Security

Security at Cardidol

We treat security as a first-class product surface, not an afterthought. Below is a high-level summary; a full security whitepaper is available on request.

Encryption

All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Secrets are stored in a hardened key management system; keys are rotated on a regular schedule.

Authentication

Passwords are hashed using bcrypt with a strong work factor. Sessions are bound to Secure, HttpOnly, SameSite cookies. Two-factor authentication (TOTP) will be required for all accounts once real issuing is enabled.

Access controls

Access to the admin panel is role-based. Every privileged action (KYC decisions, card approvals, provider configuration) is written to an append-only audit trail.

PCI alignment

Cardidol is architected so that PAN-equivalent data never touches our primary database. When a licensed issuing partner is connected, sensitive card material is tokenized and held by the provider, keeping our PCI scope minimal.

Responsible disclosure

Report vulnerabilities to security@cardidol.com. We acknowledge within one business day and do not pursue legal action against good-faith researchers.