Security Policy

Effective Date: February 7, 2026

Last Updated: February 7, 2026

Cenoa Payment moves money for individuals and merchants worldwide. This Security Policy describes the controls we maintain to protect customer data and funds.

Overview

Security is treated as a first-class engineering and product concern at Cenoa. Our security program is aligned with industry frameworks including SOC 2, ISO/IEC 27001, and PCI-DSS. We engage independent third parties for annual audits and continuous penetration testing.

Encryption

All traffic to and from Cenoa is encrypted in transit using TLS 1.2 or higher with modern cipher suites. Sensitive data at rest is encrypted using AES-256 with keys managed in a hardware-backed key management service. Backup volumes inherit the same encryption settings as primary storage.

Authentication

Customer accounts support strong passwords (length and breach checks), session management with refresh-token rotation, and optional multi-factor authentication via TOTP authenticator apps. Staff access to production systems requires hardware security keys and single sign-on, and is brokered through a privileged-access platform that records every session.

Infrastructure

Cenoa runs on hardened cloud infrastructure with isolated network segments for production, staging, and corporate environments. We follow least-privilege IAM, deny-by-default security groups, image-signing for build artifacts, runtime intrusion detection, and continuous secret scanning. Production deployments require code review and pass automated security checks before release.

Compliance

Card data is handled by Stripe, a PCI-DSS Level 1 service provider; Cenoa never stores full card numbers. Cenoa maintains its own PCI-DSS SAQ A scope. We comply with applicable financial regulations (including BSA/AML obligations) and data protection laws (including GDPR and CCPA).

Vulnerability Disclosure

We welcome reports of security issues from the research community. Please submit reports to security@cenoapayments.com with detailed reproduction steps. We commit to acknowledge reports within two business days and to keep researchers updated until resolution. Good-faith research conducted in line with our Safe Harbor terms will not result in legal action.

Incident Response

Cenoa maintains a documented incident response plan with defined severity levels, runbooks, and on-call rotations. In the event of a security incident affecting customer data, we will notify affected users and applicable regulators within timelines required by law (for example, 72 hours under GDPR).

Updates

This Security Policy is reviewed at least annually and whenever material changes occur to our security program. The current version is published at this URL.

Questions? Email legal@cenoapayments.com.