Security at Payhawk

At Payhawk, we are committed to protecting the confidentiality, integrity, and
availability of our information systems and our customers’ data. We
continuously improve our security controls and analyze their effectiveness so
that you can have confidence in our solution.

Here we provide an overview of some of the security controls in place to
protect your data.

You can reach our security team at
security@payhawk.com

Data Center Physical Security

Facilities

Payhawk uses Amazon Web Services (AWS) for infrastructure and Google Cloud
Platform (GCP) for data center hosting. Both service providers are ISO 27001
certified, validated as PCI DSS Level 1 service providers, and audited under
SOC 1 and SOC 2.
Learn more about Compliance at AWS and Compliance at GCP.
Our cloud service providers employ robust controls to protect the availability
and security of their facilities, including backup power, fire detection and
suppression equipment, and secure device destruction, amongst others.
Learn more about Data Center Controls at AWS and Data Center Controls at Google.

On-Site Security

Our cloud service providers implement layered physical security controls for
on-site security, including vetted security guards, fencing, video monitoring,
intrusion detection technology, and more.
Learn more about AWS Physical Security and GCP Physical Security.

Network Security

In-house Security Team

Payhawk has a dedicated and passionate security and operations team to respond
to security alerts and events. Security is everyone’s job and part of our
culture.

Third-Party Penetration Tests

Third-party penetration tests are conducted against the application and its
supporting infrastructure at least annually. Any findings are tracked through
to remediation. Reports are available on request once an appropriate NDA is in
place.

Threat Detection

Payhawk leverages threat detection services within AWS to continuously monitor
for malicious and unauthorized activity.

Vulnerability Scanning

We perform regular internal vulnerability scans of our infrastructure and
applications. Any issues identified are tracked until they are remediated.

DoS Mitigation

Payhawk layers a number of DDoS protection strategies and tools to mitigate
DDoS threats. We use AWS Shield’s DDoS protection at the CDN edge, together
with native AWS tools and application-specific mitigation techniques.

Access Control

Access is limited, following a least privilege model, to what our staff need to
carry out their jobs. This is subject to frequent internal audits and to
technical enforcement and monitoring to ensure compliance. 2FA is required for
all production systems.

Encryption

In Transit

Communication with Payhawk over public networks is encrypted with TLS 1.2 or
higher. We monitor community testing and research in this area and continue to
adopt best practices for cipher selection and TLS configuration.

At Rest

Payhawk data is encrypted at rest with industry-standard AES-256 encryption.
By default, we encrypt at the asset or object level.
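The following is an added example of what object-level AES-256 encryption looks like in working code; it is not Payhawk’s own implementation, and the per-object key, the stored record layout and the sample receipt are assumptions for illustration. Each object gets its own 256-bit key, is sealed with AES-256-GCM, and has its object ID bound as associated data so a ciphertext cannot be quietly relabelled as a different object.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Sealed is the stored form of one encrypted object (assumed layout, not
// Payhawk's own storage format).
type Sealed struct {
	ObjectID string // used as associated data: authenticated, not encrypted
	Nonce    []byte // 96-bit GCM nonce, fresh for every Seal call
	Data     []byte // ciphertext followed by the 16-byte GCM authentication tag
}

// NewObjectKey returns a fresh random 256-bit key for a single object.
func NewObjectKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes selects AES-256 in aes.NewCipher
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-256-GCM AEAD and rejects any other key size, so a caller
// cannot silently fall back to AES-128 by passing a short key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("object key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one object under its own key. Because each key encrypts only
// this object, a random nonce carries no practical reuse risk; the object ID is
// bound as associated data so the blob cannot be re-labelled as another object.
func Seal(objectID string, key, plaintext []byte) (*Sealed, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Sealed{
		ObjectID: objectID,
		Nonce:    nonce,
		Data:     aead.Seal(nil, nonce, plaintext, []byte(objectID)),
	}, nil
}

// Open decrypts and verifies a stored object. Any change to the ciphertext,
// the tag, the nonce or the object ID makes the authentication check fail.
func Open(s *Sealed, key []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, s.Nonce, s.Data, []byte(s.ObjectID))
}

func main() {
	// Constructed sample object; not real customer data.
	receipt := []byte(`{"merchant":"Example Cafe","amount":"12.40","currency":"EUR"}`)
	key, err := NewObjectKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Seal("expense/0001/receipt.pdf", key, receipt)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes for %s\n", len(sealed.Data), sealed.ObjectID)

	if _, err := Open(sealed, key); err != nil {
		panic(err)
	}
	fmt.Println("decrypt with correct key: ok")

	// Moving the blob to another object ID is caught by the associated-data check.
	moved := *sealed
	moved.ObjectID = "expense/0002/receipt.pdf"
	_, err = Open(&moved, key)
	fmt.Println("decrypt after relabelling object:", err)
}
```

In a real deployment the per-object keys would themselves be wrapped by a key held in a managed key service rather than stored in the clear beside the data; that envelope layer is general practice and is not described on this page.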

Availability & Continuity

Uptime

Payhawk is deployed on public cloud infrastructure. Services are deployed to
multiple availability zones for availability and are configured to scale
dynamically in response to measured and expected load. Simulated load tests
and API response time tests are incorporated into our release and testing
cycle.

Disaster Recovery

In the event of a major regional outage, Payhawk has the ability to deploy our
application to a new hosting region. Our Disaster Recovery plan ensures the
availability of services and ease of recovery in the event of such a disaster.
The plan is regularly tested and reviewed for areas of improvement or
automation.

DR deployment is managed by the same configuration management and release
processes as our production environment, ensuring that all security
configurations and controls are applied appropriately.

Application Security

Quality Assurance

Payhawk’s Quality Assurance process reviews and tests the codebase. The
security team has the resources to investigate security vulnerabilities in
code and to recommend remediation. Regular syncs, training, and security
resources are provided to the QA team.

Environment Segregation

Testing, staging, and production environments are separated from one another.
No customer data is used in any non-production environment.

Security Champions

Payhawk runs a Security Champions program with involvement and contributions
from each of the development teams.

Personnel Security

Security Awareness

Payhawk has a robust Security Awareness Training program, delivered to new
hires within 30 days of joining and annually to all employees. In addition, we
roll out quarterly focused training to key departments on topics including
Secure Coding, Data Legislation, and Compliance obligations.

Information Security Program

Payhawk has a comprehensive set of information security policies covering a
range of topics. These are disseminated to all employees and contractors, and
acknowledgement is tracked for key policies such as the Acceptable Use Policy
and the Information Security Policy.

Access Controls

Access to systems and network devices is based upon a documented, approved
request process. Logical access to platform servers and management systems
requires two-factor authentication. Periodic verification is performed to
determine that the owner of a user ID is still employed and assigned to the
appropriate role. Access is further restricted by system permissions using a
least privilege methodology and all permissions require a documented business
need. Exceptions identified during the verification process are remediated.
Business need revalidation is performed on a quarterly basis to determine that
access is commensurate with the user’s job function. Exceptions identified
during the revalidation process are remediated. User access is revoked upon
termination of employment or change of job role.

Data Privacy

Privacy Policy

Payhawk’s privacy policy, which describes how we handle data input into
Payhawk, can be found at our privacy page.
For privacy questions or concerns, please contact our Data Protection Officer
(DPO) at dpo@payhawk.com

Third-Party Security

Vendor Management

Payhawk understands the risks associated with improper vendor management. All
of our vendors go through a supplier onboarding process and are evaluated prior
to engagement to ensure their security meets a suitable standard. If they do
not meet our requirements, we do not move forward with them. Selected vendors
are then monitored and reassessed on an ongoing basis, taking relevant changes
into account.

Responsible Disclosure

At Payhawk, we consider the security of our systems a top priority, and we
believe that working with a skilled security research community helps improve
our security posture. Our disclosure policy can be found at Payhawk Security
Disclosure.

Domains and third-party notifications

For the purpose of operations, marketing and sales, we may use the following
third-party providers to send you notifications on our behalf: TrustPilot,
MailJet, Amazon SES, SendGrid, Chargebee, Livestorm, SalesLoft.

Additionally, you might receive notifications from any of the following
domains that we own:
payhawk.com, payhawk.io, payhawk.org, payhawk.me, payhawk.systems,
payhawk-group.com, payhawk-mail.com, payhawk-mail.de, payhawk-sales.com,
payhawk-team.co.uk, payhawk-team.com, payhawk-team.de, payhawk-team.es
Communication from other, similar-looking domains should be treated as
phishing and reported to
security@payhawk.com
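As an added example of how a mail gateway or triage script could apply the rule above (this is not Payhawk’s own code), the program below classifies a From: header against the list of owned domains. The sample headers are constructed for illustration; the verdict names and the display-name check are this example’s own choices. The owned-domain test requires an exact match or a dot-delimited subdomain, which is what separates mail.payhawk.com from payhawk.com.evil.example or evil-payhawk.com.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// ownedDomains is the list of Payhawk-owned sending domains from the page above.
var ownedDomains = []string{
	"payhawk.com", "payhawk.io", "payhawk.org", "payhawk.me", "payhawk.systems",
	"payhawk-group.com", "payhawk-mail.com", "payhawk-mail.de", "payhawk-sales.com",
	"payhawk-team.co.uk", "payhawk-team.com", "payhawk-team.de", "payhawk-team.es",
}

// Verdict is the triage result for one From: header (names chosen for this example).
type Verdict int

const (
	Legit     Verdict = iota // address is on an owned domain or a subdomain of one
	Lookalike                // impersonates Payhawk from a domain that is not owned: treat as phishing
	Unrelated                // neither owned nor pretending to be Payhawk
	Malformed                // the header could not be parsed as an address
)

func (v Verdict) String() string {
	return [...]string{"legit", "lookalike", "unrelated", "malformed"}[v]
}

// parseFrom returns the lower-cased display name and domain of a From: header.
func parseFrom(from string) (name, domain string, ok bool) {
	addr, err := mail.ParseAddress(from)
	if err != nil {
		return "", "", false
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 || at == len(addr.Address)-1 {
		return "", "", false
	}
	return strings.ToLower(addr.Name), strings.ToLower(addr.Address[at+1:]), true
}

// isOwned reports whether domain equals an owned domain or is a subdomain of one.
// The check insists on a "." boundary: a plain suffix test would accept
// "evil-payhawk.com", and a substring test would accept "payhawk.com.evil.example".
func isOwned(domain string) bool {
	for _, d := range ownedDomains {
		if domain == d || strings.HasSuffix(domain, "."+d) {
			return true
		}
	}
	return false
}

// Classify applies the page's rule: mail from an owned domain is expected; mail
// that looks like Payhawk (in the domain or the display name) but comes from any
// other domain should be treated as phishing. Internationalised look-alike
// domains arrive as "xn--" punycode and would not contain the literal brand
// string, so this literal check is a floor, not a complete detector.
func Classify(from string) Verdict {
	name, domain, ok := parseFrom(from)
	if !ok {
		return Malformed
	}
	if isOwned(domain) {
		return Legit
	}
	if strings.Contains(domain, "payhawk") || strings.Contains(name, "payhawk") {
		return Lookalike
	}
	return Unrelated
}

func main() {
	// Constructed sample headers; none come from real messages.
	samples := []string{
		"Payhawk <noreply@payhawk.com>",
		"Payhawk Team <hello@mail.payhawk-team.co.uk>",
		"Payhawk Support <support@payhawk-secure.com>",
		"Payhawk <billing@payhawk.com.evil.example>",
		"\"Payhawk Finance\" <finance@example.org>",
		"Newsletter <news@example.org>",
		"not an address",
	}
	for _, s := range samples {
		fmt.Printf("%-48s %s\n", s, Classify(s))
	}
}
```

A From: domain check only tells you what the sender claims; whether the third-party providers listed above were actually authorised to send for that domain is what SPF, DKIM and DMARC verification at the receiving gateway establishes, and the two checks are complementary.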