If you have discovered a security vulnerability, suspect unauthorized access to your account, or need to report a security incident, contact our security team immediately.

security@coverpayme.com

Security reports receive priority handling with initial response within 4 hours.

Data Protection Officer

For questions about how your data is processed, to exercise your data rights (access, deletion, portability), or for GDPR/CCPA-related inquiries, contact our Data Protection Officer.

privacy@coverpayme.com

Data subject requests are processed within 30 days as required by law.

Trust & Compliance

Our commitment to security

CoverPay is built with security and compliance at its foundation. Here is how we protect your data and your customers.

Data Processing

CoverPay acts as a data processor for merchant transaction data. We process data strictly in accordance with our data processing agreements and only as instructed by the merchant (the data controller).

Data Routing

Transaction data is routed to BNPL providers only as needed to process payments. We transmit the minimum data required for each provider's approval decision and share no additional information.

No Data Selling

CoverPay never sells customer data to third parties. We do not monetize user data through advertising, analytics resale, or any other secondary use. Transaction data is used solely for routing and platform improvement.

Encryption

All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. BNPL provider API keys and secrets are additionally encrypted with AES-256 before storage and decrypted only at the moment of use via secure server-side RPC.

Data Retention

Transaction records are retained in accordance with financial regulatory requirements (minimum 7 years for financial records). Non-essential data is purged on a regular schedule. You may request a detailed data retention schedule at any time.

Right to Deletion

Users and merchants can request deletion of their personal data in accordance with GDPR and CCPA. Deletion requests are processed within 30 days. Financial transaction records required by law are retained as anonymized data.

Audit Logging

All API key usage, credential access, team membership changes, and configuration updates are logged with timestamps, actor identification, and IP addresses. Audit logs are retained for a minimum of 2 years and are available upon request.

Geographic Data Residency

All CoverPay data is stored within US-based infrastructure. Our primary database is hosted on Supabase in the us-east-1 region (Virginia). Our web infrastructure runs on Vercel with US-based edge servers. No data is transferred outside the US without explicit consent.

Certifications & Standards

Planned

SOC 2 Type II

Service Organization Control 2 audit covering security, availability, and confidentiality trust service criteria.

Planned

PCI DSS Level 1

Payment Card Industry Data Security Standard. CoverPay does not handle raw card data; BNPL and card transactions are processed through PCI-compliant providers (Stripe, Klarna, etc.).

Active

GDPR Compliant

General Data Protection Regulation. Data subject rights (access, rectification, erasure, portability) fully supported.

Active

CCPA Compliant

California Consumer Privacy Act. California residents can exercise their rights through privacy@coverpayme.com.

For more information, review our legal policies:

Ready to get started?

Try CoverPay for free in sandbox mode. No credit card required.

Get Started Free Explore Docs