Security & how it works
latchpay sits in the middle of other people's money. That's a responsibility we engineer for at every layer — the product, the infrastructure beneath it, and the independent verification that proves it.
Controls in the path of every payout.
Every payout passes configurable approval policy, velocity limits, and sanctions screening before a single rail is touched. No payout moves on a single actor's say-so.
Requests are idempotency-keyed and HMAC-signed. Replays are rejected, duplicate runs are impossible, and every call is attributable to a scoped key.
Role-based access, scoped API keys, and mandatory MFA. Production access is just-in-time, approved, and fully logged.
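As an added illustration of the three properties this section claims for API calls (idempotency-keyed, HMAC-signed, attributable to a scoped key), here is a minimal verifier written for this page. It is example code, not latchpay's own implementation or API: the header names, the key registry, the scope name, the clock-skew window and the demo secret are all assumptions. It shows the server-side checks in the order a defender wants them: key lookup and scope, timestamp freshness, constant-time signature comparison over a canonical string that binds method, path, timestamp, idempotency key and body hash, and finally an idempotency store that returns the stored result on a replay instead of executing the payout again, and rejects a key reused with a different payload.

```python
import hashlib
import hmac
import json
import time

# Constructed key registry for the example: key id -> secret and allowed scopes.
# A real deployment would back this with a secrets store, not a module constant.
KEYS = {
    "key_demo_01": {"secret": b"constructed-demo-secret", "scopes": {"payouts:create"}},
}
MAX_SKEW_SECONDS = 300  # assumed replay window; requests outside it are refused


def canonical_string(method, path, timestamp, idem_key, body):
    """Bind everything that matters into one string; changing any part breaks the MAC."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), idem_key, body_hash]).encode()


def sign_request(key_id, method, path, idem_key, body, timestamp=None):
    """Client side: produce the headers for one request (header names are assumptions)."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(KEYS[key_id]["secret"],
                   canonical_string(method, path, ts, idem_key, body),
                   hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts),
            "Idempotency-Key": idem_key, "X-Signature": mac}


def payout_body(amount, currency="USD", destination="acct_demo"):
    """Constructed payout payload used by the demo; not a real schema."""
    return json.dumps({"amount": amount, "currency": currency, "to": destination}).encode()


class PayoutEndpoint:
    def __init__(self, now=time.time):
        self.now = now
        self.seen = {}        # (key_id, idem_key) -> (body_hash, stored response)
        self.processed = []   # payouts that actually executed

    def handle(self, method, path, headers, body, required_scope="payouts:create"):
        key_id = headers.get("X-Key-Id")
        key = KEYS.get(key_id)
        if key is None:
            return 401, {"error": "unknown key"}
        if required_scope not in key["scopes"]:
            return 403, {"error": "key not scoped for this action"}
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return 400, {"error": "bad timestamp"}
        if abs(int(self.now()) - ts) > MAX_SKEW_SECONDS:
            return 401, {"error": "timestamp outside window"}
        idem = headers.get("Idempotency-Key")
        if not idem:
            return 400, {"error": "missing idempotency key"}
        expected = hmac.new(key["secret"],
                            canonical_string(method, path, ts, idem, body),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison so signature checking does not leak timing.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return 401, {"error": "bad signature"}
        body_hash = hashlib.sha256(body).hexdigest()
        prior = self.seen.get((key_id, idem))
        if prior is not None:
            if prior[0] != body_hash:
                return 422, {"error": "idempotency key reused with different payload"}
            return prior[1]  # replay of an identical request: answer from the store, run nothing
        payout = json.loads(body)
        self.processed.append(payout)
        response = (201, {"payout_id": f"po_{len(self.processed)}", "amount": payout["amount"]})
        self.seen[(key_id, idem)] = (body_hash, response)
        return response


if __name__ == "__main__":
    ep = PayoutEndpoint(now=lambda: 1_700_000_000)
    body = payout_body(1000)
    h = sign_request("key_demo_01", "POST", "/v1/payouts", "idem-1", body, timestamp=1_700_000_000)
    print(ep.handle("POST", "/v1/payouts", h, body))   # first call executes
    print(ep.handle("POST", "/v1/payouts", h, body))   # replay: same answer, no second payout
    print(len(ep.processed))                           # 1
```

The idempotency store is keyed on (key id, idempotency key) rather than on the idempotency key alone, so one tenant cannot collide with or probe another's keys. The timestamp sits inside the signed string, so a captured request cannot be refreshed with a new timestamp without the secret; and because the body hash is also signed, a replay that changes the amount fails the MAC before it ever reaches the idempotency logic.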
A hardened base that holds funds 1:1.
Customer funds are held 1:1 in segregated accounts at regulated banking partners, never commingled with operating capital and never lent out.
TLS 1.2+ in transit and AES-256 at rest. Keys are managed in an HSM-backed KMS with strict rotation and split-knowledge custody.
Immutable audit logs, real-time anomaly detection on payout patterns, and a tested incident-response runbook with a 24/7 on-call rotation.
Don't take our word for it.
SOC 2 Type II and PCI DSS Level 1 assessed annually by independent third parties. Reports available under NDA from your account team.
External pen tests run at least annually and before major releases. Findings are tracked to remediation with verification.
We welcome reports from security researchers. Disclose a vulnerability and we'll respond fast — security@latchpay.com.
Request the controls overview and a SOC 2 report walkthrough with our team.