We use Stripe's enterprise infrastructure, cryptographic delivery proofs, and regulated financial institutions. Your money is never in our bank accounts.
Payments are processed by Stripe, a PCI-DSS Level 1 certified payment processor trusted by Amazon, Google, and Shopify. We never touch or store your card details.
Stripe Technology Europe Ltd is an Electronic Money Institution (EMI) regulated by the Central Bank of Ireland. Your money is held in segregated accounts, not in Holdy's.
Every delivery is cryptographically hashed and timestamped. If a dispute arises, we have immutable proof of what was delivered and when.
Every seller completes Stripe KYC verification before they can receive payments. Real identity, real bank account, verified by a regulated financial institution.
All data in transit is encrypted with TLS 1.3. Data at rest is encrypted with AES-256. No unencrypted HTTP anywhere.
Database access is locked down with row-level security. You can only see your own transactions — not even our engineers can access them without proper authorization.
Primary data stored in EU data centers (Frankfurt). GDPR-compliant by default. Daily encrypted backups with 30-day retention.
Passwords hashed with bcrypt. Email verification required. Rate limiting on every endpoint. Session tokens with strict expiration.
Every transaction is screened by Stripe Radar using machine learning trained on billions of transactions across the Stripe network.
Every action is logged: deals created, payments made, disputes opened. Immutable audit trail for every transaction, queryable by you.
Full GDPR compliance including right to access, rectification, and erasure. Clear data processing agreements with all our sub-processors. See our Privacy Policy.
All sellers pass AML (Anti-Money Laundering) and KYC (Know Your Customer) checks via Stripe before they can receive payments. Identity verification, document checks, and ongoing monitoring.
Full PSD2 compliance for European payment services. Strong Customer Authentication (SCA) enforced on all transactions through Stripe.
Operating as a Dutch entity (WebInstal, KvK 78581672), subject to Dutch consumer law and the Wwft (anti-money laundering act).
We take security seriously. If you've found a security issue, please report it responsibly.
security@getholdy.com