Trust & Security

Honest answers, not boilerplate.

This page exists to help your compliance team make an informed decision about working with Swepay, what we do well, what we're building, and what we don't have yet. We update it as our posture evolves.

Last updated: May 22, 2026

Security practices

What we do, in concrete terms.

Security at Swepay is implemented in code and infrastructure, not in slide decks. The list below is verifiable, each item is something you or your security team can validate during a technical review.

Data residency: sa-east-1

All Swepay production services run in AWS sa-east-1 (São Paulo). Your data does not leave Brazil by default, and there is no configuration today to transfer it elsewhere. When an auditor asks 'where is my data?', the answer is one region in São Paulo.

Encryption at rest and in transit

TLS 1.2+ enforced on every API surface. Database storage uses managed encryption keys. Object storage (where presigned certificate downloads live) uses server-side encryption with a managed key service. No plaintext sensitive data persists on disk.

Root CA keys in managed key custody

Your tenant's root CA key is generated inside a managed cryptographic key store and used via managed cryptographic operations. The key material is not extractable by Swepay operators in normal operations. Access requires multi-party approval logged through an immutable cloud audit trail.

Audit log, immutable

Every administrative API call is logged with timestamp, tenant ID, action, request fingerprint, and result. Logs are retained per your subscription tier (30 days to 1 year). Tampering would require compromise of the cloud-managed log retention service, a security boundary that is not in Swepay's threat model.

Tenant isolation

Each tenant has a dedicated private Certificate Authority with its own root key, its own audit log scope, and its own access boundary. Multi-tenancy is enforced from API down to storage layer, not implemented as a column filter in a shared database.

Least-privilege IAM

Swepay's internal operators operate under least-privilege AWS IAM roles. Break-glass procedures exist for emergency access and are themselves audit-logged. Routine engineering work does not require access to tenant data.

Vulnerability management

Dependencies and infrastructure are scanned automatically through standard dependency and vulnerability tooling. Critical vulnerabilities are addressed within defined SLAs. We do not yet have a public bug bounty program; responsible disclosure goes to [email protected].

Compliance posture

What we comply with, what we facilitate, what we don't claim.

Brazilian financial regulation has overlapping standards. Below is precisely how Swepay positions itself in each one, without overpromising.

LGPD (Lei Geral de Proteção de Dados)

Swepay is a data processor (operador) under LGPD when handling tenant data. Documented legal basis for each processing activity. Subject rights APIs available where applicable. Default retention aligned with the minimum necessary principle, configurable per regulatory context. DPA template available on request.

Bacen cybersecurity rules

Swepay operates as a vendor to regulated financial institutions. Our infrastructure choices, sa-east-1 residency, encryption, audit logging, tenant isolation, are designed to be compatible with vendor risk requirements that regulated entities apply to their suppliers. We do not claim to comply with Bacen rules ourselves (we are not a regulated entity); we provide the infrastructure that helps your fintech meet its own obligations.

Open Finance, Pix, SPB

Swepay does not issue certificates for Open Finance Brasil, Pix DICT, SPB, or other Brazilian regulated infrastructure. CA Manager issues private CA certificates for B2B mTLS in private integrations. If your scenario requires those regulated certificates, obtain them from established Brazilian providers like Soluti, Serpro, Certisign, or Valid Certificadora.

Open Finance Brasil

Native Guard is in technical validation and is not yet certified under FAPI 1.0 Advanced. CA Manager is not in scope for Open Finance Brasil integration. We do not currently serve Open Finance Brasil use cases.

Internet payment regulations (Pix, SPB)

Swepay is not a payment provider. We do not process transactions, do not connect to Pix DICT, do not connect to SPB, do not connect to STR. Our products run beneath payment infrastructure as supporting services, not as part of it.

Certifications

Where we stand today.

Honest assessment first. Roadmap second. No commitment dates we can't keep.

