
Security at Scanpay

We have built our system from the ground up with a security-by-design approach, making security considerations the core of our engineering process. You can therefore rest assured that we have implemented multiple layers of security to protect your data.

If you have any questions or concerns, please do not hesitate to contact us.

Data protection

We are fully compliant with the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS).[1] Sensitive data is encrypted with AES-256-GCM and stored in multiple data centers within the European Union. The encryption key is protected with Shamir's Secret Sharing and shares are split between a few trusted employees.[2] This ensures that no single employee can access your data on their own.

We process and store sensitive data in the following locations:

  • Amazon Web Services, Elastic Compute Cloud (EC2), Germany & Ireland: We receive, process and store all our data in two AWS EC2 regions within the European Union. Sensitive data is encrypted with AES-256-GCM.
  • Amazon Web Services, Simple Storage Service (S3), European Union: We continuously make backups. Backups are encrypted and stored for 365 days in Amazon S3 within the European Union.
  • Google Cloud, Google Compute Engine (GCE): GCE is our fallback hosting provider. We only use this environment in case of technical issues or DoS attacks. We do not store data in this environment.

Transaction data is shared with one or more of the following third parties:

Nets A/S | An acquiring bank with a pan-European license. | Transaction data.[3]
Clearhaus A/S | An acquiring bank with a pan-European license. | Transaction data and the IP address of the cardholder.[4]
MobilePay A/S | A mobile payment application developed by Danske Bank A/S. | Amount, currency, merchant name, orderID, language, phone number.
3dsecure.io | A 3-D Secure Server (3DSS) by Clearhaus A/S. | Transaction data and the IP address of the cardholder.[5]

Software security

When we started Scanpay, we decided to build our platform from scratch, in the programming language C. From the very beginning, the emphasis has been on developing a secure, stable and efficient platform, with a small and auditable code base. We also insist on using very little third-party software. Here is a list of third-party software that we use and trust:

Gentoo Linux | Source-based Linux distribution | Very low | High
NGINX | Web server and reverse proxy | Low | Medium
NAXSI | NGINX Web Application Firewall (WAF) | Low | Very low
OpenSSL | TLS and crypto library | Medium | Medium
WireGuard | Fast and secure kernelspace VPN.[6] | Medium | Very low

Transmission security

2020 Q1 SSL report from ssllabs.com

For security reasons, we only support HTTPS with TLSv1.2 and TLSv1.3 on port 443. We only support Elliptic Curve Cryptography (ECC) with the following cipher suites:


We support HSTS preload, DNS CAA and other security features. You can view an SSL/TLS report here.

Request authentication

Before you can use our platform, you must have an API key, which is a unique key used to authenticate API requests. API keys contain a shopid and a randomly generated code, i.e. shopid:code. You can generate an API key in our dashboard after you have created a shop.

API requests are authenticated with HTTP Basic Authentication with your API key: "Authorization: Basic " + base64_encode(apikey)


  • [1] PCI DSS is a security standard for businesses that store, process or transmit credit cards. Since 2017, we have completed two level 1 certifications and two SAQ D certifications. You can view our current AOC here.
  • [2] Shamir's Secret Sharing is used to secure a secret, e.g. an encryption key, in a distributed way. The secret is split into multiple parts, called shares. Two or more shares are needed to reconstruct the original secret.
  • [3] Here transaction data refers to cardholder data, amount, currency and text-on-statement.
  • [4] https://docs.gateway.clearhaus.com/#authorizations
  • [5] https://docs.3dsecure.io/#get-enrollment-status
  • [6] We use WireGuard for internal communication between Scanpay servers.