Security & Compliance
Your money and data, treated like ours.
Saleonix moves money for a living. Security is not a feature we added — it is the discipline the platform is built around: encryption everywhere, least-privilege access, full audit trails, and honest compliance claims.
How we protect you
Security controls, in plain language
Encryption in transit and at rest
All traffic is encrypted with TLS and protected by HTTP Strict Transport Security. Sensitive fields such as bank details are additionally encrypted at the field level with AES-256-GCM authenticated encryption, and our database is encrypted at rest.
Card data is never stored
Card numbers and security codes are used only to execute the payment through the Payten gateway and our acquiring bank, BKT. They are never stored, logged, or echoed back by our systems — recurring billing runs on gateway-side tokens, not saved cards.
Multi-factor authentication
Every account can enable TOTP two-factor authentication with single-use recovery codes, enforced at login across the app and its APIs. Administrative and staff access additionally requires step-up MFA re-verification for sensitive operations. TOTP secrets are stored encrypted.
Role-based access control
Access follows least privilege: separate roles for merchants, staff, and platform administrators, per-module staff permissions, and layered guards on every administrative route.
Hardened authentication
Passwords are hashed with bcrypt and never stored in plain text. Email verification is enforced before sign-in, password resets use single-use expiring tokens and revoke all active sessions, and reset flows resist account enumeration.
Comprehensive audit trails
Security-relevant events — sign-ins, password resets, administrative actions, payment sessions, callbacks, and refunds — are written to dedicated audit logs with actor, IP, and outcome, giving a full forensic trail.
Abuse and fraud prevention
Rate limiting protects authentication, password-reset, and payment endpoints. Checkout applies card validation and fraud-aware checks, and payment states are continuously reconciled against the gateway.
Resilient infrastructure
The platform runs on managed cloud infrastructure with automated database backups. Strict security headers (CSP, frame-ancestors, referrer and permissions policies) harden every response.
Responsible disclosure
Found a vulnerability? Report it to our team and we will investigate promptly. We ask researchers to avoid accessing other users' data and to give us reasonable time to fix issues before disclosure.
Compliance
Where we stand — stated honestly
We tell you exactly what is certified, what is designed-in, and what is on the roadmap. No badge-collecting, no overstated claims.
GDPR & Kosovo data protection
Saleonix is designed to meet Kosovo's Law No. 06/L-082 on Protection of Personal Data and the EU GDPR where it applies: data minimization, field-level encryption, documented sub-processors, and data-subject rights handled through our support channels. See our privacy policy for the full picture.
Read the privacy policy
PCI DSS
Card payments are processed by the Payten gateway and settled by BKT, our acquiring bank — both PCI DSS-certified payment institutions. Saleonix never stores cardholder data and maintains its PCI DSS obligations in coordination with these partners.
SOC 2
Our security controls — access management, encryption, audit logging, monitoring, and change discipline — are built in alignment with the SOC 2 Trust Services Criteria. A formal third-party attestation is on our roadmap as the platform grows; we do not claim certification before an auditor has issued one.
AML & payment regulation
As a payments platform and merchant of record in Kosovo, we operate under the country's payment-system, banking, and anti-money-laundering legislation, including seller verification (KYC) before any account can accept live payments.
Terms & conditions
Day-to-day discipline
Practices, not promises
Compliance pages are easy to write. These are concrete behaviors built into how the platform actually runs, every day, for every account.
- Sellers are verified (KYC) before accepting live payments
- Test Mode is fully isolated from live money movement
- Administrative surfaces are unindexed and access-guarded in depth
- All API responses are served with no-store cache headers
- Suspended accounts are automatically restricted to Test Mode
- Payment sessions, callbacks, and refunds are independently audited and reconciled
Security questions? Vulnerability to report?
Talk directly to the team that builds and operates the platform — security reports are read first.