Security at PaidGuard

We're handling your payment infrastructure. That demands a higher security bar than most SaaS. Here's how we meet it.

Defenses in place

OAuth, not API keys

You never paste a raw API key into PaidGuard. Stripe OAuth flow with explicit scope grants. Tokens stored encrypted at rest.

Read-only access by default

We request read-only scopes. PaidGuard cannot charge, refund, modify subscriptions, or delete customers from your Stripe account. You can verify this in your Stripe Connected Apps dashboard anytime.

Encryption in transit and at rest

All data encrypted in transit (TLS 1.2+). Database encrypted at rest (AES-256). Backups encrypted. Database hosted on Neon (SOC2 Type II).

No card data stored

PaidGuard never sees or stores customer card numbers, CVVs, or expiry dates. Stripe handles all PCI-DSS compliance. We only see the last 4 digits and brand (e.g., 'Visa ending in 4242').

Revoke access anytime

Disconnect from your PaidGuard dashboard, your Stripe dashboard, or both. Token revocation is instant.

GDPR & CCPA compliant

Data export, deletion, and audit logs available on request. Privacy policy is public. EU data residency available on Performance plan.

Certifications & posture

TLS 1.2+ in transitActive
AES-256 at rest (database)Active
Stripe PCI-DSS Level 1 (inherited via OAuth)Active
SOC2 Type IIIn progress (Q3 2026)
GDPR / CCPA compliance programActive
99.9% uptime SLA on Performance planLive at /status

Report a vulnerability

Found a security issue? Please email security@paidguard.io instead of posting publicly.

We respond to all reports within 48 hours. Severity-1 issues are addressed within 7 days. We're happy to work with researchers on coordinated disclosure and offer recognition for valid reports.

Connect Stripe securely →