Security overview
Security here is not a checklist page — verifying automated buyers is the product. This is how we run it.
Last updated: 2 July 2026
Architecture posture
- No funds, no card data. The most effective control is absence: there is no money and no PAN to steal from NeuralPay.
- Cryptographic agent verification. Operator-signed requests are validated against published keys, with freshness checks to reject replayed requests. Failed verifications are logged and visible to you.
- Blast-radius thinking. Merchant API keys are scoped per store; webhook payloads are HMAC-signed; secrets are stored in a managed KMS, never in code.
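As an added illustration of the signed-request and signed-webhook controls above (example code written for this page, not NeuralPay's own), here is a receiver-side verifier that combines an HMAC check, a freshness window and a replay cache; the header names, the "<timestamp>.<body>" signing string and the 300-second window are assumptions, not a documented NeuralPay format.

```python
import hmac
import hashlib
import time
from typing import Dict, Optional, Tuple

# Assumed wire format (constructed for this example): the sender puts a Unix
# timestamp in X-Webhook-Timestamp and hex(HMAC-SHA256(secret, "<ts>.<body>"))
# in X-Webhook-Signature.
TOLERANCE_SECONDS = 300  # assumed freshness window


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Signature the sender is assumed to attach to a delivery."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class WebhookVerifier:
    def __init__(self, secret: bytes, tolerance: int = TOLERANCE_SECONDS):
        self.secret = secret
        self.tolerance = tolerance
        self._seen: Dict[str, int] = {}  # signature -> timestamp, for replay detection

    def verify(self, headers: Dict[str, str], body: bytes,
               now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        ts_raw = headers.get("X-Webhook-Timestamp", "")
        provided = headers.get("X-Webhook-Signature", "")
        if not ts_raw.isdigit():
            return False, "missing or malformed timestamp"
        ts = int(ts_raw)
        # Freshness: anything outside the window is rejected before any crypto work.
        if abs(now - ts) > self.tolerance:
            return False, "stale timestamp"
        expected = sign(self.secret, ts, body)
        # Constant-time comparison so a forger learns nothing from response timing.
        if not hmac.compare_digest(expected, provided):
            return False, "bad signature"
        # Replay: a valid signature inside the window is accepted exactly once.
        if provided in self._seen:
            return False, "replayed delivery"
        self._seen[provided] = ts
        # Drop entries older than the window so the cache stays bounded.
        self._seen = {s: t for s, t in self._seen.items()
                      if abs(now - t) <= self.tolerance}
        return True, "ok"
```

Every rejection reason is returned as a string so the caller can log it, which is what makes failed verifications visible rather than silently dropped.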
Operational controls
- TLS 1.2+ everywhere in transit; AES-256 at rest.
- Production access: role-based, least-privilege, hardware-key MFA, logged.
- Dependency and image scanning in CI; infrastructure as code with review.
- Backups with tested restores; EU-region hosting.
Certifications
We're early-stage and won't pretend otherwise: formal certifications (ISO 27001 / SOC 2) are planned on the road to general availability. Until then our control documentation is available under NDA — the controls exist; the certificates are in progress.
Responsible disclosure
Found a vulnerability? Report it to contact@neural-pay.com and you'll get a human response within 48 hours, a fix timeline, and credit if you want it. Good-faith research within the obvious boundaries (no data exfiltration, no service disruption) will never be met with legal threats.