Security is the product under the product
Money and personal data move through this platform every second. Here is what actually protects both today — no fabricated certifications, just what's built.
Built, not claimed
What's actually in place today
Card data never touches us
Card numbers are entered on a page processed by a licensed payment provider. DorskoPay's own systems never store raw card data.
HMAC-signed webhooks
Every webhook event is signed with HMAC-SHA256 and timestamped, so your endpoint can verify it came from us and hasn't been replayed.
Hashed, scoped API keys
API keys are hashed at rest and can be revoked individually at any time from your dashboard.
Full admin audit trail
Every mutating admin action — refunds, commission changes, account suspensions — is logged with who, what and when.
Login activity logging
Every sign-in attempt, successful or failed, is logged with IP address and device — visible to you in Settings.
Sandbox by default
You can test your entire integration — checkout, subscriptions, webhooks — before a single real transaction happens.
Architecture
How it's actually built
-
lock
Encrypted in transit
Every connection to the platform runs over TLS — checkout, dashboard and API alike.
-
key
Hashed, revocable API keys
API keys are hashed at rest, scoped to your account, and can be revoked individually at any time.
-
shield_lock
Ownership-scoped data access
Merchant dashboards only ever query that merchant's own data — enforced at the database-query level, not just the UI.
-
webhook
Signed webhooks
Every webhook carries an HMAC-SHA256 signature and timestamp, so your endpoint can verify authenticity and reject replays.
Every payment
Full transaction record — gross, tax, commission, net, status
Every admin action
Who changed what, on which account, and when
Every sign-in
Success or failure, IP address, device
Every webhook
Delivery attempt, response, signed payload
Where we're headed
Formal certifications: on the roadmap, not claimed yet
PCI DSS
Not yet certified. Card data is handled by a licensed payment provider, not stored on our systems.
SOC 2
Not yet attested. Formal third-party security audits are a goal as the platform matures, not a claim we make today.
ISO 27001
Not yet certified. We'd rather say so than display a badge we haven't earned.
Responsible disclosure
Found a security issue? Email us directly — every report is read by a human.
Doing a vendor security review? Email us — we'll answer honestly about what's in place today and what's still being built.
Ask us anything arrow_forwardTrust is earned
in milliseconds.
Every transaction, every webhook, every login — protected by the same standards the card networks hold us to.
Free forever plan · Cancel anytime · Payouts in 24h