Built on trust, verified by design
Enterprise-grade security without the complexity—cryptographic verification, origin protection, and zero data retention by default.
HMAC Verified
Cryptographically signed
Origin Hidden
Protected from discovery
Zero Body Storage
Metadata only, no content
Full Audit Trail
90-day retention, exportable
HMAC Signature Verification
Every proxied request is cryptographically signed with HMAC-SHA256 using your secret key. Each signature includes a timestamp to prevent replay attacks—requests older than 5 minutes are automatically rejected, ensuring attackers can't reuse captured signatures.
Read the HMAC spec →
Origin Protection
In proxy mode, your origin URL is never exposed to clients: requests are forwarded server-side through PayFence. Even if an attacker discovers your origin, any request that does not carry a valid signature is rejected, so your API cannot be used without valid credentials.
Data Privacy
PayFence never stores request or response bodies. Only metadata is processed: HTTP method, path, token ID, plan limits, and allow/deny decisions. Your sensitive data flows directly between client and origin without intermediate storage or inspection.
Per-Plan Rate Limiting
Two layers of rate limiting protect your API. Site-level limits guard against DDoS and abuse. Per-plan token rate limits (configurable 10–10,000 req/min) let you give different tiers different throughput, enforced automatically at the gateway before requests reach your origin.
Audit Logging
Every rate limit decision is logged with full context: token ID, plan applied, timestamp, and allow/deny outcome. Quota warning webhooks fire at 80% usage so you can alert customers proactively. Filter logs by any dimension, export for compliance, and retain for 90 days.
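The two-layer limiter and the decision log from the two sections above, as one added example in Node.js (illustration code, not PayFence's implementation; PayFence's storage and webhook formats are not documented on this page). The plan names and limits, the site-wide ceiling, the audit record shape, and the `onWarn` callback standing in for the quota webhook are all assumptions. Counting is done in fixed one-minute windows; the site ceiling is checked first and counts every request, then the per-token plan limit, and the 80% warning fires once per token per window. Records carry only metadata: there is no body field to store.

```javascript
// Added example (not PayFence's code): a two-layer, per-plan rate limiter with
// metadata-only audit logging and a one-shot quota warning at 80% of the plan limit.
// Plan names, the site ceiling, the log record shape and the onWarn callback are
// assumptions for illustration.

const WINDOW_MS = 60_000; // limits are expressed per minute
const WARN_PERCENT = 80;  // quota warning threshold; integer math avoids float rounding

// Hypothetical plan tiers inside the page's 10-10,000 req/min range.
const EXAMPLE_PLANS = { free: 10, pro: 1000, enterprise: 10000 };

class Gateway {
  constructor({ siteId, siteLimitPerMin, plans = EXAMPLE_PLANS, onWarn = () => {} }) {
    this.siteId = siteId;
    this.siteLimitPerMin = siteLimitPerMin;
    this.plans = plans;
    this.onWarn = onWarn;
    this.counters = new Map(); // counter key -> { window, count } (fixed 1-minute windows)
    this.warned = new Set();   // "tokenId:window" pairs that already received the 80% warning
    this.auditLog = [];        // metadata-only decision records
  }

  // Increment and return the counter for `key` in the window containing nowMs.
  _bump(key, nowMs) {
    const window = Math.floor(nowMs / WINDOW_MS);
    let c = this.counters.get(key);
    if (!c || c.window !== window) {
      c = { window, count: 0 };
      this.counters.set(key, c);
    }
    c.count += 1;
    return c.count;
  }

  // Decide allow/deny for one request. Only metadata is passed in; no body is ever seen.
  authorize({ tokenId, plan, method, path, nowMs = Date.now() }) {
    const limit = this.plans[plan];
    const window = Math.floor(nowMs / WINDOW_MS);
    let allow = true;
    let reason = "ok";
    let used = 0;

    // Layer 1: the site-wide ceiling counts every request, including ones later denied
    // by their plan, because its job is to bound the total load the gateway absorbs.
    const siteUsed = this._bump(`site:${this.siteId}`, nowMs);
    if (siteUsed > this.siteLimitPerMin) {
      allow = false;
      reason = "site limit exceeded";
    } else if (limit === undefined) {
      allow = false;
      reason = "unknown plan";
    } else {
      // Layer 2: the per-token plan limit.
      used = this._bump(`token:${tokenId}`, nowMs);
      if (used > limit) {
        allow = false;
        reason = "plan limit exceeded";
      } else if (used >= Math.ceil((limit * WARN_PERCENT) / 100) && !this.warned.has(`${tokenId}:${window}`)) {
        // Fire the 80% warning once per token per window, never on a denied request.
        this.warned.add(`${tokenId}:${window}`);
        this.onWarn({ siteId: this.siteId, tokenId, plan, used, limit, window });
      }
    }

    // Audit record: token ID, plan applied, timestamp, outcome. No body is present to store.
    const record = {
      ts: nowMs, siteId: this.siteId, tokenId, plan: plan ?? null, limit: limit ?? null,
      used, method, path, decision: allow ? "allow" : "deny", reason,
    };
    this.auditLog.push(record);
    return record;
  }

  // Filter by any dimension: every field of the record is queryable by exact match.
  filterLog(criteria) {
    return this.auditLog.filter((r) => Object.entries(criteria).every(([k, v]) => r[k] === v));
  }
}

// Constructed traffic for a stand-alone run: one token exhausts its plan, a second
// token then runs into the site ceiling, and the next minute resets both counters.
function demo() {
  const warnings = [];
  const gw = new Gateway({ siteId: "site_demo", siteLimitPerMin: 15, onWarn: (w) => warnings.push(w) });
  const t0 = 1_700_000_000_000;
  const req = (tokenId, nowMs) => gw.authorize({ tokenId, plan: "free", method: "GET", path: "/v1/items", nowMs });
  const results = [];
  for (let i = 0; i < 11; i++) results.push(req("tok_A", t0 + i));
  for (let i = 0; i < 5; i++) results.push(req("tok_B", t0 + 100 + i));
  results.push(req("tok_A", t0 + WINDOW_MS));
  return { gw, results, warnings };
}
```

In `demo()`, `tok_A` is allowed ten times, receives one warning on its eighth request, and is denied on the eleventh by its plan; `tok_B` is allowed four times and then denied by the site ceiling of fifteen, which also counted the request `tok_A` was denied on; one minute later `tok_A` is allowed again with a fresh count.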
Performance Benchmarks
Real-world latency across deployment modes. All measurements in milliseconds.
| Mode | p50 | p95 | p99 |
|---|---|---|---|
| Middleware | ~8ms | ~15ms | ~25ms |
| Proxy | ~35ms | ~60ms | ~90ms |
| Cold Start | ~400ms | — | — |
Infrastructure Security
Every layer of the stack is secured by default.
| Layer | Protection | Detail |
|---|---|---|
| Encryption in transit | TLS 1.2+ on all connections | CloudFront enforces HTTPS. HTTP requests automatically redirect. |
| Encryption at rest | AES-256 on all data stores | DynamoDB, S3, and CloudWatch Logs all use AWS default encryption. |
| Authentication | Amazon Cognito + JWT | Signed tokens with 1-hour expiry. Google OAuth supported. |
| Authorization | Role-based access control | Three roles (site_owner, admin, consumer) enforced at the middleware layer. |
| API key security | Cryptographically random keys | 24-byte hex keys (sk_*), scoped per site. Validated on every request. |
| Rate limiting | Per-endpoint rate limits | Express rate limiting on all public and dashboard endpoints. |
| Security headers | Helmet.js | XSS protection, MIME sniffing prevention, content security policy. |
Data Flow
PayFence sits in the authorization path, not the data path. We verify whether a request should be allowed. We do not inspect, transform, or store request/response payloads.
```text
Your Customer → PayFence (authorize) → Your API Origin
      │               │
      │               ├── Decision: allow or deny
      │               ├── Quota check: within plan limits?
      │               └── Log: metadata only (no body)
      │
      └── Stripe (if subscribing) → Stripe handles all payment data
```
Monitoring & Incident Response
Real-time observability with documented procedures for every failure mode.
| Capability | Status |
|---|---|
| Real-time alerting | 14 CloudWatch alarms covering Lambda errors, DynamoDB throttles, 5xx rates, webhook failures. Critical alerts → email within 60 seconds. |
| Structured logging | Every API request logged with request ID, site ID, decision, and latency breakdown. JSON format for automated analysis. |
| Health monitoring | Public health endpoint (/api/health) verifies database connectivity. Returns degraded status if any dependency is unreachable. |
| Incident runbooks | Documented procedures for 6 failure modes: gateway outage, database throttling, cold starts, webhook failures, DNS issues, deployment rollback. |
| Post-mortem process | Structured template for root cause analysis, timeline, and preventive action items. |
Compliance Roadmap
SOC 2 gap analysis complete. Audit planned when triggered by first enterprise customer.
| Control | Status | Timeline |
|---|---|---|
| Encryption at rest (AES-256) | Done | — |
| Encryption in transit (TLS 1.2+) | Done | — |
| Authentication + RBAC | Done | — |
| Privacy policy + Terms of service | Done | Published at payfence.io/privacy |
| Structured audit logging | Done | — |
| CloudWatch monitoring + alerting | Done | 14 alarms, SNS notifications |
| Incident response runbooks | Done | 6 runbooks + post-mortem template |
| SOC 2 gap analysis | Done | 16 controls mapped |
| Automated dependency scanning | Planned | Q1 2026 |
| MFA enforcement | Planned | Before first enterprise customer |
| Input schema validation | Planned | Q2 2026 |
| SOC 2 Type I audit | Planned | Triggered by first enterprise customer |
Hosting & Vendor Certifications
All infrastructure runs on AWS (us-east-1), leveraging AWS’s SOC 2, ISO 27001, and PCI DSS certifications. Payment processing is fully delegated to Stripe (PCI DSS Level 1).
| Service | Provider | Compliance |
|---|---|---|
| Compute (API) | AWS Lambda | SOC 2, ISO 27001, PCI DSS |
| Database | AWS DynamoDB | SOC 2, ISO 27001, PCI DSS |
| CDN / TLS | AWS CloudFront | SOC 2, ISO 27001 |
| Authentication | AWS Cognito | SOC 2, ISO 27001 |
| Payments | Stripe | PCI DSS Level 1, SOC 2 |
| DNS | AWS Route53 | SOC 2, ISO 27001 |
Security-specific inquiries: info@payfence.io
We’re happy to walk through our architecture, provide additional detail on any control, or discuss specific compliance requirements for your use case.