Security & Trust

As a payments company, security is a critical part of our product. Learn more about the controls we follow to protect our clients’ sensitive data.

GRC and Due Diligence

The IXOPAY GRC and security programs operate in compliance with a range of well-known standards and regulations, and our compliance reports are available to clients upon request. Additionally, IXOPAY regularly performs due diligence on the security controls we have in place.

Audit Documentation

Certifications and Compliance

Cloud Security Alliance STAR Program

The Cloud Security Alliances Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards.

Companies that use STAR follow best practices and validate the security posture of their cloud offerings.

The STAR registry documents the security and privacy controls provided by popular cloud-computing offerings.

This publicly accessible registry allows cloud customers to assess their security providers to make the best procurement decisions. IXOPAY completes an annual Cloud Controls Matrix self-assessment.

General Data Protection Regulation (GDPR)

IXOPAY is compliant with the General Data Protection Regulation (GDPR), legislation enacted by the European Union (EU) to help fortify data protection for all individuals within the EU. The goal of the regulation is to protect the personal data of all EU citizens by regulating how their data is shared, stored, and managed. It also addresses the export of personal data outside of the EU. Moreover, it is designed to standardize data privacy laws across the EU with the main goal to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.

The IXOPAY platform is used by clients worldwide, including clients in the vast majority of EU nations, to secure and protect both PCI and personal data sets. The IXOPAY tokenization process is a well-recognized and accepted form of pseudonymization, making compliance with the privacy requirements of GDPR more certain, less costly, and much simpler.

HITRUST Compliant

The HITRUST Common Security Framework (CSF) provides organizations with a comprehensive approach to compliance and risk management. The HITRUST CSF combines key regulations and standards into a single overarching framework, including those applicable to PCI, PHI, and PII.

ISO/IEC 27001:2022

ISO 27001:2022 was developed by the International Organization for Standardization (ISO) and is a recognized and respected information security management standard that specifies best practices and comprehensive security controls for technology platforms and systems.

This certification process encompassed the people, policies, processes, and technologies used to ensure a sustained focus on information security. After an independent audit, the designation validates the security of the company’s data protection platform and reaffirms its compliance with policies and procedures beyond the security industry and international data protection standards.

By adding the rigorous ISO 27001:2022 certification to our trust package, Ixopay continues to demonstrate our commitment to protecting clients’ data as a top priority. We continually improve our processes and reaffirm the mission to use our industry-leading platform to support clients in securing sensitive data while enabling their most critical business processes.

Download Compliance Certificate

PCI Certified Level 1 Service Provider

IXOPAY is a PCI Certified Level 1 Service Provider, and the IXOPAY products are designed to help you achieve PCI compliance.

Download Attestation of Compliance (Tokenization Platform)

Download Attestation of Compliance (Payment Orchestration Platform)

SSAE 18 SOC 2 and 3

An assessment of the IXOPAY control environment is performed by independent service auditors on a regular basis. The SOC (Service Organization Controls) 2 and 3 reports examine the controls IXOPAY maintains over its infrastructure, software, networks, people, procedures, and processes. Based on the Trust Services Criteria, the reports confirm:

Security – the system is protected against unauthorized access (both physical and logical).
Availability – the system is available for operation and use as committed or agreed.
Confidentiality – information designated as confidential is protected as committed or agreed.

Download Attestation of Compliance

Visa Global Registry of Service Providers

The Visa Global Registry allows service providers to broadcast their compliance with Visa Inc. rules and industry security standards and to promote their services to potential clients worldwide. Clients and merchants should reference the site regularly as part of their due diligence process. They should only use service providers listed on the Registry to outsource payment-related services.

Registry Entries:

Payment Orchestration Platform

Universal Tokenization Platform

Organizational Security

Data is only as secure as the platform protecting it. That’s why the IXOPAY platform is built for maximum security and reliability.

Security and Controls

Keeping our customers’ data safe is our highest priority, so we exercise rigorous security measures throughout all levels of our organization and our processes. That security starts with our people. Throughout our Human Resources lifecycle, IXOPAY ensures that:

Background checks are carried out on all new employees.
Nondisclosure agreements are in place with employees and critical vendors.
Security awareness training is administered to employees upon hire and regularly throughout the year.

Governance, Risk, and Management

Policies, processes, and procedures are in place throughout the organization to manage risk and to ensure the security and availability of IXOPAY services.

Formal governance structures are in place to oversee the security, compliance, and privacy of the organization.
Management and technical risk assessments are performed to continuously monitor risks to the environment.
IXOPAY has a vendor management program to assess vendors prior to implementation and periodically throughout the year.

Data Encryption

IXOPAY encrypts all customer data in transit and at rest using industry standards and best practices.

Logical Security

Access to the IXOPAY environment requires multifactor authentication, and the use of strict password controls is enforced. Audit logging is enabled to capture logon attempts and activity. Inactive user sessions are automatically timed out. Access is granted on the premise of least privilege. A privileged access management system is in place to provide role-based access and session recordings of all admin activity.

Network Security

IXOPAY has established detailed operating policies, procedures, and processes designed to help manage the overall quality and integrity of our environment. Proactive security procedures, such as perimeter defense and intrusion-detection systems, have been implemented.

