of posting publicly.
We respond to all reports within 48 hours. Severity-1 issues are addressed within 7 days. We're happy to work with researchers on coordinated disclosure and offer recognition for valid reports.