Introduction

Pay Ready users trust us with billions of clients, information, and personal details. That trust is based on our keeping that data both private and secure. The information on this page is intended to provide transparency about how we protect that data. We will continue to expand and update this information as we add new security capabilities and make security improvements to our products.

Account Security

Pay Ready never stores your password in plaintext. While we don’t require you to set a complex password, we encourage you to choose a strong one.

Email Security

Pay Ready gives you a way to create notes in your account by sending emails to a unique Pay Ready email address. To protect you from malicious content, we scan all email we receive using a commercial anti-virus scanning engine.

When you receive an email from Pay Ready, we want you to be confident that it really came from us. We publish an enforcing DMARC policy to improve your confidence that email you receive from Pay Ready is legitimate. Every email we send from @PayReady.com and @centralbillingmgr.com will be cryptographically signed using DKIM and originate from an IP address we publish in our SPF record.

Product Security

Securing our Internet-facing web service is critically important to protecting your data. Our security team drives an application security program to improve code security hygiene and periodically assess our service for common application security issues, including CSRF, injection attacks (XSS, SQLi), session management, URL redirection, and clickjacking.

Customer Segregation

The Pay Ready service is multi-tenant and does not segment your data from other users’ data. Your data may live on the same servers as another user’s data. We consider your data private and do not permit another user to access it unless you explicitly share it. See the Product Security section for how we enforce our authorization model for access to private and shared content.

Data Destruction

Pay Ready retains your content unless you take explicit steps to delete it. Deactivating a personal account or revoking access to a business account does not automatically remove content.

Media Disposal and Destruction

We never repurpose storage media for use outside our production environment if it has ever been used to store user data. We have procedures to securely destroy storage media by degaussing and physically smashing it prior to disposal.

Customer Account Access

Pay Ready, like most web apps, has an administrative tool. This tool allows our customer service and platform administration teams to resolve customer issues. We limit who has access to customer data within this administration tool based on business need and strongly authenticate that access.

We periodically review employee access to customer accounts to identify administrative abuse and minimize the situations where we might need to access account content in the future.

Activity Logging

The Pay Ready service performs server-side logging of client interactions with our services. This includes web server access logging, as well as activity logging for actions taken through our API. These logs also include successful and unsuccessful login events. We do not automatically collect activity logs from our software clients.

Transport Encryption

Pay Ready uses industry-standard encryption to protect your data in transit. This is commonly referred to as Transport Layer Security (“TLS”) or Secure Sockets Layer (“SSL”) technology. In addition, we support HTTP Strict Transport Security (HSTS) for the Pay Ready service (app.payready.com). We support a mix of cipher suites and TLS protocols to provide a balance of strong encryption for browsers and clients that support it and backward compatibility for legacy clients that need it. We plan to continue improving our transport security posture to support our commitment to protecting your data.