Every transaction on Paylogic is protected by TLS 1.3 in transit, AES-256-GCM encryption at rest, real-time fraud monitoring, and a compliance framework built to meet or exceed RBI, PCI DSS, and ISO requirements, so your money and data stay protected.
Certified & Audited By
Paylogic undergoes rigorous annual audits by independent third-party assessors. Every certification is maintained, renewed, and monitored continuously.
The highest compliance level of the Payment Card Industry Data Security Standard. Our Level 1 compliance is validated annually by a Qualified Security Assessor (QSA), who issues the Report on Compliance covering every cardholder data environment, the network segmentation that isolates it, and the transaction pipelines that carry card data.
ISO/IEC 27001, the international standard for Information Security Management Systems. Our certified ISMS covers risk assessment, access control, cryptography, physical security, incident management, and business continuity across our entire organisation and infrastructure.
We have initiated the formal RBI Payment Aggregator licence application under the Master Directions on PA/PG (2020). KYC norms, data localisation, tokenisation, and prohibited category enforcement are already in place while the licence process progresses.
Service Organization Control 2 Type II report covering Security, Availability, and Confidentiality trust service criteria. Our auditors review controls over a 12-month observation period — not just a point-in-time snapshot.
Aligned with India's Digital Personal Data Protection Act 2023 and applicable GDPR requirements. Data minimisation, purpose limitation, consent management, and data subject rights are embedded into our platform by design.
We engage CERT-In empanelled security firms for comprehensive penetration testing twice a year — covering application layer, API, network, and social engineering vectors. All critical findings are resolved within 72 hours of discovery.
From the moment a user initiates a transaction to the moment it is written to our database, sensitive data is encrypted at every hop: TLS 1.3 on the wire and AES-256-GCM at rest.
All client connections use TLS 1.3 exclusively; TLS 1.2 and the legacy protocols (TLS 1.0, 1.1, SSL) are permanently disabled. Certificate pinning is enforced in our mobile SDKs.
All sensitive data at rest, including PANs, account numbers, and KYC documents, is encrypted with AES-256-GCM. Encryption keys are generated and held in FIPS 140-2 Level 3 validated Hardware Security Modules (HSMs) and are never exported to application software.
All card numbers and sensitive payment credentials are tokenised immediately on receipt. The original PAN is never stored in our application layer, only a random token that has no mathematical relationship to the PAN and can be mapped back to it solely within the HSM-protected token vault, so the token is useless to anyone outside that boundary.
A multi-layer Web Application Firewall (WAF) with OWASP Top 10 rulesets, geo-filtering, and real-time DDoS mitigation, capable of absorbing volumetric attacks of 1 Tbps and more at the edge.
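A minimal token vault showing how the at-rest encryption and the tokenisation described above fit together, as an added example rather than Paylogic's own implementation. The application layer receives only a random token and the last four digits; the PAN is encrypted with AES-256-GCM, with the token bound as associated data so a ciphertext cannot be re-attached to a different token, and it can only be recovered through the vault's detokenise path. The in-memory AES key is an assumption standing in for an HSM-resident key, and the PAN used is the standard test number.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Vault is the only component that ever sees a PAN. In production the key
// would be HSM-resident and never leave the module; here it is an in-memory
// key so the example runs offline (assumption for the example).
type Vault struct {
	aead    cipher.AEAD
	mu      sync.Mutex
	records map[string]encRecord // token -> encrypted PAN
}

type encRecord struct {
	nonce, ciphertext []byte
}

// MerchantRecord is all the application layer stores: no PAN, only the opaque
// token and the truncated digits PCI DSS allows to be displayed.
type MerchantRecord struct {
	Token string
	Last4 string
}

func NewVault() (*Vault, error) {
	key := make([]byte, 32) // 256-bit key for AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, records: map[string]encRecord{}}, nil
}

// luhnValid rejects malformed card numbers before anything is stored.
func luhnValid(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Tokenise encrypts the PAN and returns a fresh random token. The token is
// 16 random bytes with no relation to the PAN, so the records table without
// the key reveals nothing about the card numbers it protects.
func (v *Vault) Tokenise(pan string) (MerchantRecord, error) {
	if !luhnValid(pan) {
		return MerchantRecord{}, errors.New("invalid PAN")
	}
	tok := make([]byte, 16)
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(tok); err != nil {
		return MerchantRecord{}, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return MerchantRecord{}, err
	}
	token := hex.EncodeToString(tok)
	// The token is the GCM associated data: moving this ciphertext under
	// another token fails authentication on decrypt.
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(token))
	v.mu.Lock()
	v.records[token] = encRecord{nonce: nonce, ciphertext: ct}
	v.mu.Unlock()
	return MerchantRecord{Token: token, Last4: pan[len(pan)-4:]}, nil
}

// Detokenise is the single path back to the PAN and is meant to be callable
// only inside the vault boundary (for example when forwarding to the network).
func (v *Vault) Detokenise(token string) (string, error) {
	v.mu.Lock()
	rec, ok := v.records[token]
	v.mu.Unlock()
	if !ok {
		return "", errors.New("unknown token")
	}
	pt, err := v.aead.Open(nil, rec.nonce, rec.ciphertext, []byte(token))
	if err != nil {
		return "", err // tampered ciphertext, wrong token binding, or wrong key
	}
	return string(pt), nil
}

func main() {
	v, _ := NewVault()
	rec, _ := v.Tokenise("4111111111111111") // constructed test PAN
	fmt.Printf("application stores: token=%s last4=%s\n", rec.Token, rec.Last4)
	pan, _ := v.Detokenise(rec.Token)
	fmt.Println("vault returns:", pan)
}
```

Random 96-bit GCM nonces are fine for a demonstration; at production card volumes a vault would either rotate keys well before the nonce-collision bound or use a counter-based nonce managed inside the HSM.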
A multi-layered security architecture that detects, prevents, and responds to threats before they can impact your business or your customers.
Machine learning models analyse 200+ transaction signals in real time to detect anomalies, velocity attacks, and suspicious patterns, scoring each transaction in under 50 ms.
Our Security Operations Centre operates around the clock. Alerts are triaged and responded to in minutes — not hours. Mean Time to Respond (MTTR) is under 12 minutes.
Role-Based Access Control with Zero Trust principles — every internal service call is authenticated and authorised. No implicit trust, even within our own network perimeter.
Network-level IDS/IPS with behavioural baselining. Anomalous traffic patterns, privilege escalation attempts, and lateral movement are automatically contained.
All API keys, database credentials, and certificates are managed in a centralised HashiCorp Vault. Dynamic, short-lived secrets are scoped to a single consumer and expire automatically, so a leaked credential is both narrowly usable and quickly worthless.
Multi-Factor Authentication is mandatory for all Merchant dashboard access, all internal employee logins, and all privileged infrastructure access — no exceptions.
Real-time IP reputation scoring, geographic velocity checks, and proxy/VPN detection help prevent account takeovers and fraudulent API calls from compromised endpoints.
Every action on the Platform generates an immutable, append-only audit trail stored in WORM (Write Once Read Many) storage, enabling forensic investigation, regulatory reporting, and compliance audits.
Paylogic is designed from the ground up to comply with the regulations governing fintech operations in India, and we track regulatory change as it happens.
Our Anti-Money Laundering programme is designed to meet the full requirements of the Prevention of Money Laundering Act, 2002 (PMLA), FATF recommendations, and the Financial Intelligence Unit – India (FIU-IND) reporting obligations.
Every merchant undergoes risk-tiered KYC during onboarding. Transactions are monitored continuously against watch lists, behavioural baselines, and suspicious activity thresholds.
Paylogic's data architecture is built on Privacy by Design principles, ensuring full alignment with India's Digital Personal Data Protection Act, 2023 (DPDP) and applicable GDPR provisions for cross-border data flows.
We operate as a Data Fiduciary under DPDP and maintain detailed records of processing activities, Data Principal consent, and fulfilment of Data Principal rights.
As a participant in India's payment ecosystem, Paylogic adheres to all NPCI operational guidelines, UPI circular requirements, and the scheme rules of the Visa, Mastercard, and RuPay networks.
Our UPI integration is built on the latest NPCI API specification with daily reconciliation, dispute management, and settlement reporting built into our core systems.
Paylogic is registered with the Indian Computer Emergency Response Team (CERT-In) and fully compliant with the CERT-In Directions (April 2022) under Section 70B of the IT Act, including mandatory incident reporting within 6 hours, log retention for 180 days, and synchronisation of system clocks with the NIC/NPL NTP servers.
Our pen tests are conducted by CERT-In empanelled security firms and our incident response team is trained to the CERT-In response playbook.
Our multi-region active-active infrastructure ensures near-zero downtime. We publish real-time status and uptime data transparently.
Traffic is distributed across multiple availability zones and regions. A failure in one zone or region fails over transparently in under 30 seconds with no data loss.
Blue-green and canary deployment pipelines allow us to roll out updates and patches with no service interruptions during business hours.
Recovery Point Objective under 1 minute and Recovery Time Objective under 5 minutes — backed by continuous database replication and automated failover.
Status page updated within 5 minutes of any incident. Merchants are notified via email and webhook within 10 minutes. Post-incident RCAs published within 48 hours.
If we fall below our 99.9% monthly SLA commitment, Merchants are automatically eligible for service credits — no need to file a claim.
All payment data, KYC records, and transaction logs are stored exclusively within Indian data centres, fully compliant with RBI data localisation requirements and the DPDP Act.
Every piece of sensitive payment data, including transaction records, KYC documents, bank details, and cardholder data, is stored exclusively in Tier III+ data centres located within India.
Our primary and disaster recovery data centres hold Tier III+ Uptime Institute certification — providing 99.982% availability with N+1 redundancy for all critical infrastructure components.
Data is synchronously replicated to a geographically separate DR site in real time. In the event of a primary site failure, automated failover occurs with zero data loss and minimal service disruption.
Bug Bounty & Vulnerability Reports
We value and reward the security community. If you've discovered a potential security issue in Paylogic's systems, please report it responsibly and we'll work with you to fix it.
Our responsible disclosure process is designed to be transparent, respectful, and rewarding for genuine researchers. We do not pursue legal action against researchers who follow this process in good faith.
Document the vulnerability clearly: include steps to reproduce, the affected scope, and the potential impact. Do not exploit the issue or access data beyond what is needed to demonstrate it.
Email your report to security@paylogic.in, encrypted with our PGP public key. Include a proof of concept, the affected endpoints, and your contact details for follow-up.
Our security team acknowledges every report within 24 hours and issues a unique tracking reference. We keep you updated as the issue is triaged and investigated.
Critical vulnerabilities are patched within 72 hours. Once the fix is deployed, we pay a bounty based on the CVSS severity rating, from ₹5,000 for Low to ₹2,00,000+ for Critical findings.
With your permission, we credit you in our Security Hall of Fame and publish a summary disclosure after the vulnerability is patched, giving you the recognition you deserve.
Join 10,000+ businesses who trust Paylogic to secure every payment, every payout, and every piece of their financial data.