Security at every layer
Your data is encrypted with AES-256 at rest and TLS 1.2+ in transit, hosted in secure data centers in Ashburn, Virginia, and protected by Cloudflare's global edge network. We comply with GDPR and CCPA, and we never sell your data.
Certified compliant.
PCI DSS
Level 1 Compliant
GDPR
EU Data Protection
DPF
Data Privacy Framework

Encryption everywhere
TLS 1.2+ enforced on all endpoints in transit. AES-256 encryption at rest for all stored data. API keys and tokens are cryptographically hashed — never stored in plaintext.

Privacy by design
We never sell or lease your data. Information is shared only with sub-processors required to deliver our services, protected by data processing agreements and Standard Contractual Clauses.

Access controls
Role-based access controls with multi-factor authentication on all infrastructure. Vault stores sensitive documents like KYC, bank credentials, and license keys in isolated encrypted storage.

Secure infrastructure
Hosted in SOC 2 and ISO 27001 certified data centers in Ashburn, Virginia. Deployed on AWS and Akamai with Cloudflare edge protection for DDoS mitigation and WAF filtering.

Breach response
Documented incident response procedures with 72-hour breach notification as required by GDPR. Automated monitoring and alerting across all systems for real-time threat detection.

Compliance
PCI-compliant payment processing through Stripe, Adyen, and Checkout.com. Full compliance with GDPR, CCPA, and OFAC sanctions. Identity verification via Sumsub before payouts.
How we protect your data
Our security practices are designed to exceed industry standards and protect merchant data at every stage.
Encryption at Rest & Transit
TLS 1.2+ enforced on all public and private endpoints. AES-256 encryption for all data at rest. API keys and bearer tokens are cryptographically hashed — never stored in plaintext.
Vault Storage
Sensitive data including KYC/AML documents, bank credentials, and license keys are stored in Vault — our isolated encrypted document system with strict role-based access policies and audit logging.
Sub-processor Governance
All sub-processors — AWS, Cloudflare, Akamai, Stripe, Adyen, Checkout.com, Sumsub, and others — are bound by data processing agreements with strict security and confidentiality requirements.
Access Controls & MFA
Role-based access controls across all infrastructure. Multi-factor authentication required for all privileged access. Automated backups ensure data availability and disaster recovery.
Breach Notification
Documented incident response with 72-hour breach notification as required by GDPR. Notifications include the nature of the breach, data categories affected, consequences, and remediation measures.
Data Subject Rights
Full support for GDPR and CCPA rights — access, correction, deletion, export, restriction, and objection to processing. Contact privacy@pandabase.io to exercise your rights at any time.
Tier 1 Cloud Infrastructure
All data is hosted in secure data centers in Ashburn, Virginia on SOC 2 and ISO 27001 certified infrastructure. International data transfers are protected by Standard Contractual Clauses and EU adequacy decisions.

Edge Protection
All traffic is routed through Cloudflare's global edge network for DDoS mitigation and Web Application Firewall protection, keeping your storefronts online and secure.
Security FAQ
Common questions about our security practices. Can't find what you're looking for? Contact our security team.
Vulnerability Disclosure Program
We believe security is a shared responsibility. Our vulnerability disclosure program awards security researchers up to $5,000 USD for responsibly reporting qualifying vulnerabilities, assessed using the CVSS scoring framework.
Discover
Find a vulnerability
Report
Send details to our team
Get rewarded
Up to $5,000 USD
