Compliance posture.
What we hold today, what we're pursuing, and what's still on the roadmap. Updated as audits land.
| Standard | Status | Last reviewed | Notes |
|---|---|---|---|
| PCI DSS 4.0 | In progress | Q2 2026 | Card data is tokenised at capture. We are in scope for transaction handling, not card storage. SAQ A-EP target. |
| Jamaica Data Protection Act 2020 | Compliant | Q1 2026 | Registered controller. Controller for merchant data, processor for cardholder data. Data Protection Officer designated. |
| GDPR (EU/UK) | Compliant | Q1 2026 | Compliant by design. Standard Contractual Clauses for EU transfers. DPA available for merchants serving EU customers. |
| SOC 2 Type II | Roadmap | — | Audit target H2 2026. Pre-audit security review with external assessor scheduled. |
| ISO 27001 | Roadmap | — | Long-term. To be initiated after SOC 2 Type II is achieved. |
Documents
Available on request, under NDA.
Enterprise prospects and merchants serving regulated industries can request the underlying audit reports.
PCI Attestation of Compliance
Annual AoC from our QSA. Available once PCI DSS 4.0 audit completes.
Request via email →Penetration test summary
Annual third-party penetration test, executive summary available under NDA.
Request via email →DPA & sub-processor list
Always public. View the standard DPA and current sub-processor list.
Building something compliance-sensitive?
Talk to us early. We'll share what's possible today and what's coming.