Core security features
Encryption
- HTTPS/TLS 1.2+ - All traffic encrypted
- Database encryption - Sensitive data encrypted at rest
- API key hashing - Keys hashed, not plaintext
- Password hashing - Argon2id with salt
Data protection
- No card storage - Tokenized payments only
- PCI compliance - Built-in, not retrofit
- Secrets management - Environment variables only
- Input validation - SQL injection prevention
Authentication
- Strong password requirements - Minimum 12 characters
- Two-factor authentication (2FA) - TOTP (Google Authenticator)
- Session timeouts - Auto-logout after inactivity
- Account lockout - After failed login attempts
Authorization
- Role-based access control (RBAC) - Granular permissions
- Least privilege - Default deny, explicit allow
- Audit logging - All actions logged
- Permission enforcement - Server-side validation
PCI-DSS compliance
OwnPay is PCI-DSS compliant by design:- Card data never stored
- Payment gateway handles encryption
- HTTPS only
- Regular security audits
Key requirements
GDPR compliance
Data protection principles
- Purpose limitation - Only store data for stated purpose
- Data minimization - Collect only necessary data
- Accuracy - Keep data current
- Storage limitation - Delete when no longer needed
- Integrity and confidentiality - Secure and encrypted
User rights
- Access - Download personal data
- Rectification - Correct inaccurate data
- Erasure - Delete account and data
- Restrict processing - Limit how data is used
- Data portability - Export in machine-readable format
Data security best practices
Server security
Application security
- Keep OwnPay updated
- Run security patches immediately
- Monitor for vulnerabilities
- Use secure passwords for database/admin
API security
- Rotate API keys quarterly
- Use separate keys per application
- Monitor API usage
- Revoke unused keys
- Never commit keys to git
Webhook security
- Verify webhook signatures
- Use HTTPS only
- Validate webhook source
- Implement rate limiting
- Log all webhook activity
Authentication and authorization
Strong passwords
Requirements:- Minimum 12 characters
- Mix of uppercase and lowercase
- At least one number
- At least one special character (!@#$%^&*)
Two-factor authentication (2FA)
- Go to Account > Security
- Click Enable Two-Factor
- Scan QR code with authenticator app
- Enter 6-digit code to verify
- Save backup codes in secure location
Session management
- Timeout: 30 minutes of inactivity
- Maximum session: 24 hours
- Device tracking: Active sessions shown
- Logout all: Revoke all sessions
API key security
Creation:- Go to Developers > API Keys
- Click Create Key
- Copy key (shown once only)
- Save in password manager
- Create new key
- Update all applications
- Test in production
- Delete old key
Audit and compliance reporting
Audit logs
Go to Reports > Audit Log to view all activity:- Login/logout
- Permission changes
- Data modifications
- Configuration changes
- API usage
- Payment processing
Monthly security checks
- Review audit logs for suspicious activity
- Check failed login attempts
- Verify all users active
- Check for unusual API usage
- Review webhook failures
Quarterly security checks
- Rotate API keys
- Update access list
- Review user permissions
- Update security policy
- Run vulnerability scan
Incident response
Security incident
Immediate actions:- Isolate affected system
- Stop data exfiltration
- Preserve evidence/logs
- Do not alter compromised files
- Contact OwnPay security team
Report security issues
Email: [email protected] Include:- Description of vulnerability
- Steps to reproduce
- Impact assessment
- Your contact information
- Do not publish publicly
- Give OwnPay 90 days to fix
- Do not access others’ data
- Test only on test accounts
Hardening guide
Minimum security (small deployments)
- HTTPS enabled
- Strong admin password
- Keep software updated
- Regular backups
- Monitor logs
Standard security (typical deployments)
- Everything above, plus:
- 2FA for all admins
- Regular security scans
- Encrypted backups
- Daily backup verification
- Audit log review weekly
High security (regulated industries)
- Everything above, plus:
- Hardware security key
- Intrusion detection system (IDS)
- Web application firewall (WAF)
- Real-time log monitoring
- Annual penetration testing
- Dedicated security engineer
PCI-level security
- Everything above, plus:
- Quarterly vulnerability scans
- Annual penetration testing
- Network segmentation
- Intrusion prevention (IPS)
- SIEM (Security Information and Event Management)
- 24/7 security monitoring
- Incident response team
Common vulnerabilities
SQL injection
How OwnPay prevents: Parameterized queries everywhere, input validation, escaping special characters.Cross-site scripting (XSS)
How OwnPay prevents: HTML escaping on output, Content-Security-Policy header, input sanitization.CSRF (Cross-Site Request Forgery)
How OwnPay prevents: CSRF tokens on all forms, SameSite cookie attribute, origin verification.Man-in-the-Middle (MITM)
How OwnPay prevents: HTTPS/TLS 1.2+, webhook signature verification, API key authentication.Security monitoring
Real-time monitoring
Go to Settings > Security and enable monitoring. Configure alerts for:- Multiple failed logins
- Unusual IP access
- API key usage patterns
- Large data exports
- Permission changes