Security and privacy are top priorities for MoonPay. Our security policies and measures are reviewed continuously to ensure they stay up to date and compliant with industry standards.
All data sent to or from MoonPay's infrastructure is encrypted in transit using Transport Layer Security (TLS) version 1.2 or later, and protected against HTTPS-to-HTTP downgrade (SSL-stripping) attacks by a robust HTTP Strict Transport Security (HSTS) policy. MoonPay's SSL Labs report is available here.
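The two transport-security claims above can be checked mechanically: a client can refuse to negotiate anything older than TLS 1.2, and the Strict-Transport-Security header a server returns can be parsed and scored. The block below is an added example, not MoonPay's code; the HSTS header values in it are constructed, and the thresholds it enforces (a max-age of at least one year, includeSubDomains and preload, which are the browser preload-list requirements) are an assumption about what "robust" means, since the page does not define it.

```python
"""Transport-security checks: a TLS-1.2-or-later client context and an
HSTS policy validator (example code, not MoonPay's own)."""
import ssl
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed definition of a "robust" policy: the preload-list criteria
# (max-age >= 1 year, includeSubDomains, preload).
MIN_MAX_AGE_SECONDS = 31536000


def tls12_or_later_context() -> ssl.SSLContext:
    """Client context that will not negotiate SSLv3, TLS 1.0 or TLS 1.1.

    Certificate verification and hostname checking stay enabled, as
    create_default_context() sets them.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def min_tls_version_name(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will accept."""
    return ctx.minimum_version.name


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool
    problems: List[str] = field(default_factory=list)


def parse_hsts(header: Optional[str]) -> HstsPolicy:
    """Parse a Strict-Transport-Security value per RFC 6797 and list weaknesses.

    Directive names are case-insensitive, unknown directives are ignored,
    max-age is mandatory, and a repeated directive makes the header invalid.
    """
    problems: List[str] = []
    if header is None:
        return HstsPolicy(0, False, False, ["no Strict-Transport-Security header"])

    max_age: Optional[int] = None
    include_subdomains = preload = False
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # delta-seconds may be a quoted-string
        if name in seen:
            problems.append(f"duplicate directive {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                max_age = int(value)
            else:
                problems.append(f"max-age is not a non-negative integer: {value!r}")
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True

    if max_age is None:
        problems.append("max-age directive missing")
        max_age = 0
    elif max_age == 0:
        problems.append("max-age=0 tells browsers to forget the policy")
    elif max_age < MIN_MAX_AGE_SECONDS:
        problems.append(f"max-age {max_age} is below one year")
    if not include_subdomains:
        problems.append("includeSubDomains missing: subdomains stay strippable")
    if not preload:
        problems.append("preload missing: first visit is unprotected")
    return HstsPolicy(max_age, include_subdomains, preload, problems)


if __name__ == "__main__":
    # Constructed header values: a weak policy beside a robust one.
    for value in ("max-age=300", "max-age=63072000; includeSubDomains; preload"):
        policy = parse_hsts(value)
        print(value, "->", policy.problems or "OK")
    print("minimum TLS version:", min_tls_version_name(tls12_or_later_context()))
```

Even a robust header only protects a browser that has already seen it (or has the domain on the preload list); a first connection over plain HTTP is still where stripping happens, which is why the preload directive is part of the check.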
All MoonPay data is encrypted at rest using AES-256 block-level storage encryption and stored in ISO27001 and PCI DSS compliant datacenters.
Business Continuity and Disaster Recovery
MoonPay backs up its critical assets and regularly performs test restores to verify the processes in place, ensuring a safe and fast recovery in case of disaster. Backups are encrypted using AES with 256-bit keys and stored in ISO27001 and PCI DSS compliant datacenters.
MoonPay has processes and tooling in place that enable us to continuously deliver secure software to our cloud infrastructure and applications. Code changes are deployed to our production environment multiple times every day.
- All code changes go through a code review process and require at least one approval from a different member of the engineering team.
- MoonPay's security team works hand in hand with the engineering teams to provide assistance during the different stages of the software development lifecycle (SDLC).
- MoonPay engineers participate in regular security training to learn about common vulnerabilities and secure development practices.
- MoonPay's continuous integration (CI) pipeline automatically performs static application security testing (SAST) on code changes to detect insecure code patterns.
- MoonPay has tooling in place to automatically update vulnerable and outdated dependencies.
- MoonPay uses error tracking solutions in the applications' front and back ends to detect potential attacks and vulnerabilities.
Security Monitoring and Protection
- We use security monitoring solutions to obtain visibility into our organization's security posture, identify attacks and quickly respond to security incidents.
- We use error monitoring, alerting and anomaly detection technologies in all our production systems.
- We collect logs and retain them for at least one year, providing an audit trail of our systems' activity.
MoonPay employees are required to use company-provided Apple devices, which are managed through a mobile device management (MDM) solution. This allows our security and IT teams to enforce security policies, deploy additional endpoint protection solutions and wipe devices remotely.
All employees are required to use Single Sign-On (SSO) and Multi-Factor Authentication (MFA) to access third-party applications and services.
MoonPay is compliant with the General Data Protection Regulation (GDPR), ensuring that all customer and employee personal information is treated with the highest level of security and in a lawful manner.
All payment information is processed and stored following the strict Payment Card Industry Data Security Standard (PCI DSS).
Bug Bounty Program
MoonPay maintains a private bug bounty program hosted on Bugcrowd, which gives our engineering teams the ability to leverage the power of the security research community to continuously test the security of our platform.
To be invited to our bug bounty program, you must first report a valid vulnerability through our Vulnerability Disclosure Program submission form. Your report will be reviewed and potential new participants will be considered on a case-by-case basis.
Vulnerability Disclosure Program
If you are a security researcher and would like to let us know about a potential vulnerability in our systems, you can do so by filling out and submitting the form below. Your report will be acknowledged within three working days.
Please limit security testing to your own data and accounts and avoid interacting with data belonging to other MoonPay customers. Any automated testing that could lead to data destruction or affect the availability of MoonPay's services should be avoided.