Your payment data, handled with care
Axin is built for enterprises that take data security seriously. Here is exactly how we protect your information. No vague promises, just architecture.
Four pillars of data protection
These aren't features we bolted on. They're structural decisions baked into how Axin works.
Tenant isolation at the database level
Every merchant's data is isolated using PostgreSQL Row-Level Security (RLS) policies. Queries are scoped to a single tenant at the database layer, not the application layer. Even if application code has a bug, the database enforces the boundary.
We never store card numbers
Axin ingests event metadata from your PSPs: transaction outcomes, fee breakdowns, 3DS results, settlement records. We never receive, transmit, or store raw card numbers (PANs). The only card-related data we hold are tokenized references that your PSP already exposes.
Read-only webhook access
We connect to your PSPs through webhooks and read-only API calls. Axin cannot initiate payments, modify configurations, or take any action on your PSP accounts. Our access is strictly observational. We receive data, we never write back.
How we operate
Security is a practice, not a checkbox. These are the standards we hold ourselves to every day.
Webhook signature verification
Every incoming webhook is verified against PSP-specific HMAC signatures before processing. Unsigned or tampered payloads are rejected.
Minimal data collection
We only ingest the data needed for analytics. We don't collect cardholder PII, and we strip unnecessary fields during normalization.
Audit-ready architecture
Every change links to a tracked ticket. Branch protections, code review requirements, and CI gates are enforced on every commit.
Questions about our security practices? Reach us at contact@get-axin.com.