Platform Security

Everything you need to know about our security

The CLOWD9 platform holds PCI Data Security Standard v4.0 Service Provider Level 1 certification.

Integration with CLOWD9 requires end-to-end encryption using TLS 1.2 or higher.

API calls are verified against each client's unique secret key, which is generated by CLOWD9.

Card data is encrypted at rest using industry-standard database encryption methods and is only accessible to users with the relevant access privileges via a user interface or API.

Additionally, sensitive card data such as PAN, PIN, and CVV2 can be sent, in plain text or encrypted, only to PCI DSS-compliant clients. Non-PCI-compliant clients will never receive the card data in any format. Support for non-PCI-compliant clients is provided by processes that allow the end customer to retrieve details securely without compromising them in transit.

For connectivity support, CLOWD9 employs firewalls, IP whitelisting, etc., and prefers mTLS connections over VPN tunnels because they are simpler to operate whilst providing the same level of security.

CLOWD9's public internet-facing services perform OAuth2 authentication on every request to authenticate the initiator of the messages.

PCI DSS mandates the encrypted storage and transfer of sensitive data, which CLOWD9 supports via HSM keys. In addition, CLOWD9 encrypts its entire database as well as the complete message as it makes its way through the platform.

Using Golang as the CLOWD9 programming language means there is no need for an operating system or a runtime framework. This means that there are no possible vulnerabilities associated with those elements.

