Security at Felloh
Felloh is built from the ground up to handle sensitive payment data securely. We invest heavily in security infrastructure, compliance certifications, and operational practices to protect your business and your customers.
Standards and Regulatory Compliance
PCI DSS Level 1 Compliant
Felloh achieves PCI DSS Level 1 compliance — the most stringent level available in the payments industry — through our partnership with Basis Theory, a certified PCI Level 1 Service Provider. All sensitive cardholder data is vaulted and processed through Basis Theory's infrastructure, meaning raw card data never enters Felloh's own systems.
This architecture provides the highest standard of cardholder data protection while allowing Felloh to focus on delivering a seamless payment experience. When you use Felloh to accept payments, sensitive card data is collected and vaulted directly by Basis Theory — it never touches your servers or ours. This significantly reduces your own PCI compliance burden.
Trust Account Management
Felloh operates fully managed client trust accounts, providing a regulated framework for holding and disbursing customer funds. Trust account operations are subject to regular independent audits and strict regulatory oversight, ensuring that customer funds are always protected and properly segregated.
Data Protection and Privacy
Felloh complies with applicable data protection regulations including the UK GDPR and the Data Protection Act 2018. We maintain a published privacy policy and provide data processing agreements to customers who require them.
We process only the minimum personal data necessary to provide our services and give you tools to manage data retention and deletion through our API.
Product Security
Authentication and Access Control
- API Key Pairs — All API access requires both a public and private key. Private keys are used exclusively server-side and are never exposed to browsers.
- JWT Token Management — API sessions use short-lived JWT bearer tokens that are automatically refreshed. Tokens expire after a set period, limiting the window of exposure if a token is compromised.
- Dashboard Access — The Felloh dashboard supports multi-factor authentication (MFA) and role-based access control, allowing you to restrict what team members can see and do.
- Audit Logging — All actions taken through the API and dashboard are recorded in an immutable audit log, providing a full trail of who did what and when.
HTTPS and Encryption in Transit
All communication with the Felloh API is encrypted using TLS 1.2 or later. Unencrypted HTTP connections are rejected — there is no option to communicate with our API over plaintext.
We enforce HTTP Strict Transport Security (HSTS) to prevent protocol downgrade attacks and cookie hijacking. All API endpoints, the dashboard, and our payment forms are served exclusively over HTTPS.
Webhook Security
Every webhook request sent by Felloh is signed with an HMAC-SHA256 signature using your webhook secret. This allows you to verify that payloads genuinely originated from Felloh and have not been tampered with in transit. See our Webhooks documentation for implementation details.
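As an added example (not taken from Felloh's documentation), this is one way a receiver might verify an HMAC-SHA256 webhook signature in Python. It assumes the signature is the hex-encoded HMAC of the raw request body; the secret, payload and function names are constructed for illustration, and the actual header name and signature format are defined in the Webhooks documentation.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values, not a real secret or a real Felloh payload.
SECRET = b"constructed-webhook-secret"
RAW_BODY = b'{"event":"example","amount":1000}'


def sign_payload(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes received (encoding is an assumption)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, received_sig: Optional[str]) -> bool:
    """Return True only if received_sig matches the HMAC of raw_body."""
    if not received_sig:
        # A missing or empty signature is a failure, never a bypass.
        return False
    expected = sign_payload(secret, raw_body)
    candidate = received_sig.strip().lower()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), candidate.encode("utf-8"))


def demo() -> dict:
    """Run the cases a receiver should handle and return each outcome."""
    sig = sign_payload(SECRET, RAW_BODY)
    tampered = RAW_BODY.replace(b"1000", b"9000")
    # Re-serialising parsed JSON changes whitespace, so the bytes (and HMAC) differ.
    reserialised = json.dumps(json.loads(RAW_BODY)).encode()
    return {
        "valid": verify_webhook(SECRET, RAW_BODY, sig),
        "tampered_body": verify_webhook(SECRET, tampered, sig),
        "reserialised_body": verify_webhook(SECRET, reserialised, sig),
        "missing_signature": verify_webhook(SECRET, RAW_BODY, None),
        "wrong_secret": verify_webhook(b"other-secret", RAW_BODY, sig),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Verify against the raw request bytes before any JSON parsing, and reject the request when verification fails.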
Infrastructure Safeguards
Payment Data Isolation
Sensitive cardholder data is vaulted by Basis Theory, our PCI Level 1 certified tokenisation partner. Raw card numbers never enter Felloh's infrastructure — they are collected, encrypted, and stored exclusively within Basis Theory's isolated, audited environment. Felloh operates only with opaque tokens, so your integration never needs to handle raw card data.
Cloud Infrastructure
Felloh runs on Amazon Web Services (AWS), leveraging AWS's extensive security certifications (ISO 27001, SOC 1/2/3, PCI DSS Level 1). Our infrastructure is deployed across multiple availability zones for resilience and uses:
- Network-level isolation with private subnets and security groups
- Encryption at rest for all databases and storage
- Automated backups with point-in-time recovery
- Continuous monitoring and automated alerting
DDoS Protection
Our API infrastructure includes multiple layers of protection against distributed denial-of-service attacks, including rate limiting, traffic analysis, and upstream DDoS mitigation provided by AWS Shield.
Maintaining Our Security Posture
Dedicated Security Practices
Security is embedded into our engineering process. All code changes undergo peer review, and changes affecting payment flows or sensitive data receive additional scrutiny. We conduct regular internal security assessments and penetration testing.
Vulnerability Disclosure
If you believe you have found a security vulnerability in Felloh, we encourage responsible disclosure. Please contact us at developers@felloh.com with details of the issue. We take all reports seriously and will respond promptly.
Employee Security
All Felloh employees undergo security awareness training and operate under the principle of least privilege. Access to production systems and customer data is strictly limited to those who require it for their role, and access is reviewed regularly.
Learn More
- Integration Security Guide — Best practices for building a secure integration with Felloh
- Handling Deletion Requests — How to handle customer data deletion requests
- Authentication — How API authentication works
- Webhooks — Verifying webhook signatures
