Skip to main content
OptiPay

Security at OptiPay

Protecting your financial data is our top priority. We use modern, industry-standard security technology to keep your data safe.

Encryption in transit and at rest

All data is encrypted in transit with TLS 1.3 and at rest with AES-256. Keys are managed securely and rotated periodically.

Two-factor authentication (2FA)

An extra layer of protection for your account with two-factor authentication. Supports authenticator apps and SMS codes.

Secure cloud infrastructure

We host on leading cloud infrastructure certified to international standards, including SOC 2 and ISO 27001 (these certifications belong to our infrastructure providers, Supabase, Vercel, not to OptiPay directly).

Monitoring and access control

24/7 monitoring systems detect suspicious activity in real time. Every access to data is logged and audited.

Security reviews & verifications

We passed an external CASA Tier 2 security assessment, and the app is verified by both Google (OAuth app verification) and Microsoft (verified publisher). We also run automated security scans in our CI pipeline and perform periodic security reviews.

Backup and recovery

Encrypted automated backups run every day. We target availability of 99.9% or higher, with an RTO goal of 2 hours or less and an RPO goal of 24 hours or less.

Compliance

Passed external CASA Tier 2 security assessment
Google-verified app (OAuth) and Microsoft verified publisher
GDPR: the EU General Data Protection Regulation
The Israeli Protection of Privacy Law, 5741-1981
The Protection of Privacy Regulations (Data Security), 5777-2017
PCI DSS: card data is processed by Stripe under PCI DSS; we never store card numbers

Sub-processors

The following providers process personal data on our behalf. Each provider is bound by a Data Processing Agreement (DPA) with EU Standard Contractual Clauses (SCCs), or under the Data Privacy Framework, depending on the region of operation. We will give at least 30 days' notice of any change, by email or via an in-app banner.

Provider
Use
Region
Supabase
Managed database (Postgres), authentication, file storage
European Union: eu-west-1 (Ireland)
Vercel
Application hosting and global CDN
Functions pinned to fra1 (Frankfurt); CDN on global edge locations
Stripe
Subscription billing and invoicing
United States, with data residency in Europe for European customers
Upstash
Rate limiting and caching (Redis)
Global, multi-region
Sentry
Error and performance monitoring
United States
Google
OAuth, transactional email (account verification, sign-in links and password resets) via the Google Workspace SMTP relay, and the Gmail API (Gmail access only if you connect your Gmail account)
United States: under Google Limited Use
Hetzner
Self-hosted n8n automations (OCR, integrations, WhatsApp)
Germany (Falkenstein / Nuremberg)
PostHog
Product analytics (optional, subject to your consent via the cookie banner)
European Union: EU cluster
Meta (WhatsApp Cloud API)
WhatsApp phone-number verification and sending/receiving receipts (only if you connect the WhatsApp channel)
European Union (per the WhatsApp Business policy)

Last updated: May 24, 2026

Found a security vulnerability? Report it responsibly at security@optipay.co.il