Security Hub
Last Updated: February 2026
Cibeeo Inc SRL — Operating as VebboPay
1. Security Overview and Commitment
At VebboPay, security is foundational to everything we build. As an autonomous, agentic AI payments and processing platform, we recognise that our users entrust us with their most sensitive financial data and the authority to execute transactions on their behalf through AI-driven agents. This responsibility demands an uncompromising approach to security at every layer of our infrastructure, applications, and operations.
Cibeeo Inc SRL maintains a comprehensive information security programme designed to protect the confidentiality, integrity, and availability of our systems and data. Our security programme is informed by industry-leading frameworks, regulatory requirements including DORA and GDPR, and continuous threat intelligence. We invest in defence-in-depth strategies, ensuring that multiple independent layers of security controls protect against both known and emerging threats.
2. Infrastructure Security
2.1 Encryption
VebboPay employs robust encryption to protect data both at rest and in transit:
- Encryption at Rest: All data stored within VebboPay's systems is encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys), one of the strongest block cipher algorithms available. This includes databases, file storage, backups, and logs containing sensitive information. Encryption keys are managed through a dedicated key management service with strict access controls, automated rotation, and hardware security module (HSM) backing.
- Encryption in Transit: All data transmitted between VebboPay's clients and servers, between internal services, and between VebboPay and third-party partners is protected using TLS 1.3 (Transport Layer Security version 1.3). We enforce the latest cipher suites and disable legacy protocols. HTTP Strict Transport Security (HSTS) is enforced across all domains, and we employ certificate pinning where applicable for mobile clients.
2.2 Network Segmentation
Our infrastructure employs strict network segmentation to isolate critical systems and limit the blast radius of any potential compromise. Production environments are separated from development and staging environments. Payment processing systems operate in dedicated, hardened network segments with granular firewall rules permitting only necessary traffic flows. Internal services communicate over private networks that are not directly accessible from the public internet.
2.3 DDoS Protection
VebboPay utilises multi-layered distributed denial-of-service (DDoS) protection to ensure the availability of our services. Our defences include volumetric attack mitigation at the network edge, application-layer filtering to detect and block sophisticated attack patterns, rate limiting and traffic shaping to prevent abuse, and real-time monitoring with automated response capabilities. We maintain relationships with leading DDoS mitigation providers and conduct regular capacity planning to ensure resilience against large-scale attacks.
2.4 Redundancy and Backup
VebboPay's infrastructure is designed for high availability and disaster recovery:
- Geographic Redundancy: Critical services are deployed across multiple availability zones within the European Union, ensuring continuity even in the event of a data centre failure.
- Automated Backups: All databases and critical data stores are backed up automatically at regular intervals. Backups are encrypted using AES-256 and stored in geographically separate locations from the primary data.
- Recovery Testing: Disaster recovery and backup restoration procedures are tested regularly to ensure that recovery time objectives (RTO) and recovery point objectives (RPO) are consistently met.
- Failover Systems: Automated failover mechanisms ensure that service interruptions are minimised, with load balancers and health checks continuously monitoring service availability.
3. Application Security
3.1 Secure Development Lifecycle (SDLC)
VebboPay integrates security throughout the software development lifecycle. Security requirements are defined during the design phase, threat modelling is conducted for new features and architectural changes, and security considerations are embedded in every stage from development through deployment. We employ static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA) as part of our CI/CD pipeline to identify and remediate vulnerabilities before code reaches production.
3.2 Code Reviews
All code changes undergo mandatory peer review before merging, with a specific focus on security implications. Security-critical code — including authentication, authorisation, payment processing, cryptographic operations, and AI agent logic — undergoes additional review by senior engineers with security expertise. We maintain coding standards and security guidelines that are enforced through automated linting and manual review processes.
3.3 Penetration Testing
VebboPay engages qualified, independent third-party security firms to conduct penetration testing on a regular basis, at minimum annually, and following any significant changes to our infrastructure or application. Penetration tests cover external-facing services, internal network security, web and API security, and mobile application security. Findings are prioritised by severity and remediated according to strict timelines.
3.4 Vulnerability Management
Our vulnerability management programme includes continuous scanning of all infrastructure and application components, tracking of all identified vulnerabilities in a centralised system, risk-based prioritisation and remediation timelines (critical vulnerabilities are addressed within 24 hours), patch management processes ensuring timely application of security updates, and monitoring of public vulnerability databases and security advisories relevant to our technology stack.
3.5 Bug Bounty Programme
VebboPay maintains a bug bounty programme to encourage responsible security research by the broader community. Security researchers who identify and responsibly disclose valid security vulnerabilities in our systems are eligible for monetary rewards commensurate with the severity and impact of the finding. Details of the programme scope, rules of engagement, and reward structure are available through our responsible disclosure policy (see Section 10 below).
4. Data Security
4.1 Encryption
Beyond infrastructure-level encryption, VebboPay implements application-level encryption for particularly sensitive data elements. Payment card data, personal identification numbers, biometric templates, and cryptographic key material are encrypted using dedicated encryption keys with restricted access. Field-level encryption ensures that sensitive data remains protected even within internal systems and databases.
4.2 Access Controls
VebboPay enforces the principle of least privilege across all systems. Access to production systems, customer data, and sensitive internal resources is granted on a need-to-know basis and is subject to:
- Role-based access control (RBAC) with clearly defined roles and permissions.
- Multi-factor authentication for all administrative and privileged access.
- Just-in-time (JIT) access provisioning for elevated privileges, with automatic expiration.
- Regular access reviews and certification processes to remove unnecessary permissions.
- Separation of duties for critical operations, ensuring no single individual can unilaterally perform high-risk actions.
4.3 Audit Logging
Comprehensive audit logs are maintained for all system activities, including user actions, administrative operations, data access, authentication events, and AI agent activities. Logs are stored in a tamper-evident manner, protected from unauthorised modification or deletion, and retained for the period required by applicable regulations. Our security operations team monitors logs in real time using security information and event management (SIEM) systems, with automated alerting for suspicious or anomalous activity.
4.4 Data Classification
VebboPay maintains a formal data classification policy that categorises all data based on sensitivity and regulatory requirements. Data is classified into four tiers:
- Restricted: Payment card data, cryptographic keys, authentication credentials, and biometric data — subject to the highest level of protection and access restrictions.
- Confidential: Personal financial data, transaction records, KYC/AML documentation, and AI agent configurations — protected by strong encryption and limited access.
- Internal: Business operational data, internal communications, and system configurations — accessible to authorised employees on a need-to-know basis.
- Public: Marketing materials, published documentation, and publicly accessible content — no access restrictions.
5. Authentication Security
5.1 Multi-Factor Authentication (MFA)
VebboPay requires multi-factor authentication for all user accounts. Our MFA implementation supports multiple second-factor methods, including time-based one-time passwords (TOTP) via authenticator applications, hardware security keys supporting FIDO2/WebAuthn, SMS-based verification codes (with a recommendation to use stronger alternatives), and push notification-based authentication. MFA is mandatory for all sensitive operations, including payment initiation, agent configuration changes, and account settings modifications.
5.2 Biometric Support
For mobile and compatible devices, VebboPay supports biometric authentication, including fingerprint recognition and facial recognition, as a convenient and secure authentication factor. Biometric data is processed and stored exclusively on the user's device and is never transmitted to or stored on VebboPay's servers. Biometric authentication leverages platform-native secure enclaves (e.g., Apple Secure Enclave, Android Keystore) to ensure that biometric templates cannot be extracted or replicated.
5.3 Session Management
VebboPay implements strict session management controls to prevent session hijacking and unauthorised access:
- Sessions are bound to the authenticated user's device and IP address characteristics.
- Inactivity timeouts automatically terminate idle sessions after a configurable period.
- Concurrent session limits prevent unauthorised parallel access from multiple locations.
- Session tokens are regenerated upon privilege escalation or authentication state changes.
- Users can view and revoke active sessions through their account security settings.
5.4 JWT Token Security
VebboPay uses JSON Web Tokens (JWT) for API authentication and authorisation. Our JWT implementation follows security best practices:
- Tokens are signed using strong asymmetric algorithms (RS256 or ES256) with regularly rotated signing keys.
- Token lifetimes are kept short, with refresh token rotation to minimise the window of exposure.
- JWTs contain only the minimum necessary claims and never include sensitive data such as passwords or financial account numbers.
- Token validation includes signature verification, expiration checking, issuer and audience validation, and revocation status checks.
- A token revocation mechanism allows immediate invalidation of compromised tokens.
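The validation order in the list above, as an added Python example that is not VebboPay's code: a stdlib-only validator that allow-lists RS256/ES256, verifies the signature before trusting any claim, then checks exp/nbf, iss, aud and a jti revocation set. Signature verification is delegated to a caller-supplied callable (an assumed interface) that in production would wrap a real RSA/ECDSA verifier such as the cryptography package; build_token is a demonstration helper, not a signer.

```python
import base64
import json
import time

# Only the asymmetric algorithms the page names are accepted; "none" and HMAC
# algorithms are rejected before any key is consulted.
ALLOWED_ALGS = {"RS256", "ES256"}

class TokenValidationError(Exception):
    pass

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def build_token(header, claims, signature):
    """Assemble a compact JWT from already-signed parts (demonstration helper only)."""
    head = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{head}.{body}.{_b64url_encode(signature)}"

def validate_jwt(token, verify_signature, expected_issuer, expected_audience,
                 revoked_jtis, now=None, leeway=30):
    """Apply every check in a safe order and return the claims on success.
    verify_signature(alg, kid, signing_input, signature) -> bool is caller-supplied
    and should wrap a real RSA/ECDSA verifier selected by `kid` (assumed interface)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenValidationError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenValidationError("malformed header or signature")
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise TokenValidationError(f"algorithm not permitted: {alg}")
    # The payload is not trusted (or even decoded) until the signature has been verified.
    signing_input = f"{head_b64}.{body_b64}".encode("ascii")
    if not verify_signature(alg, header.get("kid"), signing_input, signature):
        raise TokenValidationError("signature verification failed")
    try:
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:
        raise TokenValidationError("malformed payload")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenValidationError("token expired or missing exp")
    if "nbf" in claims and now + leeway < claims["nbf"]:
        raise TokenValidationError("token not yet valid")
    if claims.get("iss") != expected_issuer:
        raise TokenValidationError("unexpected issuer")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenValidationError("audience mismatch")
    jti = claims.get("jti")
    if not jti or jti in revoked_jtis:
        raise TokenValidationError("token revoked or missing jti")
    return claims
```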
6. AI Agent Security
VebboPay's autonomous AI agents operate with unique security requirements given their ability to execute financial transactions independently. We have designed specialised security controls to ensure the integrity and safety of agent operations.
6.1 Cryptographic Key Pair Generation
Each AI agent provisioned on VebboPay is assigned a unique cryptographic key pair (public/private) generated using cryptographically secure random number generators. These key pairs serve as the agent's digital identity and are used to sign all transactions and communications originating from the agent. Key generation adheres to industry standards for key length and algorithm selection, ensuring resistance against known cryptographic attacks.
6.2 Encrypted Private Keys at Rest
Agent private keys are encrypted at rest using AES-256 encryption and stored in a dedicated, access-controlled key vault. Private keys are decrypted only in secure memory at the time of transaction signing and are never written to disk in plaintext, included in logs or diagnostic outputs, or transmitted over any network in unencrypted form. Access to the key vault is restricted to the agent runtime environment and is subject to comprehensive audit logging.
6.3 Agent-to-Agent Transfer Validation
When AI agents interact with one another — for example, during multi-agent payment orchestration or delegation of financial tasks — VebboPay enforces strict validation protocols:
- Mutual authentication between agents using their respective cryptographic identities.
- Verification that the originating agent has the authority and budget to initiate the requested action.
- Validation of transfer parameters against the receiving agent's configured acceptance criteria.
- Cryptographic signing and verification of all inter-agent messages to prevent tampering or replay attacks.
- Complete audit trail of all agent-to-agent interactions for compliance and dispute resolution purposes.
6.4 Spending Limit Enforcement
VebboPay implements multi-layered spending limit enforcement for AI agents:
- Per-Transaction Limits: Each agent has a configurable maximum per-transaction amount that cannot be exceeded.
- Daily/Weekly/Monthly Budgets: Aggregate spending limits are enforced over configurable time periods, with automatic suspension when limits are reached.
- Velocity Controls: Limits on the number of transactions an agent can execute within a given time window to detect and prevent runaway behaviour.
- Hierarchical Limits: Organisational and account-level limits that cap total agent spending regardless of individual agent configurations.
- Real-Time Enforcement: All spending limits are evaluated in real time before a transaction is executed; limits are never applied after the fact.
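The five layers above combined into a single pre-execution check, as an added Python example that is not VebboPay's code: agent identifiers, limit values and the in-memory ledger are constructed for illustration, and an agent that exhausts an aggregate budget is suspended automatically.

```python
from dataclasses import dataclass, field
from datetime import timedelta
from decimal import Decimal

# Rolling windows for the aggregate budgets (a calendar month is simplified to 30 days here).
BUDGET_WINDOWS = {"daily": timedelta(days=1), "weekly": timedelta(weeks=1), "monthly": timedelta(days=30)}

@dataclass
class AgentLimits:
    per_transaction: Decimal
    daily: Decimal
    weekly: Decimal
    monthly: Decimal
    max_tx_per_window: int      # velocity control: transactions allowed per velocity_window
    velocity_window: timedelta

@dataclass
class Ledger:
    """In-memory record of executed transactions as (agent_id, org_id, timestamp, amount)."""
    entries: list = field(default_factory=list)

    def _since(self, idx, key, since):
        return [e for e in self.entries if e[idx] == key and e[2] >= since]

    def agent_total(self, agent_id, since):
        return sum((e[3] for e in self._since(0, agent_id, since)), Decimal(0))

    def agent_count(self, agent_id, since):
        return len(self._since(0, agent_id, since))

    def org_total(self, org_id, since):
        return sum((e[3] for e in self._since(1, org_id, since)), Decimal(0))

class SpendingGuard:
    """Evaluates every limit layer before a transaction may execute."""

    def __init__(self, agent_limits, org_monthly_caps, ledger):
        self.agent_limits = agent_limits          # agent_id -> AgentLimits
        self.org_monthly_caps = org_monthly_caps  # org_id -> Decimal, the hierarchical cap
        self.ledger = ledger
        self.suspended = set()                    # agents halted after exhausting a budget

    def authorize(self, agent_id, org_id, amount, now):
        """Return (allowed, reason); the ledger is written only after every check passes."""
        if agent_id in self.suspended:
            return False, "agent suspended"
        if amount <= 0:
            return False, "amount must be positive"
        limits = self.agent_limits[agent_id]
        if amount > limits.per_transaction:
            return False, "exceeds per-transaction limit"
        for name, window in BUDGET_WINDOWS.items():
            if self.ledger.agent_total(agent_id, now - window) + amount > getattr(limits, name):
                self.suspended.add(agent_id)      # automatic suspension once a budget is reached
                return False, f"exceeds {name} budget"
        if self.ledger.agent_count(agent_id, now - limits.velocity_window) >= limits.max_tx_per_window:
            return False, "velocity limit reached"
        if self.ledger.org_total(org_id, now - BUDGET_WINDOWS["monthly"]) + amount > self.org_monthly_caps[org_id]:
            return False, "exceeds organisation-level cap"
        self.ledger.entries.append((agent_id, org_id, now, amount))
        return True, "approved"
```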
7. Incident Response
7.1 72-Hour GDPR Breach Notification
In accordance with Article 33 of the General Data Protection Regulation (GDPR), VebboPay is committed to notifying the relevant supervisory authority of any personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify those individuals directly in accordance with Article 34, providing clear information about the nature of the breach, its likely consequences, and the measures taken or proposed to address it.
7.2 Incident Classification
VebboPay classifies security incidents according to severity to ensure proportionate response:
- Critical (P1): Active breach with confirmed data exfiltration, ransomware, or compromise of payment processing systems. Requires immediate mobilisation of the full incident response team.
- High (P2): Confirmed security incident with potential for data exposure or service disruption, but no evidence of active exfiltration. Requires response within 1 hour.
- Medium (P3): Attempted attack or vulnerability exploitation with limited impact, or potential security weakness identified through monitoring. Requires response within 4 hours.
- Low (P4): Security anomaly or policy violation with minimal risk, such as a single failed authentication attempt from an unusual location. Requires review within 24 hours.
7.3 Incident Response Team
VebboPay maintains a dedicated incident response team comprising members from security engineering, infrastructure operations, legal and compliance, communications, and executive management. The team operates under a defined incident commander structure and follows established runbooks for various incident types. Team members undergo regular training, including simulated incident exercises and tabletop scenarios, to maintain readiness.
7.4 Communication Procedures
During a security incident, VebboPay follows structured communication procedures:
- Internal communications are conducted through secure, dedicated channels separate from production systems.
- Affected users are notified promptly with clear, actionable information about the incident and any steps they should take.
- Regulatory authorities are notified within the timeframes required by applicable law, including the 72-hour GDPR notification and DORA incident reporting requirements.
- Post-incident reports are prepared and shared with relevant stakeholders, including root cause analysis, impact assessment, and remediation measures.
- A public-facing status page provides real-time updates on service availability during significant incidents.
8. Compliance Certifications
8.1 DORA Compliance
VebboPay has implemented the requirements of the Digital Operational Resilience Act (DORA) as detailed in our Regulatory Compliance page. Our ICT risk management framework, incident reporting procedures, resilience testing programme, and third-party oversight arrangements are designed to meet the operational resilience standards mandated by DORA for financial entities operating within the EU.
8.2 PCI DSS Alignment
VebboPay's payment processing infrastructure is designed in alignment with the Payment Card Industry Data Security Standard (PCI DSS). We implement the relevant controls across all twelve PCI DSS requirement domains, including network security, access control, encryption, monitoring, and security policy management. Our payment card handling processes leverage tokenisation and point-to-point encryption to minimise the scope of cardholder data exposure.
8.3 SOC 2 Aspirations
VebboPay is working toward obtaining SOC 2 Type II certification, which will provide independent third-party attestation of our security, availability, processing integrity, confidentiality, and privacy controls. We have engaged with a qualified auditing firm and are in the process of formalising the controls and evidence collection necessary to complete the SOC 2 examination. We anticipate completing our initial SOC 2 Type II audit within the next reporting period.
9. Physical Security
9.1 Cloud Infrastructure Providers
VebboPay's infrastructure is hosted exclusively within European Union data centres operated by leading cloud infrastructure providers. Our cloud partners maintain comprehensive physical security controls, including:
- 24/7 on-site security personnel and surveillance systems.
- Multi-layered physical access controls, including biometric authentication, access badges, and security checkpoints.
- Environmental controls protecting against fire, flood, power failure, and other physical threats.
- Redundant power supply with uninterruptible power systems (UPS) and backup generators.
- Compliance with ISO 27001, SOC 2, and other recognised information security certifications.
9.2 Data Residency
All customer data processed by VebboPay is stored and processed within data centres located in the European Union, in compliance with GDPR data localisation principles and in line with our commitment to data sovereignty. We do not transfer personal data outside the EEA unless adequate safeguards, such as Standard Contractual Clauses (SCCs) approved by the European Commission, are in place.
10. Responsible Disclosure Policy
VebboPay values the security research community and welcomes responsible disclosure of security vulnerabilities. If you believe you have discovered a security vulnerability in our systems, we encourage you to report it to us promptly so that we can investigate and remediate the issue.
10.1 How to Report
Please send vulnerability reports to security@vebbopay.com. Where possible, encrypt your report using our PGP key (available on our security page). Include a detailed description of the vulnerability, steps to reproduce, potential impact, and any proof-of-concept code or screenshots.
10.2 Our Commitments
- We will acknowledge receipt of your report within 2 business days.
- We will provide an initial assessment and expected timeline for remediation within 5 business days.
- We will keep you informed of the progress toward resolution.
- We will not pursue legal action against researchers who comply with our responsible disclosure policy.
- We will credit researchers (with their permission) in our security acknowledgements.
10.3 Scope and Rules of Engagement
We ask that security researchers act in good faith, avoid accessing or modifying other users' data, do not perform denial-of-service attacks, do not engage in social engineering of VebboPay employees, and provide us with a reasonable period to address the vulnerability before any public disclosure. Vulnerabilities in third-party services or platforms integrated with VebboPay should be reported to the respective third-party provider.
Contact
For security-related inquiries, incident reports, or questions about our security practices, please contact:
- Security Team: security@vebbopay.com
- Data Protection Officer: dpo@vebbopay.com
- Compliance Department: compliance@vebbopay.com
© 2026 Cibeeo Inc SRL. All rights reserved. VebboPay is a registered trademark of Cibeeo Inc SRL.