- PCI DSS Level 1
- Vault, switch and tokenisation are PCI DSS Level 1 service-provider components; sub-merchants inherit the posture across every acceptance channel.
- ISO-aligned controls
- Information-security controls aligned with ISO 27001 control families; agency-side InfoSec questionnaires answered with reference to the platform's control catalogue.
- Audit-grade event log
- Per-authorisation log preserved for audit, SOC / ISAE attestation evidence, and freedom-of-information request fulfilment.
- Bank-rail mandate posture
- SEPA Direct Debit and ACH mandates captured and retained per scheme rules; mandate IDs travel with each recurring tariff.
- Data residency & DPA
- Standard data-processing agreement plus jurisdictional addenda; data-residency commitments per the connected provider's hosting region where applicable.
- Public-sector scope
- Public-sector-adjacent merchants supported across EU, UK, APAC and LATAM. US federal procurement, sovereign Treasury rails and HIPAA-covered clinical workflows are NOT in scope; specialised providers are the right fit for those.