Does PayNugget store my customers' credit card numbers?

No. Card payments are processed by Stripe, a PCI DSS Level 1 certified provider. Sensitive card data is sent directly to Stripe and never touches or is stored on PayNugget servers.

Is my data encrypted?

Yes. All traffic to PayNugget is encrypted in transit with TLS (HTTPS), and data stored in our database is encrypted at rest by our infrastructure providers. Secrets and credentials are kept out of source code and injected at runtime.

Are you SOC 2 or ISO 27001 certified?

Not yet. We are an early-stage product and we will not claim certifications we do not hold. This page describes the security posture we have designed and operate today; formal audits are on our roadmap as we grow.

Who can access my account data internally?

Access follows least-privilege principles: only a small number of authorized team members can access production systems, and only when needed to operate the service or help you with a support request.

Can I get my data out if I want to leave?

Always. You own your data and can export your customers and invoices in one click, in a portable format, at any time. There is no lock-in. See our data-export feature for details.

How do I report a security issue?

Email security@paynugget.com with details. We take reports seriously and will acknowledge and investigate responsibly disclosed vulnerabilities.

Security & trust

How PayNugget protects your money and your data

You are trusting us with your invoices, your customers, and the way you get paid. Here is a plain, honest description of the security posture we've designed — including what we do and what we don't yet claim.

Start free Read our privacy policy

Card data goes straight to Stripe · encrypted in transit and at rest

vs ~$29 on a card

Invoice #1042

$1,000

Paid

Paid by: Bank transfer (ACH)
Processing fee: $4
You keep: $996

Our approach

How does PayNugget keep my data safe?

PayNugget protects your data with encryption in transit (TLS) and at rest, sends card numbers straight to Stripe (PCI DSS Level 1) so they never touch our servers, limits production access on a least-privilege basis, and lets you export everything in one click. We do not yet claim SOC 2 or ISO 27001 certifications.

We keep the attack surface small, lean on proven providers for the hardest problems, and give you control over your own data.

The pillars

Four things we get right by default

Card data we never hold

Card payments run through Stripe (PCI DSS Level 1). Card numbers are sent directly to Stripe's vault and are never stored on our systems — so a PayNugget breach can't expose your customers' card details.

Encryption everywhere it matters

Every connection to PayNugget uses TLS (HTTPS). Data in our database is encrypted at rest by our hosting provider. Credentials and secrets live in a secure environment, never in our codebase.

Least-privilege access

Production access is limited to a small set of authorized team members and granted only when needed to run the service or resolve a support request. We log and review administrative actions.

You own and control your data

Your customer and invoice records are yours. Export them in one click anytime, and request deletion when you close your account. No lock-in means you are never trapped by a vendor decision.

See one-click export

The smaller the target

The safest data is the data we never store

Card numbers go straight to Stripe — so a PayNugget breach can't expose them.

Why we keep card data at Stripe

By keeping sensitive card and bank details with our PCI-certified payments provider, we shrink what we have to secure — and what could ever be at risk.

The details

A closer look at our controls

Payments & PCI scope

We deliberately keep card data out of our environment. Stripe handles card tokenization, processing, and storage, which means sensitive cardholder data never reaches PayNugget. For ACH bank payments, bank account details are likewise handled by our payments provider rather than stored in plaintext by us. This minimizes our PCI scope and the amount of sensitive data we are responsible for.

Encryption & secrets

All client-to-server traffic is protected with TLS. Database contents are encrypted at rest by our infrastructure providers. Application secrets such as API keys and database credentials are injected at runtime from a secure configuration store and are not committed to source control.

Infrastructure & sub-processors

PayNugget runs on established cloud infrastructure. We use Vercel for hosting and edge delivery, Neon for our managed PostgreSQL database, and Stripe for payments. Each is a reputable provider with its own security program. The full list of sub-processors and the data they handle is in our privacy policy.

Access control & monitoring

We follow least-privilege principles for internal access to production systems and customer data. Authentication is required for all account access, and we work to keep dependencies patched and our systems up to date. As the team and product grow, we plan to formalize these practices through independent audits.

What we don't claim

no badges we haven't earned

We will be straight with you: PayNugget is an early-stage product, and we do not yet hold SOC 2, ISO 27001, or similar certifications. We are not going to put a badge on this page that we haven't earned. What we describe here is the posture we operate today, and we will update this page as our security program matures.

Found a vulnerability?

We welcome responsible disclosure. Email security@paynugget.com with details and we'll investigate promptly. Please give us a reasonable window to remediate before any public disclosure.

Related at PayNugget

Privacy policy
What we collect, our sub-processors, and your CCPA rights.
One-click data export
Your records are yours. Take everything with you, anytime.
Terms of service
Accounts, fees, payments, and acceptable use.
About PayNugget
Why we only claim what we can back up.

Read the privacy policy, see one-click data export, review the terms of service, or learn more about PayNugget.

Security FAQ

Straight answers about how we protect your data.

Does PayNugget store my customers' credit card numbers?: No. Card payments are processed by Stripe, a PCI DSS Level 1 certified provider. Sensitive card data is sent directly to Stripe and never touches or is stored on PayNugget servers.
Is my data encrypted?: Yes. All traffic to PayNugget is encrypted in transit with TLS (HTTPS), and data stored in our database is encrypted at rest by our infrastructure providers. Secrets and credentials are kept out of source code and injected at runtime.
Are you SOC 2 or ISO 27001 certified?: Not yet. We are an early-stage product and we will not claim certifications we do not hold. This page describes the security posture we have designed and operate today; formal audits are on our roadmap as we grow.
Who can access my account data internally?: Access follows least-privilege principles: only a small number of authorized team members can access production systems, and only when needed to operate the service or help you with a support request.
Can I get my data out if I want to leave?: Always. You own your data and can export your customers and invoices in one click, in a portable format, at any time. There is no lock-in. See our data-export feature for details.
How do I report a security issue?: Email security@paynugget.com with details. We take reports seriously and will acknowledge and investigate responsibly disclosed vulnerabilities.

Invoice with confidence

Start free today. Your card data goes to Stripe, your records stay yours, and you can export everything in one click.

Start free Read the privacy policyTakes about 2 minutes.