What Swepay holds today

No formal third-party certifications. Swepay is a bootstrapped pre-seed company that has prioritized product, security architecture, and customer validation over certification audits.

What's on the roadmap

SOC 2 Type I is the most likely first formal certification. Timing depends on customer demand and resource availability, we will publish a target date only when we have credible visibility on the audit window. ISO 27001 is further out. We do not announce certifications until they are achieved.

What we offer in the meantime

Our security architecture is built on AWS-managed primitives that are themselves part of broad compliance attestations (AWS SOC 2, ISO 27001, PCI DSS, LGPD). This does not transfer those certifications to Swepay, but it means the foundation we build on is audited rigorously. For regulated customers, we are open to participating in vendor risk assessment processes, including security questionnaires, architecture reviews, and pen-test of our public surfaces.

If certification is a hard requirement

Some regulated buyers have policies that require their vendors to hold specific certifications. If that's your situation, be transparent with us early. We can have an honest conversation about whether the timing of your need fits our roadmap, or whether you'd be better served by a vendor that's further along on the audit cycle.

DPA

Data Processing Agreement

Under LGPD, processing personal data on behalf of a controller requires a written agreement between processor and controller. Swepay maintains a standard DPA template that we negotiate with customers as part of contract signing.

Our standard DPA covers: data processing purposes scoped per Swepay product; technical and organizational security measures; subprocessor list (currently AWS and AWS-managed services); incident notification within applicable LGPD timelines; subject right facilitation procedures; data retention and deletion on termination; and audit rights.

To receive a copy of our standard DPA for review by your legal team, email [email protected] with your company name and contact. We respond within two business days.

Standard terms are designed to work for most regulated Brazilian customers without modification. Customization is possible for enterprise contracts via AWS Marketplace Private Offers or direct agreements.

[email protected]

Status

Service status and incident notifications.

Production status monitoring and a public status page are on our near-term roadmap.

Today

Operational status is monitored internally. We do not yet publish a real-time status dashboard. For incident notifications, subscribe to our incident mailing list at [email protected], we send notifications when incidents affect production endpoints (ca.swepay.com.br or ca-cdn.swepay.com.br).

On the roadmap

A public status page (status.swepay.co) with real-time uptime metrics, planned maintenance windows, and historical incident reports. Timing follows customer demand and operational maturity.

Reporting an outage

If you believe you are experiencing a service issue with Swepay infrastructure, email [email protected] with: your tenantId, timestamp of when the issue started, affected endpoint, and (if available) request correlation IDs from your client logs.

Security research

Responsible disclosure policy.

We welcome security research on Swepay's public infrastructure. The policy below explains how to report findings and what to expect from us.

In scope

  • ca.swepay.com.br (administrative API)
  • ca-cdn.swepay.com.br (PKI infrastructure CDN)
  • swepay.co and swepay.com.br (institutional sites)
  • Authentication and authorization flows on the above

Out of scope

  • Social engineering of Swepay employees or customers
  • Physical attacks against Swepay infrastructure or offices
  • Denial of service attacks (volumetric or otherwise)
  • Findings derived from automated scanners without proof-of-concept exploitation
  • Third-party services we use (report to the respective vendor)

How to report

Email [email protected] with: vulnerability description, affected endpoint or component, steps to reproduce, and (if possible) suggested remediation. Use plain text or PGP-encrypted email, our PGP key is available on request.

What to expect from us

  • Acknowledgment within 3 business days
  • Triage update within 10 business days
  • Coordination on disclosure timeline (we prefer 90 days from report to public disclosure for confirmed vulnerabilities)

Bounties

We do not currently operate a paid bug bounty program. We are a small team and bounties are not within our current budget. We acknowledge contributions publicly (with researcher consent) on our security acknowledgments list. If you are doing this for the money, this is not the right program for you. If you are doing it because you care about the security of Brazilian financial infrastructure, we welcome you.

Contacts

How to reach the right team.