Skip to main content
← Back to home

Security

Last updated: April 1, 2026

Effective date: April 1, 2026

Introduction

TensorRail is a technology orchestration platform. We never hold, store, or transmit payment funds. Our role is to securely route payment instructions between merchants and their processors. This page describes how we protect your data and your processor credentials.

Card Data Architecture

TensorRail uses processor-direct tokenization — card data is captured directly by processor-hosted secure fields within the customer's browser. Card numbers, CVVs, and expiry dates are transmitted directly from the customer to the processor. They never pass through TensorRail's servers or infrastructure.

This architecture means TensorRail operates under the lightest PCI compliance scope. We are SAQ-A eligible — we do not process, store, or transmit cardholder data. Our PCI architecture is documented in our PCI Scope & Data Security Pack, available on request.

How We Handle Processor Credentials

Your processor API keys and credentials are encrypted at rest using AES-256. They are stored in isolated, access-controlled environments and are never shared between merchants or with third parties. We use them exclusively to execute payment operations on your behalf. You can rotate or revoke credentials at any time via the dashboard or API. When you terminate your account, we delete your stored credentials within 30 days.

Data Protection

All API communication is encrypted with TLS 1.2 or higher. We maintain audit logs of administrative and payment-related operations. Role-based access control (RBAC) is applied across the platform so that only authorized users can access sensitive functions. All endpoints are protected with rate limiting and brute-force protection.

Infrastructure Security

Our systems are hosted on European infrastructure with strict access and network controls. We perform automated backups with tested restore procedures. We use DDoS protection and a web application firewall, and conduct regular security reviews to identify and address risks.

What We Don't Touch

Payment card data (numbers, CVVs, expiry dates) is captured directly by processor secure fields in the customer's browser — TensorRail never sees this data. End-customer personal data is handled by processors. Transaction metadata (IDs, amounts, currencies, status codes) is all we process. All fund movement happens directly between merchants, processors, and payout partners.

Responsible Disclosure

We take security seriously. If you discover a vulnerability in our platform, please report it responsibly.

How to Report

  • Email: security@tensorrail.com
  • Include: description of the vulnerability, steps to reproduce, and potential impact
  • We will acknowledge receipt within 48 hours
  • We will provide an initial assessment within 5 business days

Rules

  • Do not access or modify other users' data
  • Do not perform denial-of-service attacks
  • Do not publicly disclose the vulnerability before we've had a chance to fix it
  • Act in good faith

Recognition

We appreciate security researchers who help us keep our platform safe. We will acknowledge your contribution (with your permission) once the vulnerability is resolved.

Contact

For security-related questions or to report a vulnerability: security@tensorrail.com.