> Card data sits on a PCI DSS Level 1-qualified compliance base — plaintext PANs never touch your servers.

Security & Compliance

# Security & compliance are the foundation, not a feature

Your card data sits on a PCI DSS Level 1-qualified compliance base — plaintext PANs never touch your servers. We carry the heaviest part of compliance at the base, so you collect faster and steadier.

## Base compliance (via a card-network-audited provider)

The card vault is built on a licensed compliance provider, whose platform holds:

### PCI DSS Level 1

### SOC 2 Type II

### ISO 27001

### HIPAA

Note: the above are the base provider's certifications (a PCI DSS Level 1-qualified, card-network-audited provider). KeepPay's vault runs on that compliant base, so plaintext PANs never enter KeepPay or your own environment.

## What KeepPay does for security

🧩

### Tokenize on capture

The card is tokenized in the user’s browser, never touching your front or back end.

🚫

### No plaintext at rest

Your systems, logs, and database hold only tokens — no plaintext PANs.

📉

### Shrink your PCI scope

Because plaintext never passes through your environment, your PCI scope shrinks dramatically.

🔒

### Encryption in transit & at rest

Data is encrypted end to end.

🌐

### Data residency / private

Choose where data lives per regional rules; Enterprise supports private deployment.

👤

### Least privilege & audit

Controlled admin access with action logging.

## Specific compliance or data-residency requirements?

We'll tailor a plan to your region and scenario.
