Trust posture, ready for procurement review

Security as architecture, not policy.

The four most-asked questions from procurement teams, answered concretely. Plus how customer data, audit, and incident isolation work in practice, at a level your security team can verify.

The four questions

What procurement asks. What we answer.

Where does my data live?

In a database that only your store can read. There is no master key into your store's data, no shared admin path, no shared encryption key. Every Cardem store has a dedicated database, dedicated storage, and dedicated signing keys. The customer data lives behind your store's keys.

If we receive a legal request directed at us, we can produce infrastructure-level metadata only. Your customer records remain with your store.

What if there's a security incident?

A security event affecting one customer cannot reach another. Each customer has dedicated keys, dedicated secrets, and a dedicated data plane. Cross-customer impact is prevented by design, not by careful coding alone.

Our incident response is documented: detect, isolate the affected store, preserve evidence, communicate within four hours, root-cause within seventy-two hours. Other stores are unaffected by design.

How do you handle GDPR and data subject rights?

GDPR is the universal baseline regardless of where your customers live. Right to access via a downloadable export within thirty days. Right to erasure within thirty days, with documented retention rules for tax and customs traceability. Right to rectification via self-service profile editing. Right to portability in machine-readable form.

Data Processing Agreements are ready for institutional buyers. The sub-processor list is published and updated when it changes. Your customers can submit requests through the self-service portal without operator involvement.

How do you authenticate?

Strong password hashing with breach-database checking at signup, password change, and login. Short-lived access sessions with rotating refresh sessions that detect and block stolen-session replay. Two-factor authentication is mandatory for admins and wholesale buyers, optional for retail.

Account-enumeration attempts are blocked through constant-time responses. Login attempts are rate-limited per IP, per account, and per email with escalating lockouts. Every authentication event is captured in the audit log.

Defenses, by layer

Stack mapped to threat. No theatre.

Identity

  • Strong password hashing
  • Breach-database check on every password event
  • Constant-time response on failed login
  • Rate limit per IP and per account
  • Email enumeration shielded
  • Self-service two-factor enrolment
  • Two-factor mandatory for admins and wholesale

Sessions

  • Short-lived access sessions
  • Rotating refresh sessions
  • Stolen-session replay detection
  • Compromised session triggers logout of all devices
  • User notified by email on revocation
  • Active sessions listing with remote sign-out
  • Cookies hardened with strict policies
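The rotating-refresh and replay-detection behaviour in the Sessions list, shown as an added, self-contained example (this is illustration code written for this page, not Cardem's implementation). It assumes an in-memory session table, SHA-256 hashes of tokens instead of the tokens themselves, and a notifications list standing in for the revocation email; the class and method names are the example's own:

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed example: one "session family" per login. Exchanging the refresh
# token rotates it; presenting an already-exchanged token is treated as replay
# and revokes every device in the family.


@dataclass
class SessionFamily:
    user: str
    current_hash: str                                # hash of the only refresh token that is valid now
    revoked: bool = False
    rotated_out: set = field(default_factory=set)    # hashes of tokens already exchanged


def _digest(token: str) -> str:
    # Store hashes only, so a leaked session table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self.families: dict[str, SessionFamily] = {}
        self.notifications: list[tuple[str, str]] = []   # (user, reason): stand-in for the email

    def login(self, user: str) -> tuple[str, str]:
        """Start a new session family; returns (family_id, refresh_token)."""
        family_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.families[family_id] = SessionFamily(user, _digest(token))
        return family_id, token

    def refresh(self, family_id: str, presented: str) -> Optional[str]:
        """Exchange a refresh token for a new one; None means the request was rejected."""
        fam = self.families.get(family_id)
        if fam is None or fam.revoked:
            return None
        h = _digest(presented)
        if hmac.compare_digest(h, fam.current_hash):
            fam.rotated_out.add(h)                 # the old token is dead from here on
            new_token = secrets.token_urlsafe(32)
            fam.current_hash = _digest(new_token)
            return new_token
        if h in fam.rotated_out:
            # A token that was already exchanged is back. Either the real client or a
            # thief holds a stale copy and the server cannot tell which, so the whole
            # family (every device) is revoked and the user is told.
            self._revoke(family_id, "refresh token replayed")
        return None

    def _revoke(self, family_id: str, reason: str) -> None:
        fam = self.families[family_id]
        fam.revoked = True
        self.notifications.append((fam.user, reason))

    def is_active(self, family_id: str) -> bool:
        fam = self.families.get(family_id)
        return fam is not None and not fam.revoked


def demo() -> dict:
    """Walk through a legitimate rotation followed by a replay of the old token."""
    store = SessionStore()
    fid, t1 = store.login("alice@example.com")   # constructed sample user
    t2 = store.refresh(fid, t1)                  # legitimate rotation: t1 -> t2
    replay = store.refresh(fid, t1)              # t1 presented again: replay
    after = store.refresh(fid, t2)               # the still-valid t2 is now rejected too
    return {
        "rotated": t2 is not None,
        "replay_rejected": replay is None,
        "family_revoked": not store.is_active(fid),
        "later_refresh_rejected": after is None,
        "user_notified": store.notifications == [("alice@example.com", "refresh token replayed")],
    }
```

The design point is that replay detection does not try to identify which holder is the thief: once a rotated-out token reappears, the only safe outcome is logging out every device in that family, which is why the page pairs replay detection with "logout of all devices" and a notification.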

Data

  • Dedicated database for your store
  • Dedicated object storage
  • Dedicated secrets and signing keys
  • Customer data encrypted at rest
  • Image EXIF stripped on upload
  • Sensitive documents accessed by short-lived links
  • No global admin path into customer data

Audit

  • Append-only log, no edit, no delete
  • Tamper-evident chain across entries
  • Daily integrity check
  • Alert on chain break, immediate
  • Seven-year retention
  • All financial and auth events captured
  • Operator cannot tamper invisibly
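The append-only, tamper-evident chain and daily integrity check in the Audit list, as an added worked example (written for this page, not Cardem's own audit code). It assumes a SHA-256 hash chain over canonical JSON records and an external checkpoint of the chain head stored where the operator cannot rewrite it; event records and the checkpoint string are constructed for the example:

```python
from __future__ import annotations

import hashlib
import json
from typing import Optional

GENESIS = "0" * 64   # fixed starting value for an empty chain


def entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so an identical record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, record: dict) -> str:
        """Append a record; its hash commits to every earlier entry through prev."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = entry_hash(prev, record)
        self.entries.append({"prev": prev, "record": record, "hash": h})
        return h

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries: list) -> tuple[bool, Optional[int]]:
    """Recompute every link from GENESIS. Returns (ok, index of the first broken entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev or entry_hash(prev, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, None


def daily_check(log: AuditLog, checkpoint: str) -> str:
    """
    The scheduled integrity job: walk the chain, then compare its head with a
    checkpoint held outside the operator's reach (a plain string here, constructed).
    Returns 'ok' or the alert reason.
    """
    ok, idx = verify_chain(log.entries)
    if not ok:
        return f"alert: chain break at entry {idx}"
    if log.head() != checkpoint:
        return "alert: head differs from external checkpoint (entries removed or replaced)"
    return "ok"


def demo() -> dict:
    """Three tampering attempts against a three-entry log and what the check reports."""
    log = AuditLog()
    log.append({"event": "login", "user": "alice@example.com"})          # constructed events
    log.append({"event": "refund", "order": "A-1001", "amount": 40})
    log.append({"event": "role_change", "user": "bob", "role": "admin"})
    checkpoint = log.head()   # what the external store holds after the day's last write
    results = {"clean": daily_check(log, checkpoint)}

    # 1. Edit a past financial record in place: its recomputed hash no longer matches.
    log.entries[1]["record"]["amount"] = 4
    results["edited"] = daily_check(log, checkpoint)
    log.entries[1]["record"]["amount"] = 40

    # 2. Delete a middle entry: the following entry's prev no longer points at its predecessor.
    removed = log.entries.pop(1)
    results["middle_deleted"] = daily_check(log, checkpoint)
    log.entries.insert(1, removed)

    # 3. Truncate the tail: the chain by itself still verifies; only the checkpoint catches it.
    log.entries.pop()
    results["tail_truncated"] = daily_check(log, checkpoint)
    results["tail_truncated_chain_only"] = verify_chain(log.entries)[0]
    return results
```

The third case is the caveat worth noting when reviewing any "tamper-evident chain" claim: a hash chain detects edits and gaps, but a log cut off at its most recent entries is still a valid chain. Detecting that requires comparing the head against a value recorded elsewhere, which is the role of the external checkpoint in the daily check.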

Edge

  • Web application firewall
  • DDoS protection at the edge
  • Bot challenges on auth and checkout
  • Bot scoring with custom rules
  • Rate limit by IP, account, and email
  • Strict transport security headers
  • Custom domains with managed certificates

Process

  • External penetration test before public launch
  • Bug bounty programme post-launch
  • Mandatory code review on every change
  • Dependency vulnerability scanning
  • Secret scanning on commits
  • Quarterly access review per store
  • Documented incident response runbook

Compliance posture

GDPR baseline. ISO-aligned process. Card-data offloaded.

Cardem doesn't process or store card numbers. That responsibility sits with the payment provider where it belongs.

Standard or regulation | Cardem position | Status
GDPR | Universal baseline regardless of customer location. Right to access, erasure, rectification, portability. Data Processing Agreements ready for institutional buyers. | Adopted
PCI-DSS | Card data offloaded to provider. Cardem operates outside PCI scope by design. | Out of scope
SOC 2 | Underlying infrastructure inherits SOC 2 Type II. Cardem readiness audit scheduled when our customer base requires it. | Roadmap
ISO 27001 | Process documentation aligned to ISO 27001 controls. Formal certification when customer base requires it. | Aligned
CCPA | Subject rights handled within GDPR baseline. "Do Not Sell" honoured by default. | Adopted
HIPAA | Cardem is not a HIPAA-suitable platform. Health data businesses should not use it. | Not in scope

For procurement

Have a vendor questionnaire?

SIG, CAIQ, or your own. We can answer the standard questions in advance and return your form filled within five business days.

Send a questionnaire