Security

How Cryptrum Pay protects merchant funds, secret material, and the operating infrastructure. Last updated July 2026.

Non-custodial by design

Cryptrum Pay is a non-custodial gateway: we never take custody of customer payments. Every merchant has a unique HD seed, encrypted with a master key held by the platform operator; within the platform, only the wallet-signing service has access to that key, not the gateway-worker and not the API. Funds settle directly to merchant-controlled addresses derived from that seed.

Encryption at rest

  • HD seeds: AES-256-GCM with a 32-byte key in the operator environment
  • API keys and OAuth client secrets: AES-256-GCM
  • Passwords: argon2id with high-memory parameters
  • 2FA secrets: AES-256-GCM
  • 2FA recovery codes: SHA-256 hashed before storage
  • Database backups: encrypted with operator-rotated keys

Encryption in transit

  • TLS 1.2+ on every HTTP endpoint (no plaintext fallback)
  • HSTS enforced with 1-year max-age on production
  • Outbound webhook deliveries: HMAC-SHA256 signature in every payload (X-Webhook-Signature)
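
Verifying that signature on the receiving (merchant) side, as an added example rather than Cryptrum Pay's own code: it assumes the header carries the hex-encoded HMAC-SHA256 of the raw request body under a per-endpoint webhook secret, and it compares in constant time over the raw bytes before any JSON parsing.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for the demo. In practice use the webhook secret issued for
# the endpoint; where it is issued is an assumption, not stated on the page.
WEBHOOK_SECRET = b"whsec_constructed_example_only"


def sign_payload(secret: bytes, raw_body: bytes) -> str:
    """Hex-encoded HMAC-SHA256 over the exact bytes of the request body.
    Hex encoding of the header value is an assumption about the format."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time check of X-Webhook-Signature against our own recomputation.
    hmac.compare_digest does not short-circuit on the first mismatching byte,
    so response timing does not reveal how much of a guess was correct."""
    if not header_value:
        return False
    expected = sign_payload(secret, raw_body)
    return hmac.compare_digest(expected, header_value.strip().lower())


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict) -> Optional[dict]:
    """Return the parsed event only if the signature verifies, else None.
    Verify over the raw bytes BEFORE json.loads: re-serialising the JSON can
    reorder keys or change whitespace and would yield a different digest."""
    if not verify_signature(secret, raw_body, headers.get("X-Webhook-Signature")):
        return None
    return json.loads(raw_body)


if __name__ == "__main__":
    # Constructed payload standing in for a payment notification.
    body = b'{"event":"payment.confirmed","invoice_id":"inv_constructed_1","amount":"12.50"}'
    headers = {"X-Webhook-Signature": sign_payload(WEBHOOK_SECRET, body)}
    print(handle_webhook(WEBHOOK_SECRET, body, headers))        # parsed event
    tampered = body.replace(b"12.50", b"999.00")
    print(handle_webhook(WEBHOOK_SECRET, tampered, headers))    # None
```

Header names are matched case-sensitively here; most web frameworks normalise them, but check how yours exposes the header before relying on the exact key.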

Authentication

  • Merchant: email + password, optional TOTP 2FA, recovery codes
  • Admin: separate role (X-Admin-Key) with timing-safe compare, 2FA mandatory
  • API: per-project key, scoped permissions, rate-limited
  • OAuth (where enabled): Google, GitHub providers via PKCE

Authorization (RBAC)

The admin panel uses fine-grained permissions (merchants:read, gateway:retry, fees:read, jobs:read, balances:read, settings:write, tokens:write, and so on). Four roles ship by default: owner, finance, support, read_only; owners can define custom roles. Every privileged action writes an audit row capturing the actor, the action, the target resource, and the timestamp.

Network & IP allowlisting

Admin endpoints can be restricted to a list of CIDR blocks, sourced from the environment or the database. This is a hard ingress filter applied before authentication, and it can be updated without a redeploy from the admin Settings page. Changes to the allowlist are recorded in the built-in audit log.

Operational security

  • Secrets read from env or DB-encrypted operational_settings — never committed
  • Code paths that handle seeds run only inside the gateway-worker container
  • Database access constrained to least-privilege roles
  • Audit logs immutable for the retention period; tamper detection on backup digests
  • Quarterly internal review of dependencies (CVE scanning)

Responsible disclosure

Found a vulnerability? Email [email protected] (PGP key on request). We respond within 24 hours and credit reporters in our hall of fame on resolved issues. Please do not publicly disclose until we've had a chance to remediate.

What we cannot guarantee

On-chain transactions are final. Compromise of your wallet keys or your team's merchant-portal credentials is outside our control. Enable 2FA, use IP allowlisting, rotate API keys, and treat your seed exactly like a master password.

Start accepting crypto today.

Create an account, mint a key, and watch your first payment land in under a minute. 1,000,000 free CPT included — no card needed.
