Security

At Fidel API, protecting sensitive payment data isn’t just a compliance requirement—it’s embedded in our engineering culture, our decision-making, and our relationships with partners and developers.

We take a security-by-design approach, continuously investing in the technology, processes, and people needed to meet the highest security standards and stay ahead of evolving threats. Our commitment is simple: your data is safe with us.

If you have specific security questions, please reach out to us at security@fidelapi.com.

Protecting Customer Data

Fidel API is PCI DSS Level 1 certified, the highest level of certification in the payment industry. We undergo annual audits by independent Qualified Security Assessors (QSAs) to validate our controls and ensure we handle cardholder data in full compliance with PCI DSS standards.
Card Tokenization by Default
When a card is linked via our secure SDK, the data is encrypted in transit using bank-level TLS encryption. We never store raw card details—only secure tokens. These tokens are safely transmitted to payment networks, which notify us of transactions initiated by consenting customers.
Data Encryption & Storage
All sensitive data is encrypted at rest and in transit. Personal data is stored only when necessary and always on secure, access-controlled infrastructure with audit logging enabled.

Testing, Monitoring & Resilience

Ongoing Penetration Testing
We partner with certified third-party firms to conduct annual penetration testing and threat modeling exercises to uncover vulnerabilities before they become issues.
Routine Security Reviews
Our team performs nightly automated tests and internal code reviews as part of our secure SDLC. Security checks are integrated into our CI/CD pipelines to prevent regressions.
Infrastructure Monitoring
We use centralized logging and threat detection tools to continuously monitor application, system, and network activity across all environments.

Access Management & Controls

Least-Privilege Access
Role-based access controls (RBAC) and strict data segmentation are enforced at every layer. All access to production environments requires MFA and is logged and reviewed.
Authentication Standards
All API requests must use strong authentication. We employ hashed headers and timestamps to ensure integrity, prevent tampering, and mitigate replay attacks.
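The paragraph above names the ingredients of request authentication (a keyed hash over the headers plus a timestamp) without spelling out how they fit together. The following is an added, generic illustration written for this page, not Fidel API's documented signing scheme: the header names, the canonical string layout, the 300-second clock window and the nonce cache are all assumptions. It shows the defender-side checks that make such a scheme work: the hash binds method, path, timestamp, nonce and body together, the comparison is constant-time, the timestamp bounds how long a captured request stays valid, and the nonce cache rejects a replay inside that window.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: header names, canonical layout and window size are
# assumptions for this illustration, not Fidel API's actual scheme.
MAX_CLOCK_SKEW = 300  # seconds a request timestamp may differ from server time


def canonical_string(method, path, timestamp, nonce, body):
    """Bind every field the server will act on into one byte string."""
    body_hash = hashlib.sha256(body).hexdigest()
    fields = [method.upper(), path, str(timestamp), nonce, body_hash]
    return "\n".join(fields).encode()


def sign_request(secret, method, path, body, timestamp=None, nonce=None):
    """Client side: produce the auth headers for one request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, timestamp, nonce, body)
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac}


class RequestVerifier:
    """Server side: check integrity, freshness and uniqueness of a request."""

    def __init__(self, secret, max_skew=MAX_CLOCK_SKEW):
        self.secret = secret
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp; pruned as entries age out

    def verify(self, method, path, body, headers, now=None):
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"

        # Freshness: a captured request is only useful within the window.
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside allowed window"

        # Drop nonces older than the window so the cache stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}

        # Integrity: recompute the MAC and compare in constant time. This runs
        # before the nonce check so unauthenticated junk cannot fill the cache.
        expected = hmac.new(
            self.secret, canonical_string(method, path, ts, nonce, body), hashlib.sha256
        ).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"

        # Uniqueness: the same signed request must not be accepted twice.
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = ts
        return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    verifier = RequestVerifier(secret)
    body = b'{"example": true}'
    headers = sign_request(secret, "POST", "/example/endpoint", body)
    print(verifier.verify("POST", "/example/endpoint", body, headers))  # accepted
    print(verifier.verify("POST", "/example/endpoint", body, headers))  # replay rejected
```

The order of checks matters: the cheap timestamp test runs first, the MAC is verified before the nonce is recorded, and the nonce cache only needs to remember entries for as long as the clock window allows a request to be valid.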
Network Security
All communications are encrypted to a high industry standard. Internal and external traffic is controlled through VPNs, firewalls, and application-layer protections.

Security Governance & Culture

Security Is Everyone’s Responsibility
Security is part of our DNA—from the way we build features to how we train employees. Every team member receives security onboarding and regular awareness training.
Transparency with Partners
We share our Attestation of Compliance (AOC) annually with our enterprise partners and customers. Our clear documentation, audit reports, and trust center empower you to conduct your own due diligence with confidence.
Certifications & Roadmap
In addition to PCI DSS, we are actively pursuing ISO/IEC 27001 and SOC 2 Type II certifications to further mature our security program and governance framework.