Security & Compliance at Tunic Pay

At TunicPay, trust is foundational. We believe your data deserves the highest protection, and we hold ourselves to the strictest standards to ensure it. We are ISO/IEC 27001 certified and SOC 2 Type II compliant, two of the most respected frameworks in information security. Here is how we safeguard your information and continuously improve, what you can expect from us, and how you can help keep your data even safer.

Our Credentials

SOC 2 Type II

We adhere to the AICPA Trust Services Criteria and have undergone a full, independent audit to confirm that our internal controls meet the standards for security, availability, processing integrity, confidentiality, and privacy in our services. Unlike a Type I report, which assesses control design at a single point in time, a Type II audit tests that the controls operated effectively over a sustained review period.

ISO/IEC 27001

We are certified under the internationally recognized ISO/IEC 27001 standard. This demonstrates our commitment to a systematic, risk-based approach to managing information security—protecting not just client data, but our internal operations, intellectual property, employee data, and third-party interactions.


How We Protect Your Data

Here are the core pillars of our security program. These are enforced rigorously and reviewed continuously.

Data Classification & Access

All data, yours and ours, is classified according to sensitivity. Access follows the principle of least privilege: each person and system receives only the permissions needed for their role, on a need-to-know basis.

Encryption

We use strong, industry-standard encryption for data in transit (TLS) and at rest (AES). Data stored in our systems is encrypted, and communications between our services, and between our services and you, are always secured.

Infrastructure & Hosting

We use trusted providers, geo-redundant and secure data centres (including EU locations where required), with strong physical and environmental controls.

Vulnerability Management & Penetration Testing

Regular internal vulnerability scans, patch management, third-party security assessments and penetration tests are integral to our lifecycle.

Monitoring, Logging & Incident Response

We continuously monitor for unusual activity, suspicious behaviour, and threats. Logs are retained according to our retention policy, and we have formal incident response and recovery plans in place.

Vendor & Third-Party Risk

We evaluate and audit all vendors that deliver critical services. Every third party must meet or exceed our security standards.

Employee Security & Awareness

"Tunicians" undergo regular training in security best practices: password hygiene, handling sensitive information, recognizing phishing, etc. Access controls, multi-factor authentication, and periodic reviews are standard.


What We Ask of You

Security is a shared responsibility. To help us protect your data, here are some best practices we recommend:

  • Use strong, unique passwords, and enable multi-factor authentication (MFA) wherever possible.

  • Be cautious of phishing attempts — don’t click on unexpected links or share your login credentials.

  • Keep your software, browsers, and devices up to date.

  • Limit access to your account based on roles; only give permissions that are needed.

  • Contact us immediately if you believe there’s been a security incident or breach involving your data.

Transparency & Continuous Improvement

  • We conduct regular audits and reviews of policies and controls.

  • Our security program is adaptive: we stay up to date with the latest threats, technologies and best practices.

  • We welcome external audits and independent assessments, and we verify that our third-party service providers maintain a strong security posture.
