Security at SpotFraud
We handle some of the most sensitive data in ecommerce. That responsibility shapes every architectural decision, every hiring choice, and every line of code we write. Here is how we protect your data.
Personnel and Facilities
Every member of the SpotFraud team completes a thorough background check and ongoing security awareness training before gaining access to any production system. Access to internal systems, dashboards, and merchant data is provisioned through a formally defined process with role-based permissions. When a team member changes roles or leaves the organization, all credentials and access are revoked immediately through our automated offboarding pipeline. Physical access to offices and secure areas is controlled with badge authentication and logged for audit purposes.
Development
Security is embedded into every stage of our software development lifecycle. When a new feature enters the design phase, our engineering team evaluates the privacy and security requirements as part of the initial specification — not as an afterthought. During implementation, every code change passes through peer review with explicit security validation, automated static analysis for common vulnerability patterns, dependency scanning for known CVEs, and integration testing against our security test suite. No code reaches production without passing all security gates. Our release pipeline enforces signed commits, immutable build artifacts, and automated rollback capabilities.
Application Architecture
The SpotFraud platform is built as a set of isolated, purpose-built services. Each component has a strictly defined role with minimal surface area, controlling access to its data and functionality independently. Services communicate through authenticated, encrypted channels with mutual TLS verification. The principle of least privilege governs every interaction between components — no service has access to data or capabilities beyond what its specific function requires. This architecture ensures that a compromise of any single component cannot cascade into broader data exposure.
Data Handling
All data transmitted to and from SpotFraud is encrypted in transit using TLS 1.3. Data at rest is encrypted with AES-256 across all storage layers. The most sensitive data categories — payment card numbers, authentication credentials, and personally identifiable financial information — are stored using irreversible one-way cryptographic hashing, making it impossible for the original data to be reconstructed in any form. Access to merchant data is governed by strict role-based access controls and every access event is logged to an immutable audit trail. Data is backed up continuously with point-in-time recovery capability. SpotFraud will acknowledge any confirmed data security vulnerability within 24 hours of discovery.
Merchant Data Isolation
Every merchant's data is logically isolated at the infrastructure level. No merchant can access, query, or view another merchant's raw transaction data, customer records, or case files under any circumstance. When our machine learning models train on network-wide fraud patterns, they operate exclusively on anonymized, aggregated signal data that has been stripped of all personally identifiable information. The intelligence that flows between merchants in our network consists of abstract threat signatures and behavioral patterns — never raw customer data. Each merchant controls their own data retention policies and can request complete data deletion at any time.
Infrastructure
All SpotFraud systems are hosted on enterprise-grade cloud infrastructure with SOC 2 Type II certified data centers. We leverage multiple availability zones with automatic failover to maintain high availability. Our infrastructure security stack includes network-level firewalls with default-deny policies, intrusion detection and prevention systems that monitor for anomalous traffic patterns, host-based security agents with real-time file integrity monitoring, automated vulnerability scanning across all production systems, and DDoS mitigation at the network edge. All infrastructure configuration is managed through version-controlled infrastructure-as-code with mandatory peer review.
Monitoring and Incident Response
Once our applications are live, we monitor hundreds of operational and security metrics continuously. Custom alerting thresholds trigger notifications to our engineering and security teams through defined escalation paths with on-call rotation coverage around the clock. We maintain a formal incident response plan that defines severity classifications, response time commitments, communication protocols, and post-incident review processes. Security events are correlated across application logs, infrastructure telemetry, and access audit trails to detect potential threats before they materialize into incidents. All incidents are documented with root cause analysis and remediation verification.
Compliance Roadmap
SpotFraud is actively pursuing SOC 2 Type II certification and maintains compliance with CCPA, CPRA, and applicable state privacy regulations. For merchants with customers in the European Union, our data handling practices are designed to align with GDPR requirements including data minimization, purpose limitation, and the right to erasure. We provide Data Processing Agreements to all enterprise merchants and maintain a transparent record of our data processing activities. Our compliance posture is reviewed quarterly and updated as regulatory requirements evolve.
Have a security question?
If you have questions about our security practices or need to report a vulnerability, our team is available to respond within 24 hours.