# Data Certification

Verified and certified data handling for maximum trust and compliance.

## Overview

BANKpay+ maintains rigorous data certification standards to ensure the highest levels of security, privacy, and compliance. Our certifications demonstrate our commitment to protecting your data.

## Certifications

### ISO 27001

**Information Security Management**

- ✅ **Certified**: 2025
- ✅ **Auditor**: TÜV Austria
- ✅ **Valid Until**: 2028
- ✅ **Scope**: Payment processing, data handling

**What it means**:
- Systematic approach to information security
- Risk-based security management
- Continuous improvement
- International recognition

### PCI DSS Level 1

**Payment Card Industry Data Security Standard**

- ✅ **Certified**: 2025
- ✅ **Auditor**: Qualified Security Assessor (QSA)
- ✅ **Valid Until**: Annual renewal
- ✅ **Scope**: Payment data handling

**Requirements met**:
- Secure network architecture
- Cardholder data protection
- Vulnerability management
- Access control measures
- Regular monitoring

### SOC 2 Type II

**Service Organization Control**

- ✅ **Certified**: 2025
- ✅ **Auditor**: Independent CPA firm
- ✅ **Valid Until**: Annual renewal
- ✅ **Trust Principles**: Security, Availability, Confidentiality

**Assurance provided**:
- Controls are suitably designed
- Controls operate effectively
- Controls observed over an extended period (6+ months)
- Third-party verified

### GDPR Certification

**General Data Protection Regulation**

- ✅ **Compliant**: Since 2018
- ✅ **DPO Appointed**: Yes
- ✅ **Registration**: Austrian DSB
- ✅ **Certification**: Europrivacy™

**Key commitments**:
- Lawful, fair, transparent processing
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality

### PSD2 Compliance

**Payment Services Directive 2**

- ✅ **Licensed**: Payment Institution
- ✅ **Supervisor**: FMA Austria
- ✅ **Registration**: PSD2 Register
- ✅ **Scope**: Payment initiation, account information

**Compliance areas**:
- Strong Customer Authentication (SCA)
- Secure communication
- Data protection
- Incident reporting
- Capital requirements

## Technical Certifications

### Encryption Standards

| Standard | Implementation | Certification |
|----------|----------------|---------------|
| **TLS 1.3** | All communications | IETF RFC 8446 |
| **AES-256** | Data at rest | FIPS 197 |
| **RSA-4096** | Key exchange | NIST SP 800-56B |
| **SHA-256** | Hashing | FIPS 180-4 |

### Infrastructure Certifications

**Data Centers**:
- ✅ ISO 27001 certified facilities
- ✅ SOC 2 Type II audited
- ✅ Tier III+ uptime guarantee
- ✅ Geographic redundancy

**Cloud Providers**:
- ✅ AWS Certified
- ✅ Google Cloud Certified
- ✅ Azure Certified

### Development Certifications

**Secure Development Lifecycle**:
- ✅ OWASP compliance
- ✅ Security code review
- ✅ Penetration testing
- ✅ Bug bounty program

## Audit Reports

### Regular Audits

| Audit Type | Frequency | Last Audit | Next Audit |
|------------|-----------|------------|------------|
| **ISO 27001** | Annual | Jan 2026 | Jan 2027 |
| **PCI DSS** | Annual | Mar 2025 | Mar 2026 |
| **SOC 2** | Annual | Jun 2025 | Jun 2026 |
| **Penetration Test** | Quarterly | Dec 2025 | Mar 2026 |
| **Vulnerability Scan** | Monthly | Feb 2026 | Mar 2026 |

### Audit Scope

**Technical Controls**:
- Network security
- Access controls
- Encryption
- Logging and monitoring
- Incident response

**Organizational Controls**:
- Policies and procedures
- Training and awareness
- Vendor management
- Risk management
- Business continuity

### Audit Results

All recent audits passed with:
- **Zero critical findings**
- **Zero high-risk findings**
- **Minor observations**: Addressed within SLA

## Compliance Framework

### Data Protection

**Privacy by Design**:
- Data minimization
- Purpose limitation
- Storage limitation
- Accuracy
- Confidentiality

**User Rights**:
- Right to access
- Right to rectification
- Right to erasure
- Right to portability
- Right to object

### Security Measures

**Technical**:
- End-to-end encryption
- Multi-factor authentication
- Intrusion detection
- Security monitoring
- Regular updates

