-
On this page
- Data protection
- Access control
- Infrastructure
- Customer funds
- People & process
- Responsible disclosure
Data protection
All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest — including bank account numbers, identification documents, and card credentials — is encrypted using industry-standard algorithms with keys managed in a hardware-backed key management service.
We minimise the data we hold. If we don't need it to operate the service or meet a regulatory obligation, we don't keep it.
Access control
- Multi-factor authentication is required for every PanPay employee and every administrative system.
- Access to production systems and customer data is granted on a least-privilege, named-individual basis and logged.
- All employee laptops are centrally managed, encrypted, and continuously monitored.
- Access reviews are performed at least quarterly.
Infrastructure
PanPay's services run on top-tier cloud infrastructure with data residency in South Africa where possible. We follow defence-in-depth principles: segmented networks, isolated environments for production and non-production, immutable infrastructure, and continuous vulnerability scanning.
We monitor for security events 24/7 and run regular third-party penetration tests against our applications and infrastructure.
Customer funds
Customer funds are held in segregated accounts at regulated South African banking partners. PanPay does not commingle customer funds with operating funds. All movement of customer money is logged on an immutable internal ledger and reconciled daily against bank records.
People & process
- Background checks for every employee handling production systems or customer data.
- Annual security and POPIA training for all staff.
- A documented incident response plan, tested at least annually.
- Change management with peer review and audit trail for production changes.
Responsible disclosure
If you believe you've found a security issue affecting PanPay, please email hello@usepanpay.org. We commit to:
- Acknowledging your report within two business days.
- Keeping you updated as we investigate and remediate.
- Not taking legal action against good-faith researchers who follow this policy.
Please do not test against live customer accounts, perform denial-of-service testing, or access data that does not belong to you.