Company · Security

We handle money. That buys us one excuse for a security incident: none.

Tapped runs on certified kernels, per-tenant key isolation, and a pipeline of independent audits. This page is the long version: certifications, architecture, disclosure terms, and how to reach us if you find something.

PCI-DSS L1 · SOC 2 Type II · ISO/IEC 27001 · EMV L3 · PCI PIN · PCI 3DS

Certifications & attestations

Every certification here is held by Tapped directly, not by an upstream processor we resell. Attestations of Compliance (AoCs) are available to prospects and customers under NDA; ask your account team or email hello@tapped.cc.

Card data

PCI-DSS Level 1

Full-scope merchant acquirer and service provider; validated by a Qualified Security Assessor annually.

Last audit: Mar 2026
Controls

SOC 2 Type II

Trust Services Criteria in scope: Security, Availability, Confidentiality, and Processing Integrity. 12-month observation window; no exceptions noted.

Last report: Feb 2026
ISMS

ISO/IEC 27001:2022

Information security management system covering development, operations, and customer support across every office.

Certified: Nov 2025
EMV

EMV Level 3 (SPoC & CPoC)

Contactless kernels certified directly with Visa, Mastercard, JCB, UnionPay, and American Express.

Letters on file: 5 schemes
Cardholder PIN

PCI PIN Security

PIN-on-Glass implementation on every supported iOS and Android device, assessed against PCI PIN v3.1.

Last audit: Jan 2026
Auth

PCI 3DS Core

3-D Secure 2.x server and ACS components are PCI 3DS Core assessed; frictionless flows tuned per scheme.

Certified: Sep 2025
Privacy

GDPR, PDPA, APPI

DPAs available for all three frameworks. Standard Contractual Clauses in place for EU data transfers; APAC residency configurable per region.

DPA page: Read →
Assurance

Independent pentests

Two external firms, annually, covering the platform API, dashboard, mobile kernels, and reconciliation pipelines. Executive summaries shared with customers on request.

Schedule: Q2 · Q4

The four pillars of how Tapped is built.

A certification page tells you we passed. This one tells you why. The same four ideas appear in every architectural review, hiring decision, and vendor contract we make.

01 · Isolation

Per-tenant keys, per-market residency.

Platforms share infrastructure, not cryptographic keys. Enterprise plans add customer-managed keys (BYOK) with key rotation logged to your own CloudTrail-equivalent audit sink.

  • AWS KMS + Google Cloud KMS dual-region envelopes
  • Per-platform HSM slots for PIN & sensitive auth data
  • Data residency selectable in SG / JP / HK / SG-backup
  • Independent access control for each market’s operations team
02 · Defence in depth

Every path is authenticated, signed, and auditable.

There is no internal network shortcut. Service-to-service calls use mTLS plus short-lived SPIFFE identities. Every database mutation is emitted to a tamper-evident audit log.

  • Request signing on every platform API call (HMAC-SHA256)
  • Webhook signatures with rotating secrets + replay windows
  • Audit log stream exposed to customers via Tap Ledger export
  • Zero-standing-access posture for engineers, JIT elevation only
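A worked example of the two signing controls in the list above (HMAC-SHA256 request signing and webhook signatures with rotating secrets and a replay window), written in Go for this page. It is not Tapped's SDK or platform code: the header layout `t=<unix>,kid=<id>,v1=<hex mac>`, the 5-minute window, the key-ID scheme and the sample event body are all assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Keyring holds every secret the receiver currently accepts, keyed by key ID.
// Rotation overlaps: the new kid is added before the old one is removed.
type Keyring map[string][]byte
const replayWindow = 5 * time.Minute // timestamp tolerance (assumed value)

var (
	ErrMalformed  = errors.New("malformed signature header")
	ErrUnknownKey = errors.New("unknown key id")
	ErrStale      = errors.New("timestamp outside replay window")
	ErrBadSig     = errors.New("signature mismatch")
	ErrReplayed   = errors.New("delivery already accepted")
)

// mac is HMAC-SHA256 over "<timestamp>.<raw body>", so the timestamp is
// authenticated along with the payload.
func mac(secret []byte, t string, body []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(t + "."))
	m.Write(body)
	return m.Sum(nil)
}

// Sign builds the sender's header. The layout "t=<unix>,kid=<id>,v1=<hex mac>"
// is this example's assumption, not a documented Tapped format.
func Sign(secret []byte, kid string, ts time.Time, body []byte) string {
	t := strconv.FormatInt(ts.Unix(), 10)
	return fmt.Sprintf("t=%s,kid=%s,v1=%s", t, kid, hex.EncodeToString(mac(secret, t, body)))
}

// Verifier checks inbound deliveries. seen remembers signatures accepted inside
// the window, so a captured delivery is refused even while its timestamp is fresh.
type Verifier struct {
	keys Keyring
	seen map[string]time.Time
}

func NewVerifier(keys Keyring) *Verifier {
	return &Verifier{keys: keys, seen: map[string]time.Time{}}
}

func (v *Verifier) Verify(header string, body []byte, now time.Time) error {
	fields := map[string]string{}
	for _, part := range strings.Split(header, ",") {
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 {
			return ErrMalformed
		}
		fields[kv[0]] = kv[1]
	}
	ts, err := strconv.ParseInt(fields["t"], 10, 64)
	want, derr := hex.DecodeString(fields["v1"])
	if err != nil || derr != nil || len(want) != sha256.Size {
		return ErrMalformed
	}
	secret, ok := v.keys[fields["kid"]]
	if !ok {
		return ErrUnknownKey
	}
	if d := now.Sub(time.Unix(ts, 0)); d > replayWindow || d < -replayWindow {
		return ErrStale
	}
	if !hmac.Equal(mac(secret, fields["t"], body), want) { // constant-time compare
		return ErrBadSig
	}
	for sig, at := range v.seen { // evict entries that have aged out of the window
		if now.Sub(at) > replayWindow {
			delete(v.seen, sig)
		}
	}
	if _, dup := v.seen[fields["v1"]]; dup {
		return ErrReplayed
	}
	v.seen[fields["v1"]] = now
	return nil
}

func main() {
	keys := Keyring{"k1": []byte("old-secret"), "k2": []byte("new-secret")} // constructed
	v := NewVerifier(keys)
	body := []byte(`{"type":"payment.captured","id":"evt_1"}`) // constructed sample
	now := time.Unix(1700000000, 0)
	h := Sign(keys["k2"], "k2", now, body)
	fmt.Println("fresh:", v.Verify(h, body, now))
	fmt.Println("replayed:", v.Verify(h, body, now.Add(time.Minute)))
}
```

Two details carry the weight here: the timestamp is inside the MAC input, so an attacker cannot refresh an old capture by editing `t`, and the key ID lets the receiver accept the outgoing and incoming secret at the same time during a rotation instead of racing the cutover. The same scheme serves outbound API requests; the signed string would then cover method, path and body rather than the webhook body alone.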
03 · Availability

Multi-region by default. Quarterly game days.

The auth path is active-active across two APAC regions. Settlement, reporting, and the dashboard degrade gracefully. We run regulator-witnessed DR exercises every quarter.

  • 99.995% target on card-present authorisation
  • Automated region failover in < 90 seconds
  • Public status page at status.tapped.cc with component granularity
  • Subscription to signed incident emails + RSS feed
04 · Secure development

Shift left, but with teeth.

Security is a product team, not a gatekeeper. Every pull request goes through static analysis, dependency scanning, and an automated threat-model diff for security-sensitive surfaces.

  • Signed commits + reproducible builds on all kernel firmware
  • SBOMs published for every SDK release
  • Supply-chain monitoring with Sigstore + in-house vendor attestation
  • Weekly red-team exercise against a staging mirror of production

Controls reference.

The short version of what a security-review questionnaire will ask. Full control matrix is in the Tapped Trust Centre, available under NDA.

Control area: how Tapped implements it

Encryption at rest: AES-256 GCM with per-tenant data-encryption keys wrapped by KMS. Customer-managed keys (BYOK) on Enterprise plans.
Encryption in transit: TLS 1.3 with modern ciphers; internal services use mutual TLS via SPIFFE workload identities. Certificate pinning on mobile SDKs.
Key management: FIPS 140-2 Level 3 HSMs for PIN and card cryptography. Automatic key rotation on a 90-day cadence; emergency rotation under 30 minutes.
Identity & access: SSO (SAML 2.0, OIDC) for the dashboard; SCIM provisioning; hardware-token MFA enforced for all Tapped employees with production access.
Network: Private VPC per environment, no public service endpoints, WAF + L7 rate-limiting in front of every edge, quarterly firewall rule review.
Monitoring & detection: Centralised log pipeline with a 13-month retention minimum; SIEM correlation rules tuned for card-data anomaly detection; on-call rotation answers within 5 minutes.
Backup & recovery: Continuous backup with point-in-time recovery to 5-minute granularity. RPO < 5 minutes, RTO < 30 minutes, tested quarterly.
Vendor security: Tiered third-party review; Tier-1 vendors reviewed annually with SOC 2 / ISO 27001 required; sub-processor list published.
Personnel security: Pre-employment background checks (where legally permitted) and annual security training; separation of duties enforced via role-based access.
Data deletion: Customer-initiated deletion completes within 30 days across production and backups; tombstones prevent accidental re-creation.
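A worked example of the envelope-encryption pattern behind the encryption-at-rest and key-management rows above (AES-256-GCM records under per-tenant data-encryption keys, DEKs wrapped by a KMS, KEK rotation that never touches stored records), written in Go for this page. It is not Tapped's implementation: a local AES-GCM key-wrap stands in for the cloud KMS, and the names `Wrap`, `Rewrap`, `EncryptRecord` and the version-byte prefix are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length gets here
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

func seal(key, plaintext, aad []byte) []byte {
	nonce := randBytes(12) // output layout is nonce||ciphertext||tag
	return gcm(key).Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], aad)
}

// KMS stands in for the cloud KMS: it never releases a key-encryption key (KEK),
// only wraps and unwraps data keys. Old KEK versions are kept; the last is current.
type KMS struct{ keks [][]byte }
func NewKMS() *KMS { return &KMS{keks: [][]byte{randBytes(32)}} }

// Wrap binds the DEK to its tenant (tenant ID is the AAD) and prefixes the KEK
// version so Unwrap can select the right key.
func (k *KMS) Wrap(tenant string, dek []byte) []byte {
	v := byte(len(k.keks) - 1)
	return append([]byte{v}, seal(k.keks[v], dek, []byte(tenant))...)
}

func (k *KMS) Unwrap(tenant string, wrapped []byte) ([]byte, error) {
	if len(wrapped) == 0 || int(wrapped[0]) >= len(k.keks) {
		return nil, errors.New("unknown KEK version")
	}
	return open(k.keks[wrapped[0]], wrapped[1:], []byte(tenant))
}

// RotateKEK issues a new KEK; Rewrap moves a wrapped DEK under it without
// touching any encrypted record, which is what keeps a 90-day cadence cheap.
func (k *KMS) RotateKEK() { k.keks = append(k.keks, randBytes(32)) }

func (k *KMS) Rewrap(tenant string, wrapped []byte) ([]byte, error) {
	dek, err := k.Unwrap(tenant, wrapped)
	if err != nil {
		return nil, err
	}
	return k.Wrap(tenant, dek), nil
}

// EncryptRecord unwraps the tenant's DEK for one call and seals with
// "<tenant>/<record>" as AAD, so a ciphertext cannot be moved between tenants or records.
func (k *KMS) EncryptRecord(tenant string, wrappedDEK []byte, recordID string, pt []byte) ([]byte, error) {
	dek, err := k.Unwrap(tenant, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return seal(dek, pt, []byte(tenant+"/"+recordID)), nil
}

func (k *KMS) DecryptRecord(tenant string, wrappedDEK []byte, recordID string, blob []byte) ([]byte, error) {
	dek, err := k.Unwrap(tenant, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, blob, []byte(tenant+"/"+recordID))
}

func main() {
	kms := NewKMS()
	wrapped := kms.Wrap("tenant-a", randBytes(32)) // the only key material the tenant row stores
	blob, _ := kms.EncryptRecord("tenant-a", wrapped, "txn-1", []byte("constructed sample record"))
	kms.RotateKEK()
	wrapped, _ = kms.Rewrap("tenant-a", wrapped)
	pt, err := kms.DecryptRecord("tenant-a", wrapped, "txn-1", blob)
	fmt.Println("after KEK rotation:", string(pt), err)
}
```

The AAD choices are the security-relevant part: a wrapped DEK lifted from one tenant's row fails to unwrap under another tenant's ID, and a record ciphertext copied to another tenant or another record fails authentication rather than decrypting to something plausible. Rotating the KEK only rewraps the small set of DEKs, which is why a 90-day cadence costs nothing at the data layer.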

Report a vulnerability.

We publish and practise a coordinated-disclosure policy. Security researchers who act in good faith, respecting user privacy, avoiding data destruction, and not monetising findings before we’ve shipped a fix, will not face legal action from Tapped. We’ll work with you on timing, credit, and where applicable a bounty.

Scope: the Tapped platform API (api.tapped.cc), the merchant dashboard (dashboard.tapped.cc), developer documentation (developers.tapped.cc), and the Tap Terminal SDK for iOS and Android. Out of scope: social-engineering attempts against staff, denial-of-service, physical attacks against offices, and testing against any other domain we operate.

Default timeline: 90 days from the date of first valid report; we may request an extension for kernel-level issues that require scheme re-certification and will communicate a target publication date.

How to reach us

Email: hello@tapped.cc
PGP key: 0xAB12 CD34 EF56 7890
security.txt (RFC 9116): /.well-known/security.txt
Response time: < 24 hours, 7 days a week
Bounty programme: invite-only; ask in your first email
Security & trust

Need a deeper dive?

Architecture diagrams, penetration-test executive summaries, SOC 2 reports, and the control matrix are all available to prospects and customers under NDA. Ask your account team or email us directly.