Security

Certifications and compliance

• PCI-DSS Level 1 — the highest level for card processors. Annual third-party audit.
• Reserve Bank of Malawi — licensed payments services provider.
• GDPR-aligned — applies to all EU/UK customer data we handle.
• SOC 2 Type II — in progress, expected Q3 2026.

Data encryption

• TLS 1.3 for data in transit (everywhere).
• AES-256 for data at rest.
• Card data tokenised — we never store raw PANs.
• Database encryption at the column level for sensitive fields.

Access control

• Role-based access for every Letts Commerce account.
• SSO via SAML / OIDC for Enterprise plans.
• 2FA available on every account; required for owners.
• Engineer access to production is logged, time-bound, and reviewed monthly.

Infrastructure

• Hosted on enterprise-grade cloud infrastructure with 99.99% SLA.
• Multi-region redundancy in production.
• Daily encrypted backups, retained 90 days.
• DDoS protection at the edge.

Audit and monitoring

• Every transaction is logged immutably.
• Suspicious activity flagged via real-time anomaly detection.
• Quarterly penetration tests by independent firms.
• Bug bounty program (contact us for scope and rules).

Incident response

We have a documented incident-response process. In the event of a security incident affecting your data, we will notify you within 72 hours of discovery and provide ongoing updates until resolution.

Reporting a vulnerability

Found something? Email security@lettscommerce.com. PGP key on request. We acknowledge within 24 hours and don’t pursue legal action against good-faith researchers who follow our disclosure guidelines.

Security questions

Enterprise security review packets, third-party audit reports, and additional documentation are available under NDA. Email hello@lettscommerce.com.