verified_user Trust Center

Security is the product under the product

Money and personal data move through this platform every second. Here is what actually protects both today — no fabricated certifications, just what's built.

Built, not claimed

What's actually in place today

credit_card

Card data never touches us

Card numbers are entered on a page processed by a licensed payment provider. DorskoPay's own systems never store raw card data.

webhook

HMAC-signed webhooks

Every webhook event is signed with HMAC-SHA256 and timestamped, so your endpoint can verify it came from us and hasn't been replayed.

key

Hashed, scoped API keys

API keys are hashed at rest and can be revoked individually at any time from your dashboard.

history

Full admin audit trail

Every mutating admin action — refunds, commission changes, account suspensions — is logged with who, what and when.

fact_check

Login activity logging

Every sign-in attempt, successful or failed, is logged with IP address and device — visible to you in Settings.

science

Sandbox by default

You can test your entire integration — checkout, subscriptions, webhooks — before a single real transaction happens.

Architecture

How it's actually built

  • lock

    Encrypted in transit

    Every connection to the platform runs over TLS — checkout, dashboard and API alike.

  • key

    Hashed, revocable API keys

    API keys are hashed at rest, scoped to your account, and can be revoked individually at any time.

  • shield_lock

    Ownership-scoped data access

    Merchant dashboards only ever query that merchant's own data — enforced at the database-query level, not just the UI.

  • webhook

    Signed webhooks

    Every webhook carries an HMAC-SHA256 signature and timestamp, so your endpoint can verify authenticity and reject replays.

receipt_long

Every payment

Full transaction record — gross, tax, commission, net, status

history

Every admin action

Who changed what, on which account, and when

login

Every sign-in

Success or failure, IP address, device

webhook

Every webhook

Delivery attempt, response, signed payload

Where we're headed

Formal certifications: on the roadmap, not claimed yet

verified_user

PCI DSS

Not yet certified. Card data is handled by a licensed payment provider, not stored on our systems.

shield_lock

SOC 2

Not yet attested. Formal third-party security audits are a goal as the platform matures, not a claim we make today.

workspace_premium

ISO 27001

Not yet certified. We'd rather say so than display a badge we haven't earned.

bug_report

Responsible disclosure

Found a security issue? Email us directly — every report is read by a human.

Doing a vendor security review? Email us — we'll answer honestly about what's in place today and what's still being built.

Ask us anything arrow_forward

Trust is earned
in milliseconds.

Every transaction, every webhook, every login — protected by the same standards the card networks hold us to.

Free forever plan · Cancel anytime · Payouts in 24h