Payhawk Trust Portal
Everything you need to know about information security and compliance of our platform, company, and services.
Compliance certifications and reports
Payhawk's information security program is certified by some of the most stringent boards in the world. Feel free to download any of our certifications or executive summaries below.
The Electronic Money Institution (EMI) license is a financial license that enables companies to issue electronic money. Applicants undergo a rigorous review process, including a security review, before a license is issued. Payhawk is EMI licensed in the European Economic Area and, via the FCA, in the United Kingdom.
The membership grants Payhawk the ability to directly issue Visa cards without relying on third parties and provides Payhawk with greater control of its payment infrastructure.
Our PCI DSS certification ensures the highest level of security for your payment card information. We follow industry best practices, providing a secure environment for processing, transmitting, and storing sensitive data.
Our SOC 1 report is designed to address internal controls over financial reporting and is focused on both business processes and information technology objectives and testing.
Our SOC 2 certification signifies that we've implemented rigorous controls to ensure the security, availability, processing integrity, confidentiality, and privacy of customer data as defined by the AICPA.
To ensure our systems are safe and reliable, we perform internal and external penetration tests at least annually. Here you may find the executive report from our last external pentest.
We handle personal data with utmost care, transparency, and respect for individual privacy rights. We prioritize data protection, secure storage, and responsible data usage in accordance with GDPR guidelines.
We are one of the early adopters of the Digital Operational Resilience Act (DORA), ensuring we have comprehensive information and communication technology risk management, incident reporting, resilience testing, and threat-intelligence sharing.
Payhawk is listed in the CSA Security Trust Assurance and Risk (STAR) registry, reflecting our commitment to cloud security and transparency. This certification highlights our adherence to best practices for protecting customer data and managing risk in the cloud.
Payhawk’s software has been independently audited in accordance with the German auditing standard IDW PS 880.
This certification confirms that our systems support proper accounting practices and comply with rigorous requirements for data integrity, traceability, and secure document management in line with generally accepted accounting principles (GoB).
All your questions about security & compliance at Payhawk
We have compiled a list of commonly asked information security and privacy questions to help you understand our security posture.
If you still don't find the answers you are looking for, we're here to help!
General questions
All data stored at Payhawk is encrypted at rest and in transit with a maximum of TLS v1.2
Yes, including the requirement for multi-factor authentication (MFA).
Yes, we do. Read more about our SSO and SAML features here - https://payhawk.com/integration/sso-and-saml
Payhawk documentation is public at help.payhawk.com
Information about disruptions and failures will be sent via email; system status can be checked at status.payhawk.com
Information security
We have an education platform on which all new and current employees complete training. It covers various aspects of information security and best practices. We also run regular internal phishing campaigns to raise awareness and have a dedicated communication channel for all employees to discuss any infosec-related topics.
We have a policy which outlines the steps to be taken in the event of a security incident. The steps vary depending on the severity of the incident.
We ensure physical security through access control, CCTV surveillance, a robust disaster recovery policy, and regular reviews of our security measures. All customer and cardholder data is secured in the cloud, encrypted in transit and at rest and is subject to strict security measures.
We deploy firewalls to establish a strong defence perimeter. We enforce strict access controls and robust authentication mechanisms to ensure that only authorised individuals can access our network resources. This includes the use of strong passwords, multi-factor authentication (MFA), and secure VPN connections for remote access. We employ strong encryption protocols to protect data in transit and at rest. We employ advanced monitoring tools to continuously monitor network traffic, log events, and detect any abnormal activities. We conduct regular security audits and penetration testing exercises to identify vulnerabilities and potential entry points for attacks.
We enforce strong authentication requirements on all systems. Access is provided on a need-to-know basis, with enforced strong password policies and multi-factor authentication. We monitor all of our internal access regularly and perform reviews of all permissions and justifications. We've defined access control policies for different systems, including those that handle cardholder data.
