Security

Your payment data, handled with care

Axin is built for enterprises that take data security seriously. Here is exactly how we protect your information. No vague promises, just architecture.

Foundations

Four pillars of data protection

These aren't features we bolted on. They're structural decisions baked into how Axin works.

Row-Level Security (RLS)

Tenant isolation at the database level

Every merchant's data is isolated using PostgreSQL Row-Level Security (RLS) policies. Queries are scoped to a single tenant at the database layer, not the application layer. Even if application code has a bug, the database enforces the boundary.

Zero PAN exposure

We never store card numbers

Axin ingests event metadata from your PSPs: transaction outcomes, fee breakdowns, 3DS results, settlement records. We never receive, transmit, or store raw card numbers (PANs). The only card-related data we hold are tokenized references that your PSP already exposes.

No write access to PSPs

Read-only webhook access

We connect to your PSPs through webhooks and read-only API calls. Axin cannot initiate payments, modify configurations, or take any action on your PSP accounts. Our access is strictly observational. We receive data, we never write back.

Practices

How we operate

Security is a practice, not a checkbox. These are the standards we hold ourselves to every day.

Webhook signature verification

Every incoming webhook is verified against PSP-specific HMAC signatures before processing. Unsigned or tampered payloads are rejected.

Minimal data collection

We only ingest the data needed for analytics. We don't collect cardholder PII, and we strip unnecessary fields during normalization.

Audit-ready architecture

Every change links to a tracked ticket. Branch protections, code review requirements, and CI gates are enforced on every commit.

Questions about our security practices? Reach us at contact@get-axin.com.