1. Our Commitment to Security
Security is foundational to PayHeld's mission of protecting payments for freelancers and clients. We implement enterprise-grade security measures to safeguard your funds, personal data, and transactions.
This page provides transparency about our security infrastructure, compliance certifications, and data protection practices. Whether you're a freelancer trusting us to hold your earnings or a client entrusting funds for a project, you deserve to know how we protect you.
For security concerns or to report vulnerabilities, contact security@payheld.com. Critical issues receive responses within 24 hours.
2. Payment Security
PayHeld protects every dollar you earn or pay through multi-layered security controls and compliance with payment industry standards.
PCI DSS Compliance
We maintain PCI DSS SAQ A-EP compliance (the appropriate level for platforms outsourcing payment processing to certified providers). This means we adhere to the Payment Card Industry Data Security Standard—the global security standard for handling payment information.
What We Never Store:
• Full credit card numbers (Primary Account Numbers)
• CVV/CVC security codes
• Magnetic stripe data
• PINs
What We Do Store (Safely):
• Last 4 digits of card numbers (for your reference only)
• Card brand (Visa, Mastercard, etc.)
• Payment tokens from Stripe (encrypted identifiers)
• Transaction history and amounts
Stripe Integration Security
All payment processing is handled by Stripe, a PCI DSS Level 1 Service Provider—the highest certification level available. When you enter payment information:
1. Card data goes directly from your browser to Stripe (it never touches our servers)
2. Stripe returns an encrypted token we use for transactions
3. We process payments using these tokens, not actual card data
4. Your financial information remains with Stripe's certified infrastructure
Webhook Security
Payment notifications from Stripe are verified using HMAC-SHA256 cryptographic signatures. This prevents attackers from forging payment confirmations or manipulating transaction data.
Double-Spend Protection
Distributed locks prevent the same funds from being released multiple times. Every payment operation includes an idempotency key, so duplicate requests (from network errors or browser refreshes) don't result in double charges.
Fraud Detection
Our fraud screening system flags suspicious patterns without blocking legitimate transactions:
• High-value transactions from new accounts (>$500 in first week)
• Multiple failed payment attempts from the same IP
• Unusual velocity spikes (10x normal transaction volume)
• Mismatched geographic locations for client and freelancer
Flagged transactions receive manual review within 2 hours during business hours and within 24 hours outside business hours.
3. Data Protection & Encryption
Your personal information and project data are encrypted at rest and in transit using industry-standard cryptography.
Encryption at Rest
All sensitive data stored in our databases is encrypted using AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode). This includes:
• Email addresses
• Phone numbers
• Project descriptions and deliverables
• Messages between clients and freelancers
• Bank account details (tokenized via Stripe)
• Tax identification numbers (when required for 1099-K reporting)
Our encryption keys are stored separately from encrypted data and rotated every 90 days. Master keys are managed through environment variables with restricted access limited to senior engineering staff.
Encryption in Transit
All connections to PayHeld use TLS 1.3 (Transport Layer Security), with TLS 1.2 as a fallback for older browsers. This encrypts all data traveling between your device and our servers, preventing eavesdropping or tampering.
We enforce HTTPS with HSTS (HTTP Strict Transport Security) headers that instruct browsers to always use secure connections, even if you type "http://" in the address bar.
File Security
Uploaded files (project deliverables, invoices, dispute evidence) receive special protection:
1. Virus scanning using ClamAV before storage
2. Encryption at rest in our file storage system
3. Access controls limiting visibility to project participants and admins (for dispute resolution)
4. Secure signed URLs that expire after 1 hour (preventing unauthorized sharing)
Database Security
Our PostgreSQL databases implement:
• Row-level security policies (users can only access their own data)
• Encrypted connections between application servers and database
• Automated daily backups with 30-day retention
• Point-in-time recovery capability (restore to any minute in the last 7 days)
• Geographic redundancy across multiple availability zones
Backup Security
Database backups are encrypted with keys separate from those used for production data. Backups are stored in multiple geographic regions and tested monthly to ensure recoverability.
4. Authentication & Access Control
Account security begins with strong authentication. PayHeld implements multiple layers of protection to prevent unauthorized access.
Password Security
Passwords are never stored in plain text. We use bcrypt hashing with a cost factor of 12, which makes brute-force attacks computationally infeasible. Each password is salted with a unique random value before hashing.
Password Requirements:
• Minimum 12 characters
• Must include uppercase, lowercase, numbers, and special characters
• Cannot match a list of 100+ common passwords (e.g., "Password123!")
• Cannot reuse your last 5 passwords
Breach Detection
Before accepting your password, we check it against the HaveIBeenPwned database of over 600 million compromised passwords. This uses a k-anonymity model where only the first 5 characters of your password's hash are sent—your full password never leaves your device.
