Security
Financial transaction data requires a different security baseline.
Settlement files, exception records, and FX variance data are processed under encryption, strict access controls, and audit logging designed for payment operations environments. This page describes how.
Encryption in transit and at rest
All data is encrypted in transit using TLS 1.3. Payment records, settlement files, and reconciliation state are encrypted at rest using AES-256. Encryption keys are managed with rotation policies and stored separately from application data.
Access control and identity
Role-based access control with least-privilege defaults. All user sessions are protected by MFA. API access uses short-lived tokens scoped to specific corridors and operations. Connector credentials are stored in an isolated secret vault, not alongside application data.
Audit logging
Every reconciliation run, exception override, and data export is logged with timestamp, user identity, and action detail. Logs are append-only and retained for 12 months. Enterprise plans include SIEM export via syslog or webhook.
Infrastructure and isolation
Txnworks infrastructure runs on AWS — primary in us-east-1, failover in us-west-2. Each customer's payment data is stored in isolated namespaces with no cross-tenant data access. Database access requires VPN and certificate-based authentication from operations staff. Enterprise deployments support on-premise or private cloud configurations on request.
Vulnerability management
We conduct regular internal vulnerability scans and engage an independent third party for annual penetration testing. Critical findings are tracked to remediation within 30 days. Responsible disclosure requests can be directed to [email protected].
Business continuity
Reconciliation jobs use idempotent design — a failed or retried run produces identical output without duplication. Hourly state snapshots allow point-in-time recovery. RTO is designed for under 4 hours; RPO under 1 hour for Scale and Enterprise customers.
Compliance posture
Txnworks designs its internal controls against the SOC 2 Type II Trust Service Criteria covering security, availability, and confidentiality. We do not claim SOC 2 Type II certification, PCI DSS scope, or ISO 27001 certification at this stage.
What we do provide: TLS 1.3 in transit, AES-256 at rest, MFA-enforced access, append-only audit logs with 12-month retention, and annual third-party penetration testing. Enterprise customers can request controls documentation and a vendor security questionnaire response during scoping.
Contact our security teamSecurity review before you commit?
Our team walks through controls documentation, answers vendor security questionnaires, and maps data residency options to your requirements — before you sign anything.