Security & trust

Built to handle real money. Documented like it.

MerchantLayer touches merchant payment data and customer ACH authorizations. Our security model is designed to keep both safe — and to give your security team a clear, honest answer to every reasonable question.

Built to SOC 2-ready standards

We follow the SOC 2 Common Criteria for the controls that matter to a merchant: access management, change control, vulnerability management, encryption, and incident response. Formal SOC 2 Type 2 certification is on our roadmap. Email us for our current security questionnaire.

Encryption in transit and at rest

All traffic is TLS 1.2+. Stripe Connect tokens, ACH authorizations, and customer PII are encrypted at rest with AES-256-GCM. Database backups are encrypted; encryption keys are rotated and managed in Vercel KMS.

Stripe is our PCI boundary

MerchantLayer never stores raw card numbers. Card data is tokenized by Stripe; we hold only the Stripe customer/payment-method tokens. ACH bank data is collected via Stripe Financial Connections — your customer's credentials never touch our servers.

Least-privilege access

Engineering access to production is gated by SSO + hardware MFA. Production database access is restricted, audit-logged, and reviewed quarterly. No customer data is ever pulled into local dev environments.

Hosted on Vercel

The marketing site and merchant dashboard run as edge serverless functions on Vercel. Stripe webhooks are verified with HMAC-SHA256. Background jobs run with isolated service credentials and no shared secrets.

Audit trails on money movement

Every Stripe charge, ACH authorization, and installment-plan signature is recorded with timestamp, IP, user agent, and the agreement hash. Audit logs are immutable and retained for the lifetime of the account.

Subprocessors

We use a small set of third-party services to operate MerchantLayer. Each is contracted with appropriate data protection terms.

Vendor | Purpose | Data category
Stripe | Payment processing, ACH, PCI vault, Stripe Connect | Payment + tokenized card / ACH
Stripe Financial Connections | Bank account verification + ACH authorization | Bank account metadata (no credentials)
Vercel | Hosting, edge functions, analytics | Operational logs + analytics events
Shopify | OAuth-scoped merchant API access | Merchant store metadata
AWS (us-east-1) | Encrypted database storage via Vercel Postgres | Encrypted application data
Resend | Transactional email (payment notifications) | Customer email + branded message

We notify customers via the changelog at least 30 days before adding a new subprocessor with access to customer data. Last updated April 2026.

Found a vulnerability?

We take responsible disclosure seriously. Email us at the address below with reproduction steps and we'll respond within one business day. We don't run a public bug-bounty program yet, but researchers who help us are credited publicly in the changelog.

security@merchantlayer.io

See also /.well-known/security.txt.

Need our security questionnaire?

We maintain answers to the SIG Lite, CAIQ, and a custom merchant-friendly questionnaire. Email us with your security team CC'd and we'll send the latest version. No NDA is required for the standard one.
