Encryption
All traffic between guests, operators, and PayLoop services runs over TLS 1.2 or higher. Certificates are issued by public certificate authorities and rotated automatically. Data at rest is encrypted with AES-256 via our cloud provider's managed encryption service. Encryption keys are rotated at least annually and are separated from the data they protect.
Card data — never on PayLoop servers
PayLoop does not store, process, or transmit raw card data. When a guest enters card details into the PayLoop checkout, those details go directly to our PCI-DSS compliant payment processor (Paymob, in the UAE) and are tokenised before returning to the platform. PayLoop only sees an opaque token — never a card number, CVV, expiry, or cardholder name that could rebuild one.
This means that even in the worst-case scenario of a PayLoop data breach, card data is not exposed. The blast radius is limited to operator and guest profile data — still serious, but not the category of breach that triggers mass card reissuance.
PCI-DSS compliance
Our payment processing chain is PCI-DSS Level 1 compliant — the highest tier of the Payment Card Industry Data Security Standard. PayLoop itself operates under the SAQ-A scope, the appropriate compliance category for merchants who have fully outsourced card handling to a compliant processor. We review scope annually.
Authentication and access control
Operator accounts support strong passwords and two-factor authentication (SMS or authenticator app). Every admin action in the operator dashboard is logged with user, IP, and timestamp. Role-based permissions allow you to give shift managers limited access without exposing financial settings.
Internal access to production systems is governed by principle of least privilege. Only named engineers have production access. All production actions are logged and reviewed.
Infrastructure
PayLoop runs on industry-standard cloud infrastructure with data centres in the UAE and EU. Infrastructure is provisioned with infrastructure-as-code and is reproducible from source. Production systems are isolated from staging and development environments.
Backups and availability
Transaction and operator data is continuously replicated across availability zones and backed up nightly. Recovery Point Objective (RPO) is ≤ 5 minutes; Recovery Time Objective (RTO) is ≤ 2 hours. We target 99.9% uptime monthly at the platform API level.
Monitoring and incident response
Production systems are monitored 24/7 with automated alerting on anomalies in availability, error rates, authentication patterns, and settlement flows. Our on-call engineer receives alerts within 60 seconds of a production issue.
In the event of a security incident involving personal data, we will notify affected operators within 72 hours of identification, in line with applicable data protection law. The notification will include what happened, what data was affected, what we are doing, and what we recommend you do.
Penetration testing
We engage independent third-party security firms to conduct penetration testing at least annually. We also run continuous automated vulnerability scans on our infrastructure and application code. Executive summaries of penetration tests are available to enterprise operators under NDA.
Business continuity
We maintain a documented business continuity plan covering infrastructure failure, provider outages, loss of key personnel, and physical office disruption. The plan is reviewed annually and tested via tabletop exercises.
Responsible disclosure
If you've found a security issue, please report it to info@pay-loop.io with the subject "Security disclosure". We commit to acknowledging within one business day, to not pursuing legal action against good-faith researchers following responsible disclosure, and to public credit (if desired) after a fix ships.
Sub-processors
Our current sub-processors (with purpose and location) are listed in the Privacy Policy, section 6. Changes to the sub-processor list will be notified to operators at least 30 days in advance.
Contact
Security questions, audit requests, vendor security questionnaires: info@pay-loop.io.