Security

FetcherPay is built with security and compliance as foundational principles. We never store raw card data and maintain strict access controls throughout our infrastructure.

Compliance & Certifications

PCI DSS Level 1

Card data is tokenized and vaulted by our PCI Level 1 certified processors. FetcherPay never stores or transmits raw card numbers.

SOC 2 Type II

Independently audited controls for security, availability, processing integrity, confidentiality, and privacy.

HIPAA Ready

Business Associate Agreements (BAAs) available for healthcare customers. PHI handling meets HIPAA Security Rule requirements.

End-to-End Encryption

TLS 1.3 for all API connections in transit. AES-256 encryption for all sensitive data at rest.

API Authentication

All API requests require a Bearer token in the Authorization header. Use test keys (prefixed fp_test_) for development and live keys (prefixed fp_live_) for production.

Authorization: Bearer fp_live_<your_key>

Never commit API keys to version control or include them in client-side code. Rotate keys immediately if you suspect a compromise, and contact security@fetcherpay.com.

Idempotency

Prevent duplicate charges by including an Idempotency-Key header on all payment creation requests. Keys are valid for 24 hours.

Idempotency-Key: <unique-uuid-per-request>
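A client-side helper that applies the authentication and idempotency rules above (an added example, not FetcherPay's SDK or documented code; the FETCHERPAY_API_KEY variable name, the alphanumeric key body after the prefix, and the `send` transport callable are assumptions):

```python
import os
import re
import uuid
from typing import Callable

# Prefixes fp_test_/fp_live_ are documented above; an alphanumeric key body is an assumption.
_KEY_RE = re.compile(r"^fp_(test|live)_[A-Za-z0-9]+$")

def validate_api_key(key: str, environment: str) -> str:
    """Reject malformed keys and test/live mismatches (a live key in a dev run, or vice versa)."""
    m = _KEY_RE.match(key)
    if not m:
        raise ValueError("malformed FetcherPay API key")
    mode = m.group(1)
    expected = "live" if environment == "production" else "test"
    if mode != expected:
        raise ValueError(f"{mode} key used in {environment} environment")
    return key

def load_api_key(environment: str, env_var: str = "FETCHERPAY_API_KEY") -> str:
    """Read the key from the process environment so it never sits in source control or client code."""
    key = os.environ.get(env_var)  # env_var name is an assumption, not a documented FetcherPay setting
    if not key:
        raise RuntimeError(f"{env_var} is not set")
    return validate_api_key(key, environment)

def payment_headers(api_key: str, idempotency_key: str) -> dict:
    """The two headers the page requires on a payment creation request."""
    return {"Authorization": f"Bearer {api_key}", "Idempotency-Key": idempotency_key}

def create_payment(send: Callable[[dict], dict], api_key: str, attempts: int = 3) -> tuple[str, dict]:
    """Retry with ONE Idempotency-Key so a timeout after the charge went through cannot double-charge.
    `send` is a hypothetical transport: it takes the headers and returns the response or raises."""
    idem = str(uuid.uuid4())  # generated once per logical payment and reused on every retry
    last_exc = None
    for _ in range(attempts):
        try:
            return idem, send(payment_headers(api_key, idem))
        except ConnectionError as exc:
            last_exc = exc
    raise RuntimeError(f"payment failed after {attempts} attempts") from last_exc

def scan_for_keys(text: str) -> list[str]:
    """Pre-commit style check: report key-shaped strings in a diff, redacted so the report is safe to log."""
    return [k[:8] + "..." + k[-4:] for k in re.findall(r"fp_(?:test|live)_[A-Za-z0-9]+", text)]
```

Because the key is generated once outside the retry loop, every attempt of one logical payment carries the same Idempotency-Key, which is what lets the server collapse retries into a single charge.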

IP Allowlisting

Production API access can be restricted to specific IP addresses or CIDR ranges. This adds a network-level defense even if API keys are compromised. Contact support@fetcherpay.com to configure IP allowlists for your account.

Audit Logging

Every API request, webhook delivery, and dashboard action is logged with:

  • Timestamp (millisecond precision, UTC)
  • Source IP address and user agent
  • Request fingerprint and idempotency key
  • Actor identity (API key or dashboard user)

Logs are retained for 7 years per financial regulations and are available via the dashboard or API for your own compliance audits.

Vulnerability Disclosure

Responsible Disclosure Program

If you discover a security vulnerability in FetcherPay's systems, please report it responsibly. We commit to acknowledging reports within 48 hours and resolving critical issues within 7 days.

security@fetcherpay.com