Card numbers never reach Fyneri's servers; they go straight to Stripe through Stripe Elements. That single architectural choice keeps cardholder data out of our environment, which limits our PCI-DSS obligations to the SAQ A self-assessment rather than a full assessment, and dramatically reduces what an attacker could ever steal from us. The rest of this page is what we do for everything else.
Customers enter card details into iframes served directly by Stripe (js.stripe.com). The data goes to Stripe's PCI-DSS Level 1 environment without crossing our servers. We receive only Stripe's tokenized PaymentMethod reference.
PCI-DSS forbids storing the CVV after authorization. We never see it, and Stripe does not retain it: it is sent once for the authorization and then discarded.
ACH bank details are collected through Stripe Financial Connections (Plaid under the hood) and stored at Stripe.
Fyneri does not hold customer funds at any point. Stripe pays you directly to your bank account on your configured payout schedule.
HTTPS-only across all subdomains. HSTS with includeSubDomains and preload. SSL Labs A+ target on all public endpoints.
All databases and object storage encrypted at rest using AWS-managed keys (KMS). Backup snapshots inherit the same key policy.
API keys, signing secrets, and database credentials live in AWS Secrets Manager with automated rotation. No secret in source control. Pre-commit hooks scan for leaks.
Every outbound webhook is signed with a per-merchant secret. Replay protection via timestamp tolerance. Constant-time signature verification in all our SDKs.
Every Fyneri staff member authenticates via Google Workspace SSO with a hardware security key (FIDO2 / YubiKey). Production access is role-based, just-in-time, and audit-logged.
Dashboard users can (and soon must, on Scale and Enterprise) enable TOTP-based MFA or WebAuthn passkeys. Recovery codes are generated and shown once.
Restricted API keys with resource-level permissions. Per-environment keys (test / live). Rotation is one click; revocation is immediate.
Every API call, every dashboard action, every employee touch on production data is logged with actor, IP, and timestamp. Logs immutable, retained 1 year minimum.
Mandatory peer review on every PR. SAST and dependency-vulnerability scanning on every commit. Secret-leak prevention in pre-commit hooks. Production deploys are gated on a green build.
Annual third-party penetration test scheduled to begin within 90 days of general availability. Findings are published in our security report to enterprise customers under NDA.
WAF, anomaly detection on API traffic, alerts on suspicious dashboard activity. PagerDuty rotation for high-severity events.
If a security incident affects merchant data, we notify affected customers without undue delay, and within 72 hours where GDPR's breach-notification deadline applies. Post-mortems are written for every Sev-1.
We welcome and encourage responsible security research. If you've discovered a vulnerability in Fyneri, please report it to security@fyneri.com with as much detail as possible: affected endpoint, reproduction steps, impact, and your suggested fix if you have one.
What we ask:
What we'll do:
security@fyneri.com
PGP key available on request.
For non-security issues, please use contact.html.