Josh Petro LLC (“Veyra”) operates a merchant operations platform that processes sensitive merchant and consumer information. This page describes how we approach security, the controls we have in place, and how we coordinate with our processing partners and regulators. It is intended to give merchants, prospective customers, and their auditors a structured view of our program.
Card data and tokenization
Card data is processed within a PCI-certified token vault operated by approved partners and never traverses Veyra application servers in raw form. Card primary account numbers (PANs) are not stored on our infrastructure and are not accessible to our application code. Our integration is structured so that PAN data flows directly between the cardholder's browser or terminal and the processing partner through validated tokenization libraries. Where we hold pointers to payment methods, those pointers are partner-issued tokens, which cannot be reversed to a PAN outside the partner's vault.
Encryption
- In transit: all public traffic is served over TLS 1.2 or higher with modern cipher suites. Internal service-to-service traffic is encrypted within our infrastructure provider's isolated network and uses mutual TLS where supported.
- At rest: application databases, object storage, and backups are encrypted at rest using AES-256 with provider-managed keys. Sensitive fields, including government identifiers collected during merchant verification, are additionally encrypted at the application layer.
- Secrets: credentials and API keys are stored in a managed secrets service with audited access and per-environment scoping. Access tokens follow a least-privilege model and are rotated regularly.
Identity, access, and key management
- Single sign-on with required multi-factor authentication for all internal staff accessing production systems.
- Role-based access control with quarterly access reviews. Production access is granted on a least-privilege basis and is auditable end-to-end.
- Hardware-backed authenticators are required for privileged operations. Personal long-lived credentials are not permitted.
Monitoring and detection
- Centralized application, infrastructure, and audit logs with retention aligned to regulatory and card-network requirements.
- Risk monitoring with documented baselines, velocity controls, and structured case management for suspicious-activity escalation.
- Continuous OFAC, UN, EU, and HMT sanctions screening on principals and entities, with adverse-media monitoring and re-screening cadence.
- Anomaly detection on authentication, API usage, and administrative actions, with paging integration into our on-call rotation.
Vulnerability management
- Automated dependency scanning across application and infrastructure code with policies on patch SLA by severity.
- Static analysis on every pull request, with required code review and CI gating before merge to protected branches.
- Periodic third-party penetration testing of the platform and its public surfaces. Findings are tracked through remediation in our risk register.
- Coordinated disclosure: security researchers may report vulnerabilities to risk@veyragate.com. We acknowledge reports within two business days and work cooperatively with reporters under a good-faith policy.
Resilience and incident response
- Architected for high availability across multiple availability zones, with defined recovery-time and recovery-point objectives by tier.
- Documented incident-response runbooks, on-call rotations, and post-incident review with published learnings to affected customers.
- Backup and restore procedures tested on a recurring schedule. Settlement and ledger reconciliation are validated continuously.
Webhook signing
Veyra signs every outbound webhook with an HMAC over the request body using a per-tenant secret. Verifiers recompute the HMAC over the raw bytes as received (not over a re-serialized copy of the JSON, which may differ by whitespace or key order), compare it to the supplied signature with a constant-time comparison, and reject deliveries whose timestamp falls outside a bounded window; for that window to bound replay, the timestamp must be part of the signed input rather than an unauthenticated header. Implementation references and code samples are published in our developer documentation.
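The following is an added example of the verification described above, not code from Veyra's developer documentation. The header names, the `v1=` signature prefix, the `<timestamp>.<body>` signing input, the 300-second window, and the tenant secret are all assumptions made for this illustration; the actual wire format is defined in the developer documentation.

```python
import hashlib
import hmac
import json
import time

# Assumed header names and signature layout (this example's conventions,
# not Veyra's documented ones).
TIMESTAMP_HEADER = "X-Veyra-Timestamp"
SIGNATURE_HEADER = "X-Veyra-Signature"
TOLERANCE_SECONDS = 300  # assumed acceptance window of +/- 5 minutes

# Constructed per-tenant secrets. A real verifier loads its own tenant's
# secret from a secrets store; it is never embedded in source.
TENANT_SECRETS = {
    "tenant_001": b"constructed-secret-for-tenant-001",
}


def signing_input(timestamp: int, body: bytes) -> bytes:
    """Bind the timestamp into the MAC so a replay cannot simply carry a fresh one."""
    return str(timestamp).encode("ascii") + b"." + body


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the timestamp and the exact body bytes sent."""
    digest = hmac.new(secret, signing_input(timestamp, body), hashlib.sha256).hexdigest()
    return "v1=" + digest


def verify_webhook(tenant_id, headers, raw_body, now=None, tolerance=TOLERANCE_SECONDS):
    """Receiver side. raw_body must be the bytes as received, not re-serialized JSON.

    Returns (ok, reason) so callers can log why a delivery was rejected.
    """
    secret = TENANT_SECRETS.get(tenant_id)
    if secret is None:
        return False, "unknown tenant"
    ts_value = headers.get(TIMESTAMP_HEADER)
    supplied = headers.get(SIGNATURE_HEADER, "")
    if ts_value is None or not supplied.startswith("v1="):
        return False, "missing signature headers"
    try:
        timestamp = int(ts_value)
    except ValueError:
        return False, "malformed timestamp"
    expected = sign_webhook(secret, timestamp, raw_body)
    # Constant-time compare: an early-exit byte comparison would leak how many
    # leading bytes of a forged MAC were correct.
    if not hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8")):
        return False, "signature mismatch"
    # Only trust the timestamp once the MAC covering it has verified.
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > tolerance:
        return False, "timestamp outside window"
    return True, "ok"


def demo():
    """Constructed delivery plus three attack cases; returns the verifier's verdicts."""
    tenant = "tenant_001"
    secret = TENANT_SECRETS[tenant]
    now = 1_700_000_000
    body = json.dumps({"event": "payout.settled", "id": "evt_demo_1"},
                      separators=(",", ":")).encode("utf-8")
    headers = {TIMESTAMP_HEADER: str(now), SIGNATURE_HEADER: sign_webhook(secret, now, body)}

    results = {}
    results["valid"] = verify_webhook(tenant, headers, body, now=now)
    # Body altered in transit: MAC no longer matches.
    tampered = body.replace(b"evt_demo_1", b"evt_demo_2")
    results["tampered_body"] = verify_webhook(tenant, headers, tampered, now=now)
    # Genuine delivery replayed an hour later: MAC is valid, window rejects it.
    results["replayed_late"] = verify_webhook(tenant, headers, body, now=now + 3600)
    # Replay with a freshened timestamp: MAC was bound to the old one, so it fails.
    forged = dict(headers, **{TIMESTAMP_HEADER: str(now + 3600)})
    results["forged_timestamp"] = verify_webhook(tenant, forged, body, now=now + 3600)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:17} -> {verdict}")
```

Two points this makes concrete: the verifier must hash the body bytes it actually received, and the timestamp check only helps because the timestamp is inside the signed input. A window still admits replay of a genuine delivery within the window, so a receiver that must process each event exactly once should also record delivery identifiers and discard duplicates.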
Compliance program
- SOC 2: our control plane is governed by a SOC 2 program currently in progress. Reports will be available under NDA upon completion.
- PCI DSS: the platform's scope is reduced through a PCI-certified token vault operated by approved processing partners; we maintain SAQ-A-equivalent obligations and are aligned to PCI DSS v4.0 requirements applicable to our role.
- NIST CSF 2.0: our internal control framework is structured against the NIST Cybersecurity Framework, with mappings maintained for cross-reference to other standards.
- Customer due diligence: merchant verification aligned with FinCEN guidance and the operating rules of our processing and sponsor-bank partners.
Data residency and processors
Personal information is processed in the United States. Where processors are involved (including identity-verification, sanctions-screening, transaction-monitoring, and cloud-infrastructure providers), we maintain written agreements that include confidentiality, security, and breach-notification obligations consistent with applicable law.
Reporting concerns
Suspected security issues: risk@veyragate.com.
Compliance concerns: risk@veyragate.com.
General support: risk@veyragate.com.