Security and Data Protection Compliance
Our VP of Information Security and Data Protection Officer (DPO)
None
SOC 1 & 2, PCI DSS, ISO 27001, CSA
Yes
Quarterly internal audits
Yes - PCI DSS yearly audit
Security Awareness and Training
Ongoing training/awareness and communication.
Yes - we have an external education platform dedicated to security training.
Security Policies and Guidelines, Online Learning Platform, Internal Communications, Security Awareness Campaigns, Incident Reporting Channels, Collaboration and Discussion Platforms.
Physical security
RFID card access, CCTV, and Access control policy requirements.
Our internal network equipment is all in dedicated server rooms that require elevated access for entry, a logging system for all entries into the server room, and CCTV surveilling both the interior and exterior of the server room.
Network Security
We utilise network monitoring tools to analyse network traffic, detect anomalies, and identify potential security threats. We deploy IDPS solutions that actively monitor our network for signs of unauthorized access or malicious activities. We conduct regular vulnerability assessments and penetration testing to identify weaknesses in our network infrastructure and applications. These are complemented by access control, authentication, and encryption.
All customer and cardholder data is stored in the cloud, and we ensure that appropriate encryption mechanisms are employed to protect the data at rest and in transit. Additionally, robust access controls are implemented within the cloud environment, ensuring that only authorised individuals or services have access to the sensitive data. Internally, we use VLANs to logically separate our network into different segments, together with firewall rules that prevent access from unauthorised endpoints and access control policies.
Yes, including the requirement for multi-factor authentication (MFA).
Payhawk uses an official mobile application; there are no security-endangering programs or plugins.
Data Protection and Privacy
German customer data is stored in Frankfurt, Germany. All other customer data is stored in Brussels, Belgium.
No
Yes, all sensitive data is encrypted in transit and at rest using AES 256 encryption.
Yes - we have several processes and policies to ensure compliance, including but not limited to:
- Privacy Policies and Notices
- Data Inventory and Classification
- Security and Access Controls
- Vendor Management
- Employee Training and Awareness
- Compliance Monitoring and Auditing.
Yes, everyone at Payhawk is obligated to comply with EU data protection standards, coming from Regulation (EU) 2016/679, Directive (EU) 2002/58, etc.
Yes
We have implemented a data protection and information security training software platform, which includes different modules and exams. The program is mandatory for every employee during their onboarding at Payhawk. Once onboarded, employees periodically (once every 3 months) receive new modules relevant to their function (Sales, Compliance, Development, etc.).
Yes, each new functionality, service, and processing activity goes through initial assessment and discussion with our DPO to ensure that privacy by design and default is implemented at the very start of the project.
Where we have identified processing that poses a high risk to the rights and freedoms of our users, we have carried out a DPIA to assess and mitigate the risks of the processing.
Yes, we have in place both an Incident Response Policy (for non-personal data) and a Data Breach Policy (for personal data), which both govern the process of detection, management and communication of security breaches.
Yes, this process is governed by our Data Subject Rights Procedure. Contact person for the execution of data subject rights under the GDPR is our DPO at dpo@payhawk.com
Yes, we have in place Records of Processing Activities (ROPA) both in our capacity as controller (Art. 30, par. 1) and as processor (Art. 30, par. 2). Both ROPAs are reviewed and updated at least once every quarter.
Yes, for each transfer of personal data outside the EEA, we have identified an applicable transfer mechanism (incl. the new EU SCCs) and carried out a transfer impact assessment (TIA), within the meaning of Recommendations 01/2020 of the EDPB on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. Personal data at Payhawk is processed in the EEA, UK, and USA.
Yes, our suppliers with access to personal data are subject to appropriate due diligence and execution of a DPA.
Access Management
Access to sensitive data is strictly controlled and limited only to employees with a clear business justification. We have a centralised distribution policy where only certain roles within our IT department can grant or revoke access rights to systems and sensitive data. Our policies stipulate that an access assessment is conducted every quarter in conjunction with our Information Security and Compliance departments. This ensures that only the right individuals have access according to their job descriptions and that there is no misuse, privilege escalation, or abnormal access to sensitive data.