**Organizational**:
- Security policies
- Staff training
- Access reviews
- Incident response
- Vendor assessments

### Business Continuity

**Disaster Recovery**:
- RTO: 4 hours
- RPO: 15 minutes
- Geographic redundancy
- Regular testing
- Documented procedures

**High Availability**:
- 99.99% uptime SLA
- Load balancing
- Auto-scaling
- Failover systems
- 24/7 monitoring

## Verification

### Verify Certifications

**ISO 27001**:
- Certificate Number: ISO-27001-2025-AT-001
- Verify at: [TÜV Austria Certificate Search](https://www.tuv-austria.com/certificates)

**PCI DSS**:
- Attestation of Compliance (AOC) available
- Provided under NDA to enterprise customers

**SOC 2**:
- Report available under NDA
- Request from: compliance@bankpay.plus

### Compliance Documentation

Available on request:
- Security whitepaper
- Compliance matrix
- Data processing agreement
- Subprocessor list
- Incident response plan

## Transparency

### Security Reports

**Annual Security Report**:
- Incident statistics
- Security improvements
- Compliance updates
- Future roadmap

[Download 2025 Report](/reports/security-report-2025.pdf)

### Subprocessors

We maintain a current list of all subprocessors:

| Subprocessor | Service | Location |
|--------------|---------|----------|
| **AWS** | Cloud hosting | EU (Frankfurt) |
| **Google** | Email services | EU |
| **Stripe** | Card processing | IE |
| **SendGrid** | Transactional email | US (SCC) |

[View Full List](/subprocessors)

### Incident Disclosure

**Commitment**:
- Notify within 72 hours of awareness
- Clear, transparent communication
- Remediation steps provided
- Regular updates until resolution

**Past Incidents**:
- No major security incidents in past 24 months
- Minor incidents documented in security report

## Continuous Improvement

### Security Investments

**2025 Investments**:
- €2M in security infrastructure
- 25% of engineering budget
- Dedicated security team (15 FTE)
- External security consultants

**2026 Plans**:
- ISO 27701 (Privacy Information Management)
- SOC 3 Report (Public)
- Enhanced bug bounty program
- AI-powered threat detection

### Training & Awareness

**Staff Requirements**:
- Annual security training
- Role-based training
- Phishing simulations
- Security certification support

**Metrics**:
- 100% training completion
- < 5% phishing click rate
- Regular knowledge assessments

## Customer Assurance

### Enterprise Features

**Enhanced Security**:
- Dedicated infrastructure option
- Custom encryption keys
- Advanced audit logging
- Custom compliance reports

**Support**:
- Dedicated security contact
- Priority incident response
- Regular security reviews
- Custom DPA terms

### SLA Guarantees

**Security SLA**:
- 99.99% uptime
- < 1 hour incident response
- < 4 hour resolution (critical)
- Regular security updates

**Compliance SLA**:
- Maintain all certifications
- Annual audit reports
- Compliance notifications
- Regulatory updates

## FAQ

### How do I verify your certifications?

Contact compliance@bankpay.plus for verification documents. ISO and PCI certificates are publicly verifiable.

### Can I get a copy of your SOC 2 report?

Yes, SOC 2 reports are available under NDA for enterprise customers and prospects.

### How often are you audited?

ISO 27001 and SOC 2 are audited annually. PCI DSS requires annual assessment. Penetration tests are quarterly.

### What happens if you lose a certification?

This would trigger immediate remediation. We maintain continuous compliance monitoring to prevent this.

### Do you share audit results?

Summary results are published in our annual security report. Detailed results are available under NDA.

### How do I report a security concern?

Email security@bankpay.plus or use our bug bounty program at hackerone.com/bankpay.

## Resources

### Documentation

- [Security Whitepaper](/docs/security-whitepaper.pdf)
- [Compliance Overview](/docs/compliance-overview.pdf)
- [Data Processing Agreement](/docs/dpa.pdf)
- [Incident Response Plan](/docs/incident-response.pdf)

### Contact

- **Security**: security@bankpay.plus
- **Compliance**: compliance@bankpay.plus
- **Privacy**: privacy@bankpay.plus
- **DPO**: dpo@bankpay.plus

---

**Last updated**: February 28, 2026

**Certifications valid as of**: January 2026
