Security

Security You Can Trust

Bank-grade security at every layer — from the moment a customer starts a conversation to the instant funds settle in your account.

How We Protect You

Security Built In, Not Bolted On

Every component of the Next Opay platform has been designed with security as a first principle.

Stripe-Powered Payments

All payments are processed by Stripe, certified as PCI DSS Level 1 — the highest level of payment security certification. Card data never touches our servers at any point in the payment flow.

TLS Encryption

All data in transit between your browser, our servers and third-party integrations is encrypted using TLS 1.3. All data at rest is encrypted using AES-256 encryption.

JWT Authentication

We use short-lived JSON Web Tokens for session management, stored in secure httpOnly cookies to prevent XSS attacks. Refresh token rotation ensures sessions stay secure over time.

Role-Based Access Control

Granular RBAC with clearly separated permission tiers: Super Admin, Organisation Admin, and Account Viewer. Each role has strict access boundaries enforced at the API level.

Webhook Verification

All Stripe webhook events are verified using HMAC-SHA256 signature validation before processing. SendPulse callbacks are similarly validated to prevent spoofed requests.

Audit Logging

Every administrative action is recorded in an immutable audit log capturing the actor, action type, timestamp, originating IP address, and a full diff of changed values.

Infrastructure

Enterprise-Grade Infrastructure

Hosting

Next Opay is hosted on Vercel, a SOC 2 Type II certified cloud platform with global edge network and automatic DDoS protection.

Database

PostgreSQL hosted on a managed cloud provider with automatic failover, encrypted storage, and strict network access controls.

Backups

Automated database backups run every 24 hours with point-in-time recovery. Backups are encrypted and stored in a geographically separate region.

Availability

We target 99.9% uptime across the platform. Incident status is monitored continuously with automated alerting for any service degradation.

SOC 2 Type II

Vercel Infrastructure

PCI DSS L1

Stripe Payments

99.9% Uptime

Target SLA

AES-256

Encryption at Rest

TLS 1.3

Encryption in Transit

24h Backups

Automated & Encrypted

Responsible Disclosure

Found a Vulnerability?

We take security reports seriously. If you discover a security vulnerability in the Next Opay platform, please disclose it to us responsibly. We ask that you:

  • Report the issue privately before any public disclosure
  • Give us reasonable time to investigate and remediate
  • Not exploit the vulnerability beyond what is necessary to demonstrate the issue
  • Not access, modify or delete other users' data

Report security vulnerabilities to: security@nextopay.co.uk

Ready to Transform Your
Payment Collections?

Join businesses using Next Opay to collect payments the smart way.