Short version: card data never touches us or you — it goes straight to PCI-DSS Level 1 infrastructure. Here's the longer version.
✓PCI-DSS Level 1. Payments run on UniPaaS's certified Level 1 infrastructure — the highest level of the card-industry security standard, audited annually. Your app never handles card numbers; the hosted and embedded checkouts keep you out of PCI scope entirely.
✓Scoped access tokens. The key emailed to you can do exactly one thing: create checkouts. It cannot move funds, read balances or change your account. Portal access uses separate short-lived sessions with email one-time codes — we never ask for passwords.
✓TLS everywhere, secrets server-side. All traffic is encrypted in transit. Platform keys are never exposed to browsers or agents — the public API and MCP server keep secrets on our side by design.
✓3-D Secure & fraud screening. Card payments run through 3DS2 where required (UK/EU SCA) and UniPaaS's transaction monitoring on J.P. Morgan settlement rails.
✓Found a vulnerability? Email oded@unipaas.com — it lands with the CTO. We respond fast and we don't shoot messengers.