Security & Compliance

Last updated: November 9, 2025

Cardexis is built by payments engineers with a security-first mindset. This page explains the controls we operate today and our compliance posture. We don’t claim PCI-DSS, ISO 27001 or Visa certifications at this time; we follow the standards’ good practices and can operate cloud (Switzerland) or on-premises deployments to fit your policies.

Core Controls

Encryption

  • In transit via TLS 1.2+ with modern ciphers.
  • At rest with disk/database-level encryption.
  • Secrets in environment stores; rotated on change.

Access Control

  • Least-privilege RBAC on app & infra.
  • MFA required for admin accounts.
  • Tenant isolation at data and auth layers.

DevSecOps

  • Code reviews, CI/CD with checks and artifact signing.
  • Dependency & image vulnerability scanning.
  • Secrets hygiene and linting in pipelines.

Logging & Monitoring

  • App/infrastructure logs with retention policies.
  • Audit trails for privileged actions.
  • Basic alerting on errors and anomalies.

Hosting & Data Residency

Default SaaS hosting is in Switzerland (Infomaniak). For customers with stricter residency or security constraints, Cardexis can be deployed on-premises in your data center or cloud account.

  • Network isolation and restricted inbound access.
  • Backups with encrypted storage and periodic restore tests.
  • Environment separation (dev/test/prod).

Product Security Practices

Application

  • Input validation and output encoding (OWASP).
  • CSRF protection on state-changing endpoints.
  • Secure headers (HSTS, X-Content-Type-Options, etc.).

Data Handling

  • Customer data stays customer-owned.
  • Import of settlement files & invoices as provided.
  • Controlled retention & deletion on request.

Backups & DR

  • Regular encrypted backups with integrity checks.
  • Documented recovery runbook and RTO/RPO targets.
  • Periodic restore exercises.

Vulnerability Management

  • Advisory tracking and scheduled patch windows.
  • Severity-based remediation SLAs.
  • Customer-reported issues triaged promptly.

Compliance Posture

  • PCI-DSS: not certified. We apply card-industry best practices and can support customer PCI scopes in on-prem deployments.
  • ISO 27001: not certified. Controls aligned where practical (access control, change management, logging, backup, vendor management).
  • Privacy: data processed per contract and our Privacy Policy. Swiss/EU hosting by default; other regions possible on request.

Testing & Responsible Disclosure

We periodically perform internal security reviews and use automated scanners. Formal third-party penetration testing can be arranged for enterprise customers.

If you believe you’ve found a security issue, please contact contact@moneysab.com with details and steps to reproduce. Do not publicly disclose before we assess and remediate.

Shared Responsibility

  • Moneysab: application, platform hardening, patches, monitoring, backups.
  • Customer: user provisioning, access reviews, secure file delivery, data classification, and meeting internal policies (especially for on-prem deployments).

Questions about security or on-prem requirements? Contact us at contact@moneysab.com.