Security
How we keep things safe.
Security is part of how we build, not a checkbox at the end. This page summarises the controls we operate today and how to report a vulnerability if you find one.
1. How we’re structured
Rayl Technologies BV builds the software behind Rayl Payments and Rayl Marketplace. We do not hold or move customer funds ourselves. All money movement is handled by licensed third-party Payment Service Providers (PSPs) we partner with, who hold the relevant authorisations under PSD2 and are supervised by their respective EU national competent authorities. That keeps Rayl out of regulated payment activity it is not authorised for, and keeps customer funds with regulated, audited providers.
2. Compliance posture
- GDPR & UK GDPR — we treat personal data the same way regardless of jurisdiction: collect only what we need, keep it no longer than we need to, and give you rights over it. See our Privacy Policy.
- PCI DSS — our PSP partners hold the in-scope PCI DSS attestation for cardholder data. Rayl’s own systems are designed to minimise PCI scope; we never store raw PANs and rely on the PSP’s tokenisation for any card reference.
- PSD2 — payment services are provided through licensed PSPs. Rayl Technologies BV operates as a technical service provider, not a payment institution.
- Data minimisation — we don’t collect extra information “just in case”. If we don’t need it to run the product or meet a legal obligation, we don’t ask for it.
3. Encryption
- In transit — TLS 1.2+ everywhere, with HSTS on production domains.
- At rest — managed encryption on all data stores we operate; cryptographic keys held in a managed KMS with restricted access.
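A practical way to verify the "TLS 1.2+ with HSTS" commitment from the outside is to parse the Strict-Transport-Security header properly and to probe whether a server still negotiates legacy TLS. The following is an added example written for this page, not Rayl's own tooling: the header strings are constructed samples, the one-year minimum is the threshold hstspreload.org uses, and only check_host() and accepts_legacy_tls() touch the network.

```python
"""Check that an HTTPS endpoint meets a "TLS 1.2+ with HSTS" bar.

Added example (not Rayl's own tooling). Header strings used with hsts_findings()
are constructed samples; check_host() and accepts_legacy_tls() need network
access and are the only parts that talk to a real server.
"""
import http.client
import re
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional, Tuple

ONE_YEAR = 365 * 24 * 3600          # hstspreload.org requires at least this
MIN_TLS = (1, 2)                    # the floor the page commits to


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Directive names are case-insensitive, max-age may be quoted, unknown
    directives are ignored, and a directive appearing twice makes the
    whole header invalid.
    """
    max_age = None
    include_subdomains = preload = False
    seen = set()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"duplicate directive {name!r}")
        seen.add(name)
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_findings(header: Optional[str]) -> List[str]:
    """Return the policy gaps in an HSTS header; an empty list means it passes."""
    if header is None:
        return ["HSTS header missing"]
    try:
        policy = parse_hsts(header)
    except ValueError as exc:
        return [f"HSTS header invalid: {exc}"]
    findings = []
    if policy.max_age is None:
        findings.append("max-age directive missing; browsers ignore the header")
    elif policy.max_age == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is below one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing; subdomains stay reachable over plain HTTP")
    return findings


def tls_version_ok(version: str) -> bool:
    """True if a version string as returned by ssl.SSLSocket.version() meets MIN_TLS."""
    m = re.fullmatch(r"TLSv(\d)(?:\.(\d))?", version)
    if not m:                       # 'SSLv3' or anything unrecognised fails closed
        return False
    return (int(m.group(1)), int(m.group(2) or 0)) >= MIN_TLS


def check_host(host: str, port: int = 443) -> Tuple[str, List[str]]:
    """Live check: negotiated TLS version plus HSTS findings for https://host/ (needs network)."""
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=10)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    version = conn.sock.version()   # e.g. 'TLSv1.3'
    findings = hsts_findings(resp.getheader("Strict-Transport-Security"))
    conn.close()
    return version, findings


def accepts_legacy_tls(host: str, port: int = 443) -> bool:
    """Live check: offer at most TLS 1.1; True means the server still negotiates below the floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # only the handshake outcome matters here
    ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3 refuses TLS < 1.2 client-side at its default level
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:                 # ssl.SSLError is a subclass; handshake refused or connection failed
        return False
```

Run `check_host("example.org")` and `accepts_legacy_tls("example.org")` against a domain you control; a passing host returns a TLS 1.2 or 1.3 version string with an empty findings list, and accepts_legacy_tls() returns False. The legacy probe deliberately lowers the client's own security level so that a failed handshake reflects the server's configuration rather than the client's.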
4. Access control
- Least-privilege role-based access for production systems.
- Mandatory multi-factor authentication on every internal account that touches infrastructure or data.
- Hardware-backed credentials for the highest-privilege roles.
- Access is reviewed when people change roles or leave.
5. Application security
- Peer review on every change before it lands in production.
- Automated dependency scanning and patching on a regular cadence.
- Static analysis and secret-scanning on every commit.
- Production secrets stored only in a managed secret vault, never in source.
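Secret-scanning on every commit usually means two complementary checks: fixed patterns for credential formats with a known shape, and an entropy heuristic for opaque tokens that no pattern describes. The following pre-commit scanner is an added example written for this page, not Rayl's scanner: the sample lines it is tested against are constructed, "AKIAIOSFODNN7EXAMPLE" is the placeholder key from AWS's own documentation, and the "secret-scan:ignore" pragma is a convention assumed for this example.

```python
"""Pre-commit secret scan: pattern matches for well-known credential formats plus a
Shannon-entropy heuristic for opaque tokens, applied to the lines a commit adds.

Added example, not Rayl's scanner. 'AKIAIOSFODNN7EXAMPLE' (used in tests) is the
placeholder key from AWS's documentation; 'secret-scan:ignore' is an assumed pragma.
"""
import math
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List

PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----"),
    # NAME = value where the name says it is a secret and the value is long enough to be one
    "assigned-secret": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{12,})"),
}
# Opaque tokens: '=' and ':' are excluded so 'NAME=value' splits into separate candidates.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")
ENTROPY_THRESHOLD = 4.0   # bits/char; random base64 is ~6, English words ~2-3, hex ~4
IGNORE_PRAGMA = "secret-scan:ignore"


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    excerpt: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies of s."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(s: str) -> str:
    """Never echo a full candidate secret into CI output; show just enough to locate it."""
    return f"{s[:4]}...{s[-2:]}" if len(s) > 8 else "***"


def scan_text(text: str) -> List[Finding]:
    """Scan text line by line; line_no is the 1-based line within `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if IGNORE_PRAGMA in line:
            continue
        matched = []
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, kind, redact(m.group(0))))
                matched.append(m.span())
        for m in TOKEN_RE.finditer(line):
            if any(start <= m.start() < end for start, end in matched):
                continue    # already reported by a specific pattern
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high-entropy-string", redact(m.group(0))))
    return findings


def added_lines_from_diff(diff: str) -> str:
    """Keep only the '+' content lines of a unified diff (dropping '+++' file headers)."""
    return "\n".join(l[1:] for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++"))


def scan_staged() -> List[Finding]:
    """What a pre-commit hook runs: scan only the lines this commit would add."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    return scan_text(added_lines_from_diff(diff))


if __name__ == "__main__":
    hits = scan_staged()
    for f in hits:
        print(f"added line {f.line_no}: {f.kind} {f.excerpt}")
    sys.exit(1 if hits else 0)
```

Installed as `.git/hooks/pre-commit`, a non-zero exit blocks the commit. Pattern hits are reliable; entropy hits need triage (long paths and hashes trip the threshold), which is why the pragma exists and why every excerpt is redacted before it reaches CI logs.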
6. Infrastructure
- Production runs in vetted EU cloud regions with isolated environments per project.
- Network exposure is minimised; only the endpoints that need to be public are public.
- Centralised logging with tamper-evident retention for security-relevant events. Every payment, order, and material system event is timestamped in Brussels time (CET / CEST) on our side of the system, so audit trails line up with the way our team operates.
- Backups taken regularly and restore is tested.
7. Incident response
We maintain a documented incident-response process: detect, contain, eradicate, recover, learn. Personal-data breaches are assessed against the GDPR Article 33 and 34 timelines: where notifiable, we notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and affected users without undue delay.
8. Responsible disclosure
If you believe you’ve found a vulnerability in any Rayl system, please email security@rayl.be. We ask that you:
- Give us reasonable time to investigate and remediate before any public disclosure.
- Avoid privacy violations, destruction of data, or interruption of services during testing.
- Only interact with accounts you own or have explicit permission to test.
We don’t currently run a paid bug-bounty programme, but we will acknowledge researchers who report valid issues in good faith and won’t pursue legal action against research conducted under these guidelines.
Until security@rayl.be is provisioned, use hello@rayl.be with the subject line “Security: …”.
9. Subprocessors
A current list of the third-party processors we use for hosting, email, and infrastructure will be maintained and made available on request.
10. Status page
Real-time service status, ongoing incidents, and scheduled maintenance windows are published at status.rayl.be. Subscribing there gets you email or webhook notifications when something changes.
11. Contact
Security questions or vulnerability reports: security@rayl.be.