Security
Security You Can Trust
Bank-grade security at every layer — from the moment a customer starts a conversation to the instant funds settle in your account.
How We Protect You
Security Built In, Not Bolted On
Every component of the Next Opay platform has been designed with security as a first principle.
Stripe-Powered Payments
All payments are processed by Stripe, certified as PCI DSS Level 1 — the highest level of payment security certification. Card data never touches our servers at any point in the payment flow.
TLS Encryption
All data in transit between your browser, our servers and third-party integrations is encrypted using TLS 1.3. All data at rest is encrypted using AES-256 encryption.
JWT Authentication
We use short-lived JSON Web Tokens for session management, stored in secure httpOnly cookies to prevent XSS attacks. Refresh token rotation ensures sessions stay secure over time.
Role-Based Access Control
Granular RBAC with clearly separated permission tiers: Super Admin, Organisation Admin, and Account Viewer. Each role has strict access boundaries enforced at the API level.
Webhook Verification
All Stripe webhook events are verified using HMAC-SHA256 signature validation before processing. SendPulse callbacks are similarly validated to prevent spoofed requests.
Audit Logging
Every administrative action is recorded in an immutable audit log capturing the actor, action type, timestamp, originating IP address, and a full diff of changed values.
Infrastructure
Enterprise-Grade Infrastructure
Hosting
Next Opay is hosted on Vercel, a SOC 2 Type II certified cloud platform with global edge network and automatic DDoS protection.
Database
PostgreSQL hosted on a managed cloud provider with automatic failover, encrypted storage, and strict network access controls.
Backups
Automated database backups run every 24 hours with point-in-time recovery. Backups are encrypted and stored in a geographically separate region.
Availability
We target 99.9% uptime across the platform. Incident status is monitored continuously with automated alerting for any service degradation.
SOC 2 Type II
Vercel Infrastructure
PCI DSS L1
Stripe Payments
99.9% Uptime
Target SLA
AES-256
Encryption at Rest
TLS 1.3
Encryption in Transit
24h Backups
Automated & Encrypted
Responsible Disclosure
Found a Vulnerability?
We take security reports seriously. If you discover a security vulnerability in the Next Opay platform, please disclose it to us responsibly. We ask that you:
- Report the issue privately before any public disclosure
- Give us reasonable time to investigate and remediate
- Not exploit the vulnerability beyond what is necessary to demonstrate the issue
- Not access, modify or delete other users' data
Report security vulnerabilities to: security@nextopay.co.uk
Ready to Transform Your
Payment Collections?
Join businesses using Next Opay to collect payments the smart way.