Does CloudPaya hold my crypto funds?

No. CloudPaya is non-custodial. Payments go directly from the customer's wallet to the merchant's wallet on the blockchain. CloudPaya never holds, controls, or has access to merchant funds.

How does CloudPaya protect merchant data?

All connections use HTTPS/TLS encryption. Each merchant account uses an isolated database. API keys are hashed. Passwords are bcrypt-hashed. No wallet private keys are ever stored.

What happens if CloudPaya goes offline?

Your funds are safe. Because CloudPaya is non-custodial, your crypto is already in your wallet. CloudPaya downtime only affects new payment request generation and webhook notifications — existing funds are unaffected.

How do I report a security vulnerability?

Email security@cloudpaya.com with details. We acknowledge reports within 48 hours and aim to resolve critical issues within 7 days.

Security & Transparency — CloudPaya Crypto Payment Gateway

Non-Custodial Architecture = Security by Design

The most important security feature of CloudPaya is what we don't do: we never hold your money.

Most payment processors are custodial — they receive customer payments into their own wallets, then pay you later. This creates a single point of failure and a high-value attack target. If they get hacked, your money is at risk. If they go bankrupt, your money is stuck.

CloudPaya eliminates this entirely. Our non-custodial model means:

Fund Safety

Your wallet, always

Customer payments go directly to your wallet address on the blockchain. CloudPaya generates unique derived addresses tied to your wallet — we never have access to the private keys.

Zero Custody Risk

Nothing to steal

CloudPaya's servers do not store any cryptocurrency. Even if our systems were compromised, there are no funds to take. Attackers cannot steal what does not exist.

Downtime Resilience

Funds survive outages

If CloudPaya goes offline, your funds are safe — they are already in your wallet. Downtime only affects new payment request generation, not existing funds.

Verifiable

Blockchain is the proof

Every transaction is recorded on a public blockchain. You can independently verify any payment using a block explorer. No trust required — only math.

Data Security

While we do not hold funds, we do handle merchant account data responsibly:

Layer	Protection
Transport	All traffic encrypted via HTTPS/TLS. HTTP requests are redirected to HTTPS.
Authentication	Passwords are hashed with bcrypt. API keys are hashed and never stored in plaintext.
Database isolation	Each merchant account uses an isolated database. Cross-tenant access is architecturally impossible.
Private keys	CloudPaya never stores wallet private keys. We only store public wallet addresses for payment monitoring.
Webhooks	Webhook payloads include a signature hash that merchants can verify to confirm authenticity.
Admin access	The cloud admin panel is IP-restricted and requires separate authentication.

Fee Transparency

CloudPaya's fee structure is published, predictable, and has no hidden costs:

Transaction Amount	Fee
Under $100	1% + $0.30
$100 — $999	0.8% + $1.00
$1,000+	0.5% + $2.00

No monthly fees. No setup fees. No minimum transaction requirements.
No withdrawal fees. Funds go directly to your wallet — there is nothing to withdraw.
Network fees are paid by the sender (customer) as part of the blockchain transaction, not by the merchant.

What We Store vs. What We Don't

We Store

Merchant email address and hashed password
Public wallet addresses (for payment monitoring)
Transaction metadata (amount, status, timestamps)
API request logs (for debugging and rate limiting)
Dashboard settings and preferences

We Never Store

Wallet private keys or seed phrases
Customer personal data (name, address, ID)
Credit card or bank account numbers
Cryptocurrency funds or balances
Plaintext passwords or API keys

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a security issue in CloudPaya, we ask that you report it responsibly:

How to report

Email security@cloudpaya.com with:

A description of the vulnerability
Steps to reproduce
The potential impact

Our commitment

We will acknowledge your report within 48 hours.
We will provide an initial assessment within 5 business days.
Critical vulnerabilities will be prioritized for fix within 7 days.
We will not take legal action against researchers who report vulnerabilities in good faith.

Please do not publicly disclose vulnerabilities before we have had a chance to address them.

Security FAQ

What happens if CloudPaya gets hacked?

Your funds are safe. CloudPaya does not hold cryptocurrency. An attacker could potentially access merchant emails and transaction metadata, but not funds — because there are none on our servers.

What happens if CloudPaya shuts down?

Your funds are in your wallet. They have always been in your wallet. You lose access to the dashboard and API, but not your money. Transaction history can be verified on-chain independently.

Can CloudPaya freeze my funds?

No. We cannot freeze, reverse, or withhold blockchain transactions. Once a customer sends crypto to your wallet, it is yours. We have no technical ability to interfere with on-chain funds.

Is CloudPaya PCI-DSS compliant?

PCI-DSS applies to card payment data. CloudPaya does not process credit cards and does not collect card numbers, so PCI-DSS does not apply. We follow equivalent data security standards for the data we do handle.

Security & Transparency