Yes, we have an access review policy and carry out access review audits to ensure access is properly managed.
Access is granted on a need-to-know basis. All employee access is reviewed regularly by the security team and audited. Access is only granted once a ticket has been raised and manager approval has been granted for the specific department.
Incident Detection and Monitoring
Payhawk has a dedicated information security team that monitors our environment 24/7.
Yes, we utilize Security information and event management (SIEM) to analyse logs from multiple systems for anomalies, potential intrusions and other security events.
We follow the internal incident response process and use direct communication channels internally and externally to ensure a timely response. We regularly perform internal security game day exercises to ensure the adequacy of our process.
System Resilience
Yes, we have backups of all critical system configs and data.
Yes, we use cloud capabilities for high availability and redundancy. We utilize comprehensive monitoring and scalability to meet demand and ensure availability.
As Payhawk uses cloud services, backup is performed regularly using the cloud-native database backup services for quick restoration.
Business Continuity Planning
Yes, we have a comprehensive policy, which is reviewed quarterly by the Information Security Officer and the Compliance Function.
Typically within the last six months; reach out to us for further details.
Shared responsibility between the Compliance, Information Security, and Legal teams.
Security awareness training as part of onboarding, regular (monthly) security training, and a quarterly business continuity test, including tabletop exercises or functional tests on non-production environments.
Security Incident Reporting and Escalation
Yes - we have an incident response policy based on NIST 800-62 which includes all guidance and provisions for the reporting/response of incidents.
For minor security incidents, a summary report can be sent to all Incident Response Team Members after the investigation and/or mitigation is complete. For major security incidents, all Incident Response Team Members should be notified immediately. In the case of a major security incident, a summary report for the incident must be presented to management as soon as possible.
- Minor
  - Denial of Service attacks that do not have a significant impact on the performance of the critical systems.
  - Unsuccessful intrusion attempts (port scans, web crawlers, CSS/XSS exploit attempts, etc.)
  - Other reported or discovered issues that do not have any significant impact on the infrastructure or do not pose a major security threat.
- Major
  - Denial of Service attacks that significantly impact the performance of the infrastructure.
  - Successful unauthorised logins.
  - Reported and verified data breach.
  - Disclosure of personal or confidential information.
  - Evidence of data or hardware tampering.
  - Other reported or discovered issues that may or do have a significant impact on the infrastructure or pose a major security threat.
Externally we would use status.payhawk.com and email notifications, while internally we use collaborative instant messaging and ticketing systems to track the events.
Hosting
Public Cloud - Amazon Web Services (AWS) and Google Cloud Platform (GCP)
Frankfurt & Belgium - All EU and US customer data is stored in Belgium. For all German customers, data is stored in Frankfurt. Payhawk infrastructure supports changing the data storage region on demand.
Cloud Security
We have a comprehensive vendor review process that includes sign-off from DPO and VP Infosec. We keep a register of all vendors, including critical vendors, which we review regularly.
Networks are segregated and isolated. Within our premises, each endpoint is isolated, and no ingress traffic is allowed. Within the cloud, where our application is hosted, networks are segregated using the zero-trust model. We implement strong encryption in transit, IDS, and IPS.
- We prepare and maintain an Incident Response Plan with all related procedures to make sure that Payhawk and its wholly-owned subsidiaries have provisions to respond immediately to a system breach, with defined processes as follows:
  - Creation of the Incident Response Plan to be implemented in the event of a system breach.
  - Testing of the plan at least annually.
  - Designating specific personnel to be available on a 24/7 basis to respond to alerts:
    - 24/7 incident monitoring
    - 24/7 incident response
  - Providing appropriate training to staff with security breach response responsibilities.
  - Including alerts from security monitoring systems, including but not limited to intrusion detection, intrusion prevention, firewalls, and file integrity monitoring systems.
  - Developing a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.
- Report a security event or incident - something that needs immediate attention.
- Report a security risk or weakness - something that needs a fix with a long-term solution.