Security and privacy are top priorities for MoonPay. Our security policies and measures are reviewed regularly to keep them up to date and compliant with industry standards.
All data sent to or from MoonPay's infrastructure is encrypted in transit using Transport Layer Security (TLS) version 1.2 or later. A strict HTTP Strict Transport Security (HSTS) policy protects browsers against HTTPS-to-HTTP downgrade (SSL stripping) attacks by forcing them to connect only over TLS. MoonPay's SSL Labs report is publicly available.
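What "strict" means for an HSTS policy is a checkable property of the header itself: a valid `max-age`, long enough to outlive any gap between visits, plus `includeSubDomains` and `preload` so that neither subdomains nor the very first visit can be stripped to plain HTTP. The following is an added example, not MoonPay's code or a transcript of its real headers: a small parser for the `Strict-Transport-Security` header (RFC 6797 syntax) and a checker that applies those criteria to constructed sample headers. The one-year threshold is an assumption taken from the browser preload-list requirements, not a value stated on this page.

```python
"""Parse a Strict-Transport-Security header and evaluate it against a
baseline that protects against HTTPS-to-HTTP downgrade (SSL stripping).

Added example; not MoonPay's code. Sample headers below are constructed.
"""

# Assumed threshold: the browser preload list requires max-age >= 1 year.
ONE_YEAR_SECONDS = 31_536_000


def parse_hsts(header: str) -> dict:
    """Split an HSTS header into a {directive_name: value} dict.

    Per RFC 6797 directive names are case-insensitive, value-less
    directives (includeSubDomains, preload) map to "", and a directive
    appearing twice makes the header invalid.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name in directives:
            raise ValueError(f"duplicate HSTS directive: {name}")
        directives[name] = value
    return directives


def check_hsts(header):
    """Return (ok, findings) for a header value; None means header absent."""
    findings = []
    if header is None:
        return False, ["no Strict-Transport-Security header: every plain-HTTP "
                       "request can be intercepted and kept on HTTP"]
    try:
        directives = parse_hsts(header)
    except ValueError as exc:
        return False, [str(exc)]

    if "max-age" not in directives:
        findings.append("max-age missing: browsers ignore the whole header")
    else:
        try:
            max_age = int(directives["max-age"])
        except ValueError:
            findings.append("max-age is not an integer: header is invalid")
        else:
            if max_age == 0:
                findings.append("max-age=0 removes the host from the browser's HSTS cache")
            elif max_age < ONE_YEAR_SECONDS:
                findings.append(f"max-age={max_age} is below one year "
                                f"({ONE_YEAR_SECONDS}); policy expires between visits")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing: subdomains can still be "
                        "reached over plain HTTP and can set cookies for the parent")
    if "preload" not in directives:
        findings.append("preload missing: the first visit is unprotected unless "
                        "the domain is already in the browser preload list")
    return (not findings), findings


# Constructed sample headers (not captured from any real host).
SAMPLE_HEADERS = {
    "strict":   "max-age=63072000; includeSubDomains; preload",
    "short":    "max-age=300",
    "disabled": "max-age=0; includeSubDomains",
    "absent":   None,
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        ok, findings = check_hsts(value)
        print(f"{label:9s} {'OK' if ok else 'WEAK'}")
        for finding in findings:
            print("   -", finding)
```

To check a live host, feed `check_hsts` the value printed by `curl -sI https://example.com | grep -i strict-transport-security` (and keep in mind that the header only counts when served on the HTTPS response; HSTS headers on plain-HTTP responses are ignored by browsers). The TLS version floor is a separate property of the server configuration, which is what the SSL Labs report verifies.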
All MoonPay data is encrypted at rest using AES-256 block-level storage encryption and stored in ISO 27001 and PCI DSS compliant datacenters.
Business Continuity and Disaster Recovery
MoonPay backs up its critical assets and regularly restores those backups to exercise the recovery process, so that recovery after a disaster is safe and fast. Backups are encrypted using AES with 256-bit keys and stored in ISO 27001 and PCI DSS compliant datacenters.
MoonPay has processes and tooling that enable us to continuously deliver secure software to our cloud infrastructure and applications. Code changes are deployed to our production environment multiple times a day.
All code changes go through a code review process and require at least one approval from an engineer other than the author.
MoonPay's security team works hand in hand with the engineering teams, providing assistance during each stage of the software development lifecycle (SDLC).
MoonPay engineers take part in regular security training covering common vulnerabilities and secure development practices.
MoonPay's continuous integration (CI) pipeline automatically performs static application security testing (SAST) on code changes to detect insecure code patterns.
MoonPay has tooling in place to automatically detect and update vulnerable and outdated dependencies.
MoonPay uses error tracking solutions in the front and back ends of its applications to detect potential attacks and vulnerabilities.
Security Monitoring and Protection
We use security monitoring solutions to gain visibility into the organization's security posture, identify attacks and respond quickly to security incidents.
We use error monitoring, alerting and anomaly detection technologies in all our production systems.
We collect logs and retain them for at least one year, providing an audit trail of our systems' activity.
MoonPay employees are required to use company-provided devices that are managed through a mobile device management (MDM) solution. This allows our security and IT teams to enforce security policies, deploy endpoint protection and wipe devices remotely.
All employees are required to use Single Sign-On (SSO) with Multi-Factor Authentication (MFA) to access third-party applications and services.
MoonPay is compliant with the General Data Protection Regulation (GDPR), ensuring that all customer and employee personal information is handled securely and lawfully.
All payment information is processed and stored in accordance with the Payment Card Industry Data Security Standard (PCI DSS).
Bug Bounty Program
As part of our commitment to security, we maintain a bug bounty program on HackerOne, which lets us reward security researchers who report vulnerabilities in our applications and infrastructure. MoonPay strongly believes in the value of collaborating with the security community to continuously test and improve the security of our platform.
If you have discovered a vulnerability in MoonPay, we encourage you to report it through our bug bounty program at https://hackerone.com/moonpay.