Your data is safe with us
Security isn't a feature we ship — it's the foundation we build on. Here's exactly how Savby protects your business and your customers' payment information.
Encryption at rest & in transit
All data is encrypted at rest using AES-256-GCM. Every connection between your browser, our API, and our database uses TLS 1.3. Sensitive token material is encrypted with a per-tenant key derived from a hardware security module (HSM).
SOC 2-aligned infrastructure
Our engineering and operational practices are aligned with the SOC 2 Type II trust-service criteria for security, availability, and confidentiality. We undergo regular third-party penetration testing and vulnerability assessments.
No raw card data
Savby never stores, transmits, or logs raw card numbers, CVVs, or cardholder authentication secrets. We work exclusively with the payment tokens and metadata provided by your payment processor — keeping you firmly out of PCI scope.
Infrastructure & availability
Our services run on enterprise-grade cloud infrastructure across multiple availability zones. We use automated failover, daily backups with 30-day retention, and continuous uptime monitoring with a public status page.
Access controls & audit logs
Every API call, authentication event, and data-access operation is logged and immutably stored. Role-based access controls ensure only authorised personnel can access production systems, and all access is reviewed quarterly.
Responsible disclosure
If you've discovered a potential security vulnerability, please report it responsibly to security@savby.io. We aim to acknowledge reports within 24 hours and resolve confirmed issues within 90 days. We do not pursue legal action against researchers who follow responsible disclosure guidelines.
Last updated: March 2026