Security

Security & Compliance

IPPAN Pay is built for regulated environments. Every transaction produces a deterministic, verifiable proof anchored to IPPAN L2. Access controls, audit logging, and key management are first-class primitives -- not afterthoughts.

Role-based access controls

Assign granular permissions to team members across environments. Separate operator, viewer, and admin roles ensure least-privilege access to sensitive payment operations and settlement data.

Immutable audit logs

Every API call, dashboard action, and configuration change is recorded in a tamper-evident audit log. Logs are retained for 7 years and exportable in structured JSON for compliance review.

Webhook signature verification

All webhook payloads are signed with HMAC-SHA256 using a per-endpoint secret. SDKs include constant-time verification helpers to prevent timing side-channel attacks.

API key hygiene

Keys are scoped to individual environments (sandbox, production) and can be rotated instantly without downtime. Revoked keys are rejected within milliseconds across all edge nodes.

Compliance exports

Generate audit-ready exports for SOC 2, financial regulators, and internal compliance teams. Settlement proofs, transaction logs, and access records are available in CSV, JSON, and PDF.

Operational monitoring

Real-time dashboards surface anomalous transaction patterns, failed authentication attempts, and settlement delays. Configurable alerting integrates with PagerDuty, Slack, and email.

Deterministic settlement proofs

Every settlement batch produces a cryptographic proof that can be independently verified against the IPPAN L2 state root. No trust assumptions required -- any auditor, regulator, or counterparty can confirm finality.

proof-verification.ts

import { IppanPay } from "@ippan/pay-sdk";

const client = new IppanPay({ apiKey: process.env.IPPAN_API_KEY! });

// Retrieve and independently verify a settlement proof
const proof = await client.proofs.retrieve("prf_Kx7mNv3pQr");

console.log(proof.verified);         // true
console.log(proof.hash);             // "0x8a3f...c7d1"
console.log(proof.block_height);     // 1482937
console.log(proof.verification_url);
// "https://explorer.l2.ippan.com/proof/prf_Kx7mNv3pQr"

// Proofs can also be verified directly against
// the IPPAN L2 state root without trusting this API.

Infrastructure security

The platform is designed to meet the operational requirements of financial institutions and regulated payment processors.

Encryption in transit and at rest

All API traffic is encrypted with TLS 1.3. Sensitive data at rest is encrypted with AES-256-GCM. Key material is managed through hardware security modules.

Penetration testing

Independent third-party penetration tests are conducted quarterly. Findings are remediated within defined SLAs and results are available to enterprise customers under NDA.