Security overview
5nPay is engineered so that security and privacy are properties of the architecture, not layers applied after the fact. This page describes our current controls in plain terms. Enterprise customers can request the full Security Questionnaire Response and supporting evidence pack.
Encryption
- TLS 1.2+ enforced end-to-end with HSTS + includeSubDomains.
- Database (Supabase Postgres) uses AES-256 disk encryption; backups encrypted at rest with KMS-managed keys.
- Secrets stored only in Vercel encrypted environment variables — never in the repository or logs.
Identity & access control
- Authentication via Clerk (Google SSO, magic link, email + password). Passwords hashed with bcrypt and never reach 5nPay servers.
- Multi-factor authentication available to all users; required on request for owner accounts on enterprise plans.
- Capability-based role model: Owner, Admin, Driver, Accountant. Enforced server-side and recorded in the audit log.
- SAML SSO and SCIM provisioning available for enterprise customers using Okta, Azure AD, or Google Workspace (contact sales).
- Session security: HttpOnly + Secure + SameSite=Lax cookies; server-side session fingerprinting.
Application security
- Rate limiting on all authenticated and public API endpoints with named policy tiers.
- Webhook signature verification (HMAC-SHA256) with idempotency tables for Stripe and GoCardless.
- On-device OCR for PCN scanning — user document imagery is processed locally in WebAssembly before any field-level data is transmitted, minimising personal data 5nPay ever holds.
- Content Security Policy, X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin.
Data protection
- Primary data residency: EU (Frankfurt) via Supabase. See Data Residency section below.
- Multi-tenant isolation enforced by Postgres Row-Level Security and application-level enterprise scoping.
- GDPR export (Article 15) and erasure (Article 17) available self-service to every user.
- Records of Processing Activities maintained for controller and processor roles.
Vulnerability management
- GitHub Dependabot on every repository — critical and high advisories triaged within 24 hours.
- Weekly npm audit + Sentry-based runtime security signal.
- Quarterly secret rotation calendar; immediate rotation on any suspected exposure.
- Pen-testing by an external CREST-accredited firm scheduled for Q1 2027.
Monitoring & incident response
- Sentry error tracking with PII scrubbing; alerts routed to a single on-call rotation.
- Vercel + Supabase platform monitoring feed the same alert channel.
- Incident response runbook exercised twice yearly. ICO-notifiable breaches reported within the 72-hour statutory window under UK GDPR Article 33.
- Public status page at /status with historical incident log.
Backup & disaster recovery
- Automated encrypted daily database backups.
- Point-in-time recovery (Supabase PITR) with a 7-day window.
- Encrypted off-region S3 backup with integrity verification.
- Restore drills run quarterly; documented restore-time objective under 4 hours.
Sub-processors
Personal data processed by 5nPay may be handled by these sub-processors. Material changes are notified to enterprise customers with a 30-day objection window.
| Provider | Purpose | Region | Certifications |
|---|---|---|---|
| Vercel | Web hosting, CDN, serverless compute | EU / US | SOC 2 Type II, ISO 27001 |
| Supabase | Database, storage, auth backend | EU (Frankfurt) | SOC 2 Type II |
| Clerk | User authentication | US (EU option on enterprise) | SOC 2 Type II |
| GoCardless | Direct Debit payment processing | UK / EU | FCA-regulated, ISO 27001 |
| Stripe | Card + BNPL payment processing | UK / EU / US | PCI DSS Level 1, SOC 2 |
| Sentry | Error monitoring | EU | SOC 2 Type II, ISO 27001 |
| Resend | Transactional email | EU / US | SOC 2 in progress |
| AWS | OCR support microservice + backups | EU (Ireland) | SOC 2, ISO 27001, PCI DSS |
Certifications & compliance
UK GDPR / Data Protection Act 2018
WCAG 2.1 Level AA
Cyber Essentials Plus
ISO 27001
SOC 2 Type I
Reporting a vulnerability
Security researchers: please email security@5npay.co.uk with reproduction steps. We acknowledge within one working day and aim to remediate confirmed high-severity issues within 30 days. Coordinated disclosure is welcomed; we do not currently offer a bug bounty but will credit researchers on their request.