Security
How we protect your business data
Encryption
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. API keys and secrets are encrypted with platform-level key management.
Authentication & Access Control
Payorth authenticates users with a one-time password (OTP) sent to their phone, and sessions expire automatically after 30 minutes of inactivity. Admin access requires API key authentication. Sessions are bound to a single origin and kept in sync across browser tabs.
Infrastructure
Payorth runs on hardened infrastructure with automated security scanning, dependency auditing, and container scanning on every deployment. Our CI/CD pipeline includes SAST (CodeQL + Semgrep), secrets scanning, and license compliance checks.
Payment Security
Payment processing is handled by PCI DSS Level 1 compliant providers (Stripe and Paystack); Payorth never stores raw card numbers. Signatures on incoming webhooks from these providers are verified with their official SDKs before an event is processed.
Data Protection
Account data is isolated per organization. Database access goes through the Prisma ORM, which issues parameterized queries, to prevent SQL injection. Input validation and context-aware output encoding mitigate cross-site scripting (XSS).
Monitoring
We maintain comprehensive audit logging for all sensitive operations including authentication events, invoice actions, payment processing, and admin access. Security events trigger real-time alerts.
Vulnerability Disclosure
If you discover a security vulnerability, please report it to security@payorth.com. We take all reports seriously and will respond within 48 hours.