Security policy
Last updated: 21 February 2026
Inopay applies a multi-layered security posture aligned with industry standards. No sensitive information is retained beyond operational or regulatory necessity.
Non-custodial by design
Inopay never touches funds or securities. Flows go from PSP to licensed SGI. See the trust center for the full diagram.
Learn moreTLS 1.3 + AES-256-GCM encryption
All application traffic is encrypted with TLS 1.3 minimum. Data at rest is encrypted with AES-256-GCM with managed key rotation.
Ed25519 signatures
KYC attestations and audit snapshots are signed with Ed25519. Offline verifiable by any integrator or regulator.
Learn moreResponsible disclosure
We welcome external security reports through a formal procedure. Public recognition on researcher request.
Responsible disclosure procedure
Any security researcher may confidentially report a vulnerability. We commit not to pursue legal action for good-faith research conducted within the published scope and without harm to user data. Please do not publicly disclose a vulnerability before a fix is in place.
Contact: security@getinopay.com
Response SLA
Acknowledgement within 48 working hours. Initial qualification within 5 working days. Critical vulnerability fix within 14 days. Reporter informed at end of treatment in all cases.
Bug bounty
A formal bug-bounty programme is being structured. Researchers who contributed during the responsible-disclosure phase will be invited as priority. Details to be published on this page.