At Payt, safety is our top priority. That is why we pay attention to the protection of privacy-sensitive data in a continuous process. For example, we regularly have external penetration tests performed and we implement the resulting recommendations directly in our software. We are also proud of our ISO 27001 certificate: the proof that Payt takes security very seriously and controls the security process well.
ISO 27001 certificate
ISO 27001 is the international standard for Information Security Management System (ISMS). This standard specifies requirements for establishing, implementing, executing, checking, assessing, maintaining and improving an Information Security Management System (ISMS), in this case our own Payt platform.
The audit was carried out by Lloyd’s Register. The Lloyd’s specialists have tested and checked Payt for a list of information security requirements and standards. As a result of these tests, they concluded that Payt’s security policy is in good order.
Despite the great attention paid to the security of our customers’ data, it is possible that burglaries may occur. We are positive about the concept of ethical hacking and appreciate it if - in a responsible manner - a report is made of vulnerabilities in our software.
If you find a weak spot in one of our systems, we would like to hear from you. This enables us to take measures as quickly as possible. We would like to work with you to better protect our customers and our systems.
We kindly ask you:
- to email your findings to firstname.lastname@example.org,
- not to misuse the problem by, for example, downloading more data than is necessary to demonstrate the leak. We also ask you not to view, delete or modify third-party data;
- not to share the problem with others until it has been resolved and to delete all confidential data obtained through the leak immediately after confirming the report;
- not to use attacks on physical security, social engineering, (distributed) denial of service, spam or third-party applications;
- provide sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability is sufficient, but with more complex vulnerabilities we may ask you for more information.
** What we promise: **
- We treat your report with the highest priority and respond to your report within three days. In this response you can expect an assessment of the report and an expected date for a solution from us.
- If you comply with the above conditions, we will not take legal action against you regarding the report.
- We treat your report confidentially and do not share your personal information with third parties without your permission, unless this is necessary to comply with a legal obligation.
- We will keep you informed of the progress in solving the problem.
- In reporting on the reported problem we state, if you wish, your name as the discoverer.
- Depending on the impact of the vulnerability, we provide a financial compensation (bug bounty).
- We strive to resolve all issues as quickly as possible and are happy to be involved in any publication about the issue after it has been resolved.
Headquarters Ubbo Emmiussingel 21
9711 BB Groningen