Two-Factor Authentication (2FA)
2FA adds a second verification step beyond your password. We support TOTP (Time-based One-Time Passwords), compatible with apps like Google Authenticator, Authy, and 1Password.
When 2FA is enabled:
• You'll enter a 6-digit code from your authenticator app after your password
• 2FA secrets are encrypted with AES-256-GCM before storage
• Backup codes (10 single-use codes) are provided for account recovery
• 2FA is mandatory for admin accounts processing payments over $10,000/month
Session Security
Active login sessions implement security controls based on your account role:
Admin Sessions:
• 15-minute inactivity timeout
• 4-hour absolute timeout (must re-authenticate)
• No "Remember Me" option
• Re-authentication required for sensitive operations
Client/Freelancer Sessions:
• 30-minute inactivity timeout
• 7-day absolute timeout
• Session revoked if password changed
• Session revoked if IP address changes significantly (different country)
Session Fingerprinting
Each session is tied to a cryptographic fingerprint of your device (a hash of IP address and browser User-Agent). If someone steals your session cookie, they cannot use it from a different device without triggering an anomaly alert.
Brute Force Protection
Failed login attempts trigger progressive defenses:
• After 3 failures: CAPTCHA required
• After 5 failures: Account locked for 30 minutes
• After 10 failures from the same IP: IP banned for 2 hours
Timing-safe password validation prevents attackers from using response times to guess passwords character by character.
Access Control
Role-based access control (RBAC) limits what each user can see and do:
• Freelancers: View their projects, earnings, and client messages
• Clients: View their projects, freelancer profiles, and payment history
• Admins: Access to user accounts, disputes, and platform analytics
• Super Admins: System configuration, security settings, financial reconciliation
Every access to sensitive data (payment details, personal information, dispute evidence) is logged with timestamp, user ID, IP address, and action performed. These audit logs are immutable and retained for 7 years.
5. Infrastructure & Network Security
PayHeld's infrastructure is built on security-first principles with defense-in-depth across multiple layers.
Cloud Infrastructure
We deploy on Vercel (application hosting) and AWS (database and file storage), both of which maintain SOC 2 Type II certification and ISO 27001 compliance. Our infrastructure benefits from:
• DDoS protection (distributed denial-of-service attack mitigation)
• Automatic security patches within 24 hours of critical vulnerabilities
• Geographic redundancy (data replicated across multiple regions)
• 99.99% uptime SLA
Network Security
All application servers operate in private networks with no direct internet access. Only designated load balancers and API gateways are internet-facing, and they enforce:
• Web Application Firewall (WAF) rules blocking common attack patterns
• Rate limiting (100 requests/minute per IP for general usage, 5 requests/minute for payment operations)
• IP-based geo-blocking for countries with high fraud rates (when necessary)
• TLS certificate validation (certificates renewed automatically via Let's Encrypt)
Security Headers
Every HTTP response includes comprehensive security headers:
• Content-Security-Policy: Prevents cross-site scripting (XSS) by restricting which scripts can run
• X-Frame-Options: DENY (prevents clickjacking attacks)
• Strict-Transport-Security: Enforces HTTPS for 2 years
• X-Content-Type-Options: nosniff (prevents MIME type confusion attacks)
• Referrer-Policy: Limits information sent to third parties
• Permissions-Policy: Restricts browser features (camera, microphone) to prevent abuse
API Security
Our RESTful API implements multiple security layers:
1. HTTPS enforced (HTTP requests rejected)
2. API authentication via secure session cookies or API keys
3. CSRF tokens required for all state-changing operations
4. Rate limiting with exponential backoff for repeated violations
5. Input validation using Zod schemas (all inputs validated against strict types)
6. Output sanitization (prevents injection of malicious scripts in responses)
SQL Injection Prevention
We use Prisma ORM, which automatically parameterizes all database queries. Raw SQL queries are prohibited except in specific analytics functions, where they undergo manual security review.
Cross-Site Scripting (XSS) Prevention
User-generated content (project descriptions, messages, profiles) is sanitized using DOMPurify before storage and HTML-encoded before display. We maintain a strict Content Security Policy that only allows scripts from trusted sources.
Dependency Security
We scan all third-party libraries for known vulnerabilities using npm audit and Snyk. Critical vulnerabilities are patched within 48 hours; high-severity issues within 7 days.
6. Compliance & Certifications
PayHeld adheres to industry security standards and compliance frameworks to protect your data and maintain trust.
