Safe, compliant, and transparent by design.
We keep customer funds in separate trust accounts. Your money never mixes with ours or with other customers'.
Payments flow through licensed partners. Qualy facilitates, but never holds or moves your funds directly.
We only work with regulated payment providers who are licensed in their jurisdictions.
As soon as funds clear, we disburse them to schools or agents. No unnecessary delays. This minimizes risk and impact in case of a breach.
Every payment has a full audit trail. You can track when it's paid, cleared, and disbursed.
Card data is handled only by PCI DSS-compliant providers.
We never store card details on our systems. All sensitive data is handled by our partners.
Every payment is protected against accidental duplicates. If a request is retried due to network issues, the system automatically detects it and prevents double-charging — so payers and institutions are always protected.
Payment notifications from gateways go through a secure, verified channel before reaching our systems. This prevents fake or tampered payment events from ever being processed.
We have systems in place to handle chargebacks and disputes efficiently, minimizing impact on schools and agents.
Whenever possible, we use 3D Secure and other measures to ensure liability for fraudulent transactions shifts to the card issuer, protecting our customers from potential losses.
We run on secure Google Cloud infrastructure with best-in-class uptime and security.
All data is encrypted at rest using AES-256 encryption. Banking data gets an additional layer of field-level encryption with unique keys for each customer — so even direct database access would not reveal sensitive financial details.
We enforce HTTPS with HSTS and use end-to-end TLS 1.2+ for secure communications.
Our build systems follow SLSA 3 standards, protecting against tampering and supply chain attacks.
Each customer gets their own dedicated database — not just row-level filtering, but complete physical separation. There is no shared data layer between tenants.
We use multiple layers of firewalls to protect our infrastructure.
Our infrastructure is monitored around the clock with distributed tracing, error reporting, and structured logging. Every request can be traced end-to-end, giving us full visibility to catch and resolve issues fast.
We use Cloudflare for DDoS mitigation, traffic filtering, and advanced protections. All connections are validated through Cloudflare to prevent spoofing and ensure only legitimate traffic reaches our systems.
Our systems use ZSP (zero standing privileges), meaning no one has permanent access to production environments. Access is granted only when needed and is logged.
We enforce a “reject” policy on DMARC to prevent spoofed emails from being delivered.
DNSSEC is enabled on our primary domains, ensuring DNS lookups are verified and tamper-resistant.
Outbound email reputation and delivery are continuously monitored to avoid issues with missing invoices or payment links.
We isolate transactional email from marketing or internal communication to reduce reputational risk.
Three independent layers protect against brute force attacks and abuse — rate limiting across all endpoints, smart login blocking that escalates automatically, and account-level lockout powered by Firebase. Repeated attempts trigger increasingly longer blocks.
All payloads are validated and sanitized to prevent exploits like XSS, NoSQL injection, and other common vulnerabilities.
Our subdomains are isolated at the browser level, preventing cookie-setting from malicious subdomains and strengthening our security against cookie-tossing attacks.
Our domain is validated by major security vendors like Norton, McAfee, and Google Safe Browsing to ensure we're recognized as a trusted site.
Each customer's sensitive data is encrypted with its own unique key. Even in the unlikely event of a breach, one customer's data cannot be used to access another's.
Bank account numbers, routing numbers, IBAN, SWIFT, and other banking details are each individually encrypted — not just at the database level, but field by field. Even our own database administrators