Issued by Krepling Inc.
Effective Date: 20th June 2025
This Security Policy outlines the technical, operational, and organizational measures Krepling Inc. (“Krepling”) implements to safeguard the integrity, confidentiality, and availability of data processed through Krepling Pay. This policy supports compliance with applicable data protection laws and payment industry standards.
What This Means:
This document explains how we protect your data and systems when you use Krepling Pay.
This policy applies to:
All Krepling Pay systems, infrastructure, and APIs
All data processed through Krepling Pay (merchant, customer, transaction data)
All employees, contractors, and third-party vendors with system access
What This Means:
Everyone and everything involved with Krepling Pay is expected to follow these security rules.
Krepling maintains compliance with:
PCI DSS (Payment Card Industry Data Security Standard)
SOC 2 Type II control objectives
GDPR and CCPA security provisions
Sponsor bank security guidelines (Wells Fargo, Synovus, Deutsche Bank)
What This Means:
We meet the highest international and industry security standards.
All sensitive data is encrypted in transit using TLS 1.2 or higher.
Data at rest is encrypted using AES-256.
Key management follows NIST standards and includes restricted access and rotation protocols.
What This Means:
We encrypt your data at all times to keep it safe from unauthorized access.
Role-based access is enforced across all systems.
Multi-factor authentication (MFA) is required for system access.
Access logs are monitored and retained for audit purposes.
What This Means:
Only the right people can access your data, and we track who does what.
Krepling uses tokenization to store customer payment credentials securely.
Cardholder data is never stored in raw form.
Tokens are environment-isolated and cannot be reused outside Krepling systems.
What This Means:
We replace sensitive data like card numbers with secure tokens to reduce risk.
Firewalls and intrusion detection systems (IDS) are in place.
Regular vulnerability scanning and penetration testing are conducted.
Infrastructure is hosted on secure, audited cloud platforms (e.g., AWS, GCP).
What This Means:
Our infrastructure is hardened and tested regularly to block hackers and threats.
All code is reviewed and tested before release.
Static and dynamic application security testing (SAST/DAST) is integrated into CI/CD pipelines.
Regular security audits are conducted by internal and external teams.
What This Means:
We build and review our software with security in mind at every stage.
Krepling monitors systems 24/7 for suspicious activity.
Incidents are triaged, investigated, and responded to using an established playbook.
Breaches are reported within 72 hours per GDPR and other laws.
What This Means:
We’re always watching for threats and ready to act quickly if something goes wrong.
All third-party providers undergo security due diligence.
Contracts require compliance with Krepling’s security standards.
Access to data is strictly limited and monitored.
What This Means:
We vet every vendor to make sure they also keep your data safe.
Data centers used by Krepling follow SOC 2 and ISO/IEC 27001 standards.
Physical access is controlled using biometric or badge-based systems.
Onsite access is logged and audited.
What This Means:
Our data centers are protected by strong physical security measures.
All employees complete mandatory security awareness training.
Additional role-specific training is provided for engineering, support, and compliance teams.
Regular phishing simulations and testing are conducted.
What This Means:
Our staff are trained to spot and stop security threats before they become a problem.
Systems are architected with redundancy and failover capabilities.
Daily data backups are encrypted and stored in separate regions.
Disaster recovery plans are tested annually.
What This Means:
If something breaks, we have backups and plans in place to keep services running.
This policy is reviewed annually and updated as needed.
Changes are communicated to all relevant stakeholders.
What This Means:
We review this policy every year to keep it up to date with new threats.
For questions or security concerns, contact:
Email: security@krepling.com
What This Means:
You can contact us if you have any concerns about security or need help.
© 2025 Krepling Pay
Krepling Pay is a global payment gateway offering services through its subsidiaries and licensed partners. Payment processing and money transmission services are provided in accordance with local licensing requirements, regulatory frameworks, and financial conduct standards. In the United States, such services are offered through Krepling Inc., which maintains compliance with applicable federal and state money transmission laws. For licensing details and regulatory disclosures, please visit our Legal page.