Extensive monitoring and logging are in place, and so are processes for detecting, reporting, and responding to any incidents. Clients can access the portal to monitor and manage their IXOPAY vaults, as well as securely communicate with IXOPAY client services.

Vulnerability Management

System security is maintained through the IXOPAY vulnerability management program, which includes anti-malware and patch management. Assets are maintained throughout the lifecycle to ensure the security of all IXOPAY systems.

Vulnerability scans and penetration tests of IXOPAY networks and systems are performed regularly and after significant changes. Any exploitable findings are promptly remediated and retested.

Penetration Testing

IXOPAY contracts with a third-party security firm to perform application, internal network, and external network penetration testing.

Automated vulnerability management toolsets and manual processes are used to identify and verify known vulnerabilities and misconfigurations. Common attack techniques such as those listed in the SANS Top 20 and the OWASP Top 10 are verified. Any findings are reviewed, and a risk profile with impact and likelihood metrics is determined.

Vulnerability Scans

External vulnerability assessments scan all internet-facing assets, including firewalls, routers, and web servers for potential weaknesses that could allow unauthorized access to the network. In addition, authenticated internal vulnerability network and system scans are performed to identify potential weaknesses and inconsistencies with general system security policies.

Application Security and Change Management

IXOPAY has formal change-management and system-development processes that document, test, and approve changes prior to implementation. Particular focus is paid to the OWASP Top 10. The SDLC process includes an in-depth security risk assessment and review. Static source code analysis is performed to help integrate security into the development lifecycle. The development process is further enhanced by application security training for developers and penetration testing of the application.

IXOPAY follows a rigorous change-management process. Prior to implementation, changes are tested in the test environment, documented in our system of record with implementation and rollback plans, and then reviewed and approved. Clients are notified via the portal as well as via email of updates to the platform. Releases that might directly impact client usage of the platform are communicated directly to the affected clients by the IXOPAY Client Success team.

Business Continuity

IXOPAY employs redundancy at every layer possible in our infrastructure, and our platform is designed to accommodate operating failures to ensure availability.

IXOPAY replicates data between geographically diverse locations. Monitoring is in place to detect issues with the replication process. Failover testing is conducted regularly.
IXOPAY has a documented business-continuity and disaster-recovery plan, which is reviewed, updated, and tested regularly.

Physical Security & Environmental Controls

The IXOPAY platform is hosted in fully redundant, high-performance data center facilities across the world. Secure access controls and monitoring, redundant power and connectivity, generators, UPS, and fire suppression are in place at all data centers used by IXOPAY. All access to data centers is highly restricted and regulated.

Partner	Name	Description	Duration
IXOPAY GmbH	cookiesConsent	Cookie Banner. Stores your cookie settings.	12 Months
IXOPAY GmbH	_fm	User centric security cookie to detect authentication abuses. Filters out computer/bot generated Website requests.	30 Minutes
Google Ireland Limited	reCAPTCHA	User centric security cookie to detect if a human being or a computer is making a specific entry in our contact or newsletter form.	6 Months
Cloudflare Inc.	cf_clearance	Used by Cloudflare (Website Security Network) to identify trusted web traffic, and protect our website against malicious activity (see Cloudflare's Cookie Informations).	30 minutes

Partner	Name	Description	Duration
Google Ireland Limited	_ga	Analytical cookie set by the service Google Analytics used to distinguish visitors. Collects data about number of visits and user journey.	2 years
Google Ireland Limited	_gid	Analytical cookie set by the service Google Analytics used to distinguish visitors. Collects data about number of visits and user journey.	24 h
Google Ireland Limited	_gat_ua-keynumber	Analytical cookie set by the service Google Analytics used to throttle the request rate, limiting the collection of data on Websites with high traffic.	Session
Google Ireland Limited	_ga_container-id	Cookie set by the service Google Analytics 4. The cookie is used to persist session state.	12 month
Microsoft Ireland Operations Limited	Clarity	Analytical service capturing your interactions on the Website such as how the page has rendered and what interactions you had on the Website (surfing behavior: mouse movements, clicks, scrolls). Microsoft collects or receives personal data from us to provide Microsoft Advertising (see Microsoft Privacy Statements). Sensitive content such as passwords, usernames, and user input are masked before sending to Microsoft.	12 months
Dealfront Group GmbH	_lfa	Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Leadfeeder only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visit data is aggregated Dealfront Group GmbH / Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Dealfront only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visitor data is aggregated on the company level (no reference to natural persons). Via a connection to Google Analytics, Dealfront shows company visitors' interactions on the Website (pages viewed, visitor source and duration of session). Dealfront also enriches that company data with contact data for individuals from publicly available data sources (eg. LinkedIn).	24 months

Partner	Name	Description	Duration
Google Ireland Limited	_gcl_au	Conversion-cookie set by the service Google Ads for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners.	3 months
Google Ireland Limited	_gac_gb_container-id	Cookie which connects Google Analytics und Google Ads. Google Ads website conversion tags will read this cookie.	90 days
Microsoft Ireland Operations Limited	Universal Event Tracking (UET)	Conversion-cookie set by the service Microsoft Advertising for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners. In general, the cookie in the relevant domain and your IP address are passed to Microsoft with every http request and not just via UET.	13 months