Compliance Overview
Last updated: June 1, 2026
SecondSwype is built on a security-first architecture. We process zero raw card data — tokenization happens before any data reaches our systems. This page summarizes our compliance posture and security controls.
PCI DSS via VGS
SecondSwype does not store, process, or transmit raw Primary Account Numbers (PANs). All card data is tokenized at the point of capture by Very Good Security (VGS), a PCI DSS Level 1 certified vault provider. Only tokens and non-sensitive payment metadata are passed to the S2 Engine.
Tokenization Architecture
Our architecture separates sensitive cardholder data from the intelligence layer:
- Customer card data is captured by your existing checkout and immediately tokenized by VGS.
- VGS returns a format-preserving token that keeps the BIN and the last four digits, so routing logic still works without the PAN.
- The S2 Engine receives only the token, BIN-level signals, and transaction metadata — never the raw PAN.
- Recovery routes are executed using the token, ensuring raw card data never leaves the VGS vault.
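The tokenization flow described above, as an added worked example that is not SecondSwype's or VGS's code: a stand-in vault issues format-preserving tokens that keep the BIN and last four digits, a payload builder assembles what the intelligence layer is allowed to see, and a guard flags any Luhn-valid card number before it reaches that layer. The `DemoVault` class, the test card number, and the payload field names are assumptions made for the illustration.

```python
"""Constructed illustration of PAN tokenization with BIN and last-four preserved.

Assumption: DemoVault stands in for a PCI-scoped vault provider; it is not
the VGS client API. The card number used is an industry test number.
"""
import re
import secrets

# Digit runs of plausible card-number length, used by the leak check.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class DemoVault:
    """Hypothetical tokenization vault (assumption: not a real VGS client).

    The raw PAN lives only in this object's private map. Everyone outside the
    vault sees a token that keeps the BIN (first six) and last four digits so
    routing still works; the middle digits are random and the token is forced
    to fail Luhn so it cannot be mistaken for a real card number.
    """

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        bin_, last4 = pan[:6], pan[-4:]
        middle_len = len(pan) - 10
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(middle_len))
            token = bin_ + middle + last4
            # Reject a token that equals the PAN, passes Luhn, or collides.
            if token != pan and not luhn_valid(token) and token not in self._store:
                break
        self._store[token] = pan
        return token

    def route_via_vault(self, token: str, processor_call):
        """Stand-in for the vault's outbound proxy: the one place the PAN is
        resolved, handed only to the processor connection, never returned."""
        return processor_call(self._store[token])


def build_engine_payload(token: str, amount_cents: int, currency: str) -> dict:
    """What the intelligence layer may see: token, BIN-level signals, metadata."""
    return {
        "card_token": token,
        "bin": token[:6],
        "last4": token[-4:],
        "amount_cents": amount_cents,
        "currency": currency,
    }


def payload_leaks_pan(payload: dict) -> bool:
    """Defensive check at the boundary of the intelligence layer: flag any
    value containing a Luhn-valid card-length digit run. Tokens fail Luhn by
    construction, so True means a raw PAN slipped through."""
    for value in payload.values():
        for candidate in PAN_RE.findall(str(value)):
            if luhn_valid(candidate):
                return True
    return False


if __name__ == "__main__":
    vault = DemoVault()
    token = vault.tokenize("4111111111111111")  # constructed test card number
    payload = build_engine_payload(token, 1999, "USD")
    print("engine payload:", payload)
    print("leaks PAN?", payload_leaks_pan(payload))
    approved = vault.route_via_vault(token, lambda pan: luhn_valid(pan))
    print("routed via vault, processor saw a valid PAN:", approved)
```

The boundary check is the part worth keeping in a real system: tokens that deliberately fail Luhn let a cheap regex-plus-checksum filter distinguish "token" from "card number" in logs, queues and model inputs, which is how a data-minimization claim like the one above becomes something you can continuously verify.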
Data Residency
All transaction data is processed and stored in the United States (AWS us-east-1 and us-west-2). For merchants requiring EU data residency, contact compliance@secondswype.com to discuss options.
Security Controls
- Encryption in transit: TLS 1.2+ on all API endpoints and dashboard connections.
- Encryption at rest: AES-256 for all stored data via AWS KMS.
- Access control: Role-based access, MFA required for all production access.
- Network security: VPC isolation, WAF, and DDoS protection via AWS Shield.
- Vulnerability management: Annual third-party penetration testing, continuous dependency scanning.
- Incident response: Documented IR plan with 72-hour breach notification SLA.
Certifications (In Progress)
- SOC 2 Type II — audit in progress, expected Q4 2026
- ISO 27001 — roadmap item for 2027
Responsible Disclosure
If you discover a security vulnerability in our platform, please report it to security@secondswype.com. We commit to acknowledging reports within 2 business days and resolving confirmed vulnerabilities within 90 days. We do not take legal action against good-faith security researchers.
Questions
For compliance documentation, BAA requests, or security questionnaires, contact compliance@secondswype.com.