Security

Built for financial operations.

PortPagos handles real money for real businesses. Every layer of the platform — from the database to the settlement network — is designed with that in mind.

Infrastructure

  • Hosted on Supabase (SOC 2 Type II certified infrastructure)
  • All data encrypted at rest using AES-256
  • All data in transit protected by TLS 1.3
  • Database access restricted to service-role credentials; no direct public exposure
  • Automatic backups with point-in-time recovery

Authentication

  • Wallet-based authentication via Privy — no passwords stored
  • Server-side session validation on every authenticated request
  • Row-level security (RLS) enforced at the database layer — users can only access their own data
  • All sensitive keys stored as environment variables, never in source code
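What the row-level security item means in practice, as an added Postgres example (illustrative code, not the PortPagos schema: the `payment_links` table and the `app.caller_wallet` setting are assumptions). One caveat a reviewer would raise: an RLS policy only binds roles without the BYPASSRLS attribute. Superusers and Supabase's service_role bypass it, so the policy protects a query only when it runs as a non-bypass role after the server has set the verified caller's identity for that transaction.

```sql
-- Added example, not the PortPagos schema. Assumes the application has already
-- verified the caller (e.g. via the Privy session) and passes the caller's
-- wallet address into each transaction with set_config(). Table, column and
-- setting names are made up for illustration.
create table if not exists payment_links (
  id            bigint generated always as identity primary key,
  owner_wallet  text   not null,   -- store in one canonical form (e.g. lowercase hex)
  amount_minor  bigint not null,   -- smallest unit: 6 decimals for USDC
  memo          text
);

alter table payment_links enable row level security;
-- FORCE makes the policy apply to the table owner as well. Superusers and
-- roles with BYPASSRLS (Supabase's service_role) are still exempt: the
-- application must run these queries as a role that is not.
alter table payment_links force row level security;

-- A row is visible (USING) and may be written (WITH CHECK) only when
-- owner_wallet equals the identity set for this transaction. When nothing is
-- set, current_setting(..., true) yields NULL or '', neither of which compares
-- equal to any address, so a transaction with no identity sees nothing.
create policy payment_links_owner_only on payment_links
  for all
  using      (owner_wallet = nullif(current_setting('app.caller_wallet', true), ''))
  with check (owner_wallet = nullif(current_setting('app.caller_wallet', true), ''));

-- Caller A creates a link. is_local = true scopes the setting to this transaction only.
begin;
select set_config('app.caller_wallet', '0xaaaa', true);
insert into payment_links (owner_wallet, amount_minor, memo)
values ('0xaaaa', 2500000, 'invoice 1');
commit;

-- Caller B sees only rows owned by 0xbbbb and cannot create a row owned by A.
begin;
select set_config('app.caller_wallet', '0xbbbb', true);
insert into payment_links (owner_wallet, amount_minor, memo)
values ('0xbbbb', 1000000, 'invoice 2');
select count(*) from payment_links;           -- counts only 0xbbbb's rows
-- insert into payment_links (owner_wallet, amount_minor)
-- values ('0xaaaa', 1);   -- rejected: "new row violates row-level security policy"
commit;

-- Outside any transaction that set an identity, the table appears empty rather than open.
select count(*) from payment_links;
```

Addresses should be normalised (for example lowercased) both when stored and when set, since the comparison is a plain text equality and Ethereum addresses are often rendered with mixed-case checksums.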

Financial integrity

  • Immutable ledger — entries cannot be updated or deleted, enforced at the database level by triggers
  • Idempotency keys on all ledger writes prevent double-crediting from duplicate webhooks
  • Materialised balance table maintained atomically by database triggers in the same transaction as each ledger insert — no balance is ever recomputed by scanning entries at read time
  • HMAC-SHA256 signature verification on all inbound webhooks (Alchemy, Bridge)
  • Unique index on transaction hash prevents replay attacks — the same on-chain transaction can never be credited twice, even if a webhook is resent under a new event ID
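The ledger guarantees above, as an added Postgres example (illustrative code, not the PortPagos schema; table names, column names and the sample event and transaction IDs are made up). It shows an append-only ledger enforced by triggers, a balance row kept in step inside the same transaction as each insert, idempotent inserts keyed on the webhook event ID, and a unique transaction hash that rejects a replayed transaction even when it arrives under a fresh event ID.

```sql
-- Added example, not the PortPagos schema. Names and sample IDs are made up.
create table ledger_entries (
  id              bigint generated always as identity primary key,
  account_id      text   not null,
  amount_minor    bigint not null,          -- signed; smallest unit (USDC has 6 decimals)
  idempotency_key text   not null unique,   -- provider event ID; a redelivered webhook carries the same key
  tx_hash         text   unique,            -- on-chain hash; NULL for fiat legs (UNIQUE allows many NULLs)
  created_at      timestamptz not null default now()
);

create table balances (
  account_id    text   primary key,
  balance_minor bigint not null default 0
);

-- 1. Append-only: UPDATE, DELETE and TRUNCATE are rejected inside the database,
--    so neither an application bug nor a leaked application credential can rewrite history.
create or replace function ledger_reject_mutation() returns trigger
language plpgsql as $$
begin
  raise exception 'ledger_entries is append-only; % is not allowed', tg_op
    using errcode = 'integrity_constraint_violation';
end $$;

create trigger ledger_no_update_delete
  before update or delete on ledger_entries
  for each row execute function ledger_reject_mutation();

create trigger ledger_no_truncate
  before truncate on ledger_entries
  for each statement execute function ledger_reject_mutation();

-- 2. Materialised balance: the UPSERT runs in the same transaction as the insert and
--    takes a row lock on the account's balance row, so concurrent credits to one
--    account serialise instead of racing.
create or replace function ledger_apply_to_balance() returns trigger
language plpgsql as $$
begin
  insert into balances (account_id, balance_minor)
  values (new.account_id, new.amount_minor)
  on conflict (account_id)
  do update set balance_minor = balances.balance_minor + excluded.balance_minor;
  return new;
end $$;

create trigger ledger_apply_balance
  after insert on ledger_entries
  for each row execute function ledger_apply_to_balance();

-- 3. Idempotent credit: 1 USDC for event evt_0001, then the same webhook redelivered.
--    The duplicate hits the arbiter index and does nothing; the balance trigger fires
--    only for rows actually inserted, so the account is credited once.
insert into ledger_entries (account_id, amount_minor, idempotency_key, tx_hash)
values ('acct_demo', 1000000, 'evt_0001', '0xdeadbeef')
on conflict (idempotency_key) do nothing;

insert into ledger_entries (account_id, amount_minor, idempotency_key, tx_hash)
values ('acct_demo', 1000000, 'evt_0001', '0xdeadbeef')
on conflict (idempotency_key) do nothing;   -- redelivery: no row inserted, no balance change

-- 4. Replay under a fresh event ID: the new idempotency key passes the arbiter, but the
--    unique index on tx_hash still refuses a second credit for the same transaction.
do $$
begin
  insert into ledger_entries (account_id, amount_minor, idempotency_key, tx_hash)
  values ('acct_demo', 1000000, 'evt_0002', '0xdeadbeef')
  on conflict (idempotency_key) do nothing;
  raise exception 'replay was accepted';
exception when unique_violation then
  raise notice 'replay of 0xdeadbeef rejected: %', sqlerrm;
end $$;

-- 5. Mutation attempt: rejected by the trigger, not by application code.
do $$
begin
  update ledger_entries set amount_minor = 0 where idempotency_key = 'evt_0001';
  raise exception 'update was accepted';
exception when integrity_constraint_violation then
  raise notice 'update rejected: %', sqlerrm;
end $$;

-- The account has been credited exactly once across the three delivery attempts.
select balance_minor from balances where account_id = 'acct_demo';
```

Triggers only hold the line if the application's database role cannot remove them: a table owner or superuser can drop a trigger, so the role the service connects with should be a plain user with INSERT and SELECT on `ledger_entries`, not the owner of the schema.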

Funds & custody

  • PortPagos never custodies customer funds
  • Fiat funds held by Bridge, a licensed money services business
  • USDC held in self-custodied wallets on Base mainnet — cryptographically controlled by the account holder
  • USDC issued by Circle, backed 1:1 by USD reserves independently attested monthly
  • On-chain settlement is final and verifiable on a public blockchain

Compliance

  • KYB (Know Your Business) verification required for all merchant accounts
  • KYC verification performed for individual users
  • AML screening on all transactions via Bridge's compliance infrastructure
  • Sanctions screening against OFAC, EU, and UN lists
  • Transaction records retained for 5 years in compliance with AML regulations

Responsible disclosure

  • We take security reports seriously and respond within 48 hours
  • Please disclose vulnerabilities responsibly to guillermo@portpagos.com
  • Do not access or modify data belonging to other users during testing
  • We do not pursue legal action against good-faith security researchers

At a glance

  • SOC 2: infrastructure certified via Supabase
  • Licensed financial partners: Bridge + Circle
  • GDPR: data protection compliant, EU data residency

Security questions or vulnerability reports? guillermo@portpagos.com