Security

Security measures built around how the product actually works.

PayBridge handles payment routing, verification, and merchant operations data. That means security needs to cover both merchant access and the integrity of payment state. This page explains the controls we rely on and where merchant-side responsibility still matters.

Last updated March 31, 2026

Fund handling

PayBridge does not store or hold customer funds. Settlement goes to the merchant’s configured provider account.

Credential handling

Provider credentials are protected with access controls and encrypted storage.

Reporting issues

For urgent security concerns, email support@paybridgenp.com with the subject line "Security Issue".

Platform controls

  • Authentication controls for merchant accounts, including email verification and optional two-factor authentication.
  • Encrypted handling of sensitive provider credentials and secrets used by the platform.
  • Separation between merchant projects and environments to reduce the chance of cross-project data leakage.
  • Operational logging for checkout sessions, payments, webhooks, and dashboard activity to support troubleshooting and investigations.

Payment integrity and verification

PayBridge does not rely solely on client-side redirects or browser-visible state to mark a payment as successful. Payment status is based on provider callback and verification flows, then surfaced to merchants through the dashboard, APIs, and signed webhooks.

  • Webhook deliveries are signed so merchants can validate that events came from PayBridge.
  • Retry and delivery logging help merchants see whether a webhook was accepted, failed, or needs attention.
  • Public payment tracking is intentionally limited to payment-status lookup rather than broad account access.

Merchant responsibilities

Security is shared. Merchants are responsible for protecting their own dashboard accounts, API keys, webhook endpoints, return URLs, and internal systems that consume PayBridge events.

  • Use strong passwords and enable two-factor authentication for operational accounts.
  • Rotate API keys or webhook secrets if you suspect exposure.
  • Verify webhook signatures before updating order state on your side.
  • Keep your integration endpoints, servers, and admin tooling patched and access-controlled.

How to report a security issue

If you believe you have found a vulnerability, exposed credential, or account compromise, contact support@paybridgenp.com as soon as possible. Include a clear description of the issue, the affected URL or project, steps to reproduce, and any relevant request IDs or screenshots.

Please avoid public disclosure before we have had a reasonable chance to investigate and remediate the issue. Good-faith reports are appreciated.