Security and privacy are top priorities at MoonPay. We put our customers' and partners' safety first while emphasizing user ownership.
MoonPay remains a non-custodial agent in all customer dealings. MoonPay does not custody any customer funds purchased on the platform and transfers assets directly to/from customer-directed wallets. Most transactions are completed without access to a customer’s wallet. If the customer does not already have a wallet, a wallet may be created for them on the MoonPay platform, but the keys are only accessible to the user and escrowed away from all MoonPay employees.
Payment & Customer Data
All data sent to or from MoonPay's infrastructure is encrypted in transit using Transport Layer Security (TLS) version 1.2 or later. All MoonPay data is encrypted at rest using AES-256 block-level storage encryption and stored in ISO 27001 and PCI DSS compliant data centers. MoonPay is compliant with the General Data Protection Regulation (GDPR), ensuring that all customer and employee personal information is treated with the highest level of security and in a lawful manner. All payment information is processed and stored following the strict Payment Card Industry Data Security Standards (PCI DSS).
MoonPay employs processes and tooling to continuously deliver secure software to our cloud infrastructure and applications. All code changes go through a code review process and are subject to static application security testing (SAST) to detect insecure code patterns. All dependencies are automatically updated, and MoonPay's security team works hand in hand with engineering teams to provide assistance during the different stages of the software development lifecycle (SDLC). MoonPay engineers participate in regular security training on common vulnerabilities and secure development practices.
MoonPay employees are required to use company-provided devices that are managed through a mobile device management solution. This allows our security and IT teams to enforce security policies, deploy other endpoint protection solutions and manage devices remotely. All employees are required to use Single Sign-On and Multi-Factor Authentication to access third-party applications and services. Employees are subject to background checks prior to employment and receive training on security guidelines. Employees are held to stringent security standards and interface regularly with the Security team.
Bug Bounty Program
As part of our commitment to security, we welcome vulnerability submissions through our bug bounty program on HackerOne. MoonPay strongly believes in the value of collaborating with the security community to continuously test and improve the security of our platform. If you have discovered a vulnerability on MoonPay, we encourage you to report it through our bug bounty program at hackerone.com/moonpay.