PCI DSS (Payment Card Industry Data Security Standard)
Compliance Level: SAQ A-EP (98% compliant, pending annual third-party penetration test)
Status: Active and maintained
Scope: Payment data handling, cardholder data protection
Audit Frequency: Annual self-assessment, quarterly vulnerability scans
GDPR (General Data Protection Regulation)
Compliance Level: 95% compliant
Applies to: Users in the European Economic Area, UK, and Switzerland
Key Controls:
• Right to access your data (export available in account settings)
• Right to deletion (30-day grace period, then permanent removal)
• Right to data portability (JSON export of all personal data)
• Data minimization (we collect only what's necessary for transactions)
• Privacy by design (encryption by default, access controls on all data)
Note: Financial transaction records are retained for 7 years per tax and audit requirements, even after account deletion.
SOC 2 Type II (Infrastructure)
Our hosting providers (Vercel, AWS) maintain SOC 2 Type II certification, covering:
• Security (access controls, encryption, monitoring)
• Availability (uptime guarantees, redundancy)
• Processing Integrity (error handling, data accuracy)
• Confidentiality (data segregation, privacy controls)
OWASP Top 10 Compliance
We maintain 100% coverage against the OWASP Top 10 2021 security risks:
• A01: Broken Access Control - Role-based permissions, audit logging
• A02: Cryptographic Failures - AES-256 encryption, TLS 1.3
• A03: Injection - Parameterized queries, input validation
• A04: Insecure Design - Threat modeling, security requirements in all features
• A05: Security Misconfiguration - Hardened defaults, security headers
• A06: Vulnerable Components - Automated dependency scanning
• A07: Authentication Failures - 2FA, brute force protection, secure session management
• A08: Data Integrity Failures - Digital signatures, checksum verification
• A09: Logging Failures - Comprehensive audit logs, security event monitoring
• A10: Server-Side Request Forgery - URL validation, whitelist-based external requests
KYC/AML Compliance
To prevent money laundering and comply with FinCEN regulations, we implement:
• Identity verification for accounts processing >$1,000/month
• Enhanced due diligence for accounts processing >$25,000/month
• Sanctions screening against OFAC lists
• Suspicious activity monitoring and reporting
• Beneficial ownership verification for business accounts
Tax Compliance
We issue 1099-K forms to US freelancers earning >$600/year and report to the IRS. Tax identification numbers (SSN/EIN) are encrypted and stored with restricted access.
7. Security Monitoring & Incident Response
PayHeld operates continuous security monitoring with rapid incident response capabilities.
24/7 Security Monitoring
Our security operations include:
• Real-time alerts for failed authentication attempts
• Anomaly detection for unusual payment patterns
• Intrusion detection systems monitoring network traffic
• Automated blocking of known malicious IP addresses
• Daily log analysis for suspicious activities
Incident Response Plan
In the event of a security incident, we follow a documented response process:
Phase 1: Detection & Triage (0-1 hour)
• Security alert triggers automated notification to the on-call engineer
• Initial assessment to determine severity (Critical, High, Medium, Low)
• Critical incidents escalate to the CTO and CEO immediately
Phase 2: Containment (1-4 hours)
• Isolate affected systems to prevent spread
• Preserve forensic evidence
• Block malicious actors
• Activate incident response team
Phase 3: Eradication & Recovery (4-24 hours)
• Identify and remove attack vectors
• Patch vulnerabilities
• Restore services from clean backups if necessary
• Verify system integrity before bringing systems back online
Phase 4: Notification (24-72 hours)
• Notify affected users via email if personal data was compromised
• Comply with breach notification laws (GDPR: 72 hours, CCPA: without unreasonable delay)
• Publish incident summary on status page
• Provide remediation steps for users
Phase 5: Post-Mortem (1 week)
• Document timeline, root cause, and impact
• Implement additional controls to prevent recurrence
• Update incident response playbooks
• Share learnings with the team
Breach Notification Policy
If a security breach affects your account, we will:
• Email you within 24 hours of confirming the breach
• Explain what data was accessed or compromised
• Describe steps we're taking to address the issue
• Provide recommendations for protecting your account
• Offer credit monitoring if financial data was exposed
We maintain a transparent security posture and will publish summaries of significant incidents (after remediation) on our security page.
Vulnerability Disclosure
If you discover a security vulnerability, please report it responsibly:
Email: security@payheld.com
PGP Key: Available at /security.txt
Response Time: <24 hours for critical issues, <72 hours for others
Please do not publicly disclose vulnerabilities until we've had a chance to address them (90-day disclosure window). We appreciate security researchers and will acknowledge your contribution if you wish.
8. Your Security Controls
While we implement comprehensive security measures, your account security also depends on actions you take.
Enable Two-Factor Authentication (2FA)
2FA adds a critical second layer of protection. Even if someone steals your password, they cannot access your account without your authenticator app.
