Security
How Cryptrum Pay protects merchant funds, secret material, and the operating infrastructure. Last updated July 2026.
Non-custodial by design
Cryptrum Pay is a non-custodial gateway. We never take custody of customer payments. Every merchant has a unique HD seed encrypted with a master key the platform operator holds — not the gateway-worker, not the API, only the wallet-signing service. Funds settle directly to merchant-controlled addresses derived from that seed.
Encryption at rest
- HD seeds: AES-256-GCM with a 32-byte key in the operator environment
- API keys and OAuth client secrets: AES-256-GCM
- Passwords: argon2id with high-memory parameters
- 2FA secrets: AES-256-GCM
- 2FA recovery codes: SHA-256 hashed before storage
- Database backups: encrypted with operator-rotated keys
Encryption in transit
- TLS 1.2+ on every HTTP endpoint (no plaintext fallback)
- HSTS enforced with 1-year max-age on production
- Outbound webhook deliveries: HMAC-SHA256 signature over every payload, delivered in the X-Webhook-Signature header
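One way a merchant endpoint can verify that header before trusting a delivery, as an added example that is not Cryptrum Pay's own code. It assumes the header carries a lowercase hex digest of the raw request body (the page names HMAC-SHA256 and X-Webhook-Signature but not the encoding) and uses a constructed secret and event.

```python
import hmac
import hashlib
import json

# Constructed sample secret for this example (not a real credential).
WEBHOOK_SECRET = b"whsec_example_constructed_secret"
HEADER_NAME = "X-Webhook-Signature"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Hex-encoded HMAC-SHA256 over the raw request bytes.

    Assumption: hex encoding. Always MAC the bytes as received; re-serialising
    parsed JSON changes whitespace/key order and breaks verification."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, headers: dict) -> bool:
    """Compare the presented header against a freshly computed MAC.

    hmac.compare_digest runs in time independent of where the first
    mismatching byte is, so an attacker cannot learn the MAC byte by byte."""
    presented = headers.get(HEADER_NAME)
    if not presented:
        return False
    expected = sign_payload(secret, body).encode()
    return hmac.compare_digest(expected, presented.strip().lower().encode())


def handle_webhook(secret: bytes, body: bytes, headers: dict) -> dict:
    """Verify first, parse second: only authenticated bodies reach json.loads."""
    if not verify_webhook(secret, body, headers):
        return {"status": "rejected", "reason": "bad signature"}
    event = json.loads(body)
    return {"status": "accepted", "event": event.get("type")}


# Constructed sample delivery: a settlement event and its matching signature.
SAMPLE_BODY = json.dumps({"type": "payment.settled", "amount": "12.50"}).encode()
SAMPLE_HEADERS = {HEADER_NAME: sign_payload(WEBHOOK_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print(handle_webhook(WEBHOOK_SECRET, SAMPLE_BODY, SAMPLE_HEADERS))
    # A tampered body with the old signature must be rejected.
    tampered = SAMPLE_BODY.replace(b"12.50", b"99.00")
    print(handle_webhook(WEBHOOK_SECRET, tampered, SAMPLE_HEADERS))
```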
Authentication
- Merchant: email + password, optional TOTP 2FA, recovery codes
- Admin: separate role (X-Admin-Key) with timing-safe compare, 2FA mandatory
- API: per-project key, scoped permissions, rate-limited
- OAuth (where enabled): Google, GitHub providers via PKCE
Authorization (RBAC)
The admin panel uses fine-grained permissions: merchants:read, gateway:retry, fees:read, jobs:read, balances:read, settings:write, tokens:write, etc. Roles ship as: owner, finance, support, read_only — owners can define custom roles. Every privileged action writes an audit row capturing actor, action, target resource, timestamp.
Network & IP allowlisting
Admin endpoints can be restricted to a list of CIDR blocks (env or DB). This is a hard ingress filter, applied before authentication, and can be updated without a redeploy via the admin Settings page; changes are recorded in the built-in audit log.
Operational security
- Secrets read from env or DB-encrypted operational_settings — never committed
- Code paths that handle seeds run only inside the gateway-worker container
- Database access constrained to least-privilege roles
- Audit logs immutable for the retention period; tamper detection on backup digests
- Quarterly internal review of dependencies (CVE scanning)
Responsible disclosure
Found a vulnerability? Email [email protected] (PGP key on request). We respond within 24 hours and credit reporters in our hall of fame once the issue is resolved. Please do not disclose publicly until we've had a chance to remediate.
What we cannot guarantee
On-chain transactions are final. Compromise of your wallet keys or your team's merchant-portal credentials is outside our control. Enable 2FA, use IP allowlisting, rotate API keys, and treat your seed exactly like a master password.