To enable 2FA:
1. Go to Settings > Security
2. Click "Enable Two-Factor Authentication"
3. Scan the QR code with Google Authenticator, Authy, or 1Password
4. Enter the 6-digit code to confirm
5. Save your backup codes in a secure location
Use a Strong, Unique Password
• Never reuse passwords across multiple sites
• Use a password manager (1Password, Bitwarden, LastPass) to generate and store complex passwords
• Avoid passwords based on personal information (birthdays, names, etc.)
• Consider a passphrase: "correct-horse-battery-staple" is stronger than "P@ssw0rd!"
Monitor Your Account Activity
Review your account regularly for suspicious activity:
• Check recent logins in Settings > Security > Active Sessions
• Review payment history for unauthorized transactions
• Verify connected bank accounts and payment methods
• Check email for login notifications from unfamiliar locations
Secure Your Email
Your email is the key to account recovery. If someone gains access to your email, they can reset your PayHeld password. Protect your email with:
• A strong, unique password
• 2FA enabled
• Regular security checkups
Recognize Phishing Attempts
PayHeld will never:
• Ask for your password via email or phone
• Request payment information through email links
• Send unsolicited attachments
• Threaten account closure unless you click a link
Always verify PayHeld communications:
• Check the sender address: official emails come from @payheld.com
• Verify URLs: PayHeld's website is https://payheld.com (check for HTTPS and correct spelling)
• When in doubt, log in directly by typing payheld.com into your browser (don't click email links)
API Security (for Developers)
If you integrate PayHeld's API:
• Store API keys securely (never commit them to git repositories)
• Use separate API keys for development and production
• Rotate API keys every 90 days
• Implement IP whitelisting for production API access
• Verify webhook signatures to prevent request forgery
• Rate limit your API usage to detect account compromise
9. Data Retention & Deletion
We retain your data only as long as necessary for providing services, complying with legal obligations, and resolving disputes.
Active Account Data
While your account is active, we retain:
• Profile information (name, email, bio, skills)
• Project history and deliverables
• Payment transaction records
• Messages and communication history
• Login history and security logs
Account Deletion
When you delete your account:
Immediate Actions:
• Account marked for deletion with a 30-day grace period (allows recovery if accidental)
• Login disabled immediately
• Profile removed from public search and directories
• Active projects canceled with refunds to clients
After 30 Days:
• Personal information permanently deleted (name, email, phone)
• Uploaded files permanently deleted
• Messages anonymized (username replaced with "Deleted User")
Retained Data (Legal Requirements):
• Financial transaction records: 7 years (IRS requirement)
• Dispute evidence: 7 years (legal defense purposes)
• Audit logs: 7 years (PCI DSS requirement)
Data Portability
Before deleting your account, you can export:
• Complete profile information (JSON format)
• Project history and transaction records
• Messages (CSV export)
• Uploaded files (ZIP archive)
To export your data: Settings > Privacy > Export My Data
Third-Party Data Deletion
When you delete your account, we also request deletion of your data from third-party services:
• Stripe: Customer data deleted within 30 days
• Google Analytics: User identifier anonymized immediately
• Email service (SendGrid): Email address removed from all lists
We cannot control third-party backup retention policies, but we delete all data within our control.
10. Security Questions & Contact
We're committed to transparency about our security practices. If you have questions or concerns, we're here to help.
Security Team Contact
Email: security@payheld.com
PGP Key: Available at https://payheld.com/.well-known/security.txt
Response Time: <24 hours for critical issues, <3 business days for general questions
Vulnerability Disclosure
If you discover a security vulnerability:
1. Email security@payheld.com with detailed information
2. Do not publicly disclose until we've had a chance to fix it (90-day window)
3. We'll acknowledge your report within 24 hours
4. We'll provide status updates every 72 hours until resolved
5. With your permission, we'll credit you in our security acknowledgments
We do not currently offer a bug bounty program but plan to launch one in Q1 2026.
Security Inquiries
For questions about:
• Our security practices and certifications
• Data protection and privacy
• Compliance with specific regulations
• Enterprise security requirements
Contact: privacy@payheld.com
Enterprise Security
If you're evaluating PayHeld for your organization and need:
• SOC 2 Type II report
• Security questionnaire completion
• Penetration test results
• Custom data processing agreement
Contact: enterprise@payheld.com
Media & Press
For security-related press inquiries:
Email: press@payheld.com
Legal & Compliance
For legal requests regarding user data:
Email: legal@payheld.com
Mailing Address: PayHeld, Inc., Attn: Legal Department, [Address], Wilmington, DE 19801
We respond to valid legal requests (subpoenas, court orders) according to applicable law. Users are notified of legal requests unless prohibited by law or court order.
Status & Incidents
Check our real-time status page: https://status.payheld.com
Subscribe to incident notifications to receive alerts during outages or security events.
We take security seriously and appreciate your trust in PayHeld. Together, we can build a safer platform for freelancers and clients worldwide.
Security questions or vulnerability reports? Contact us at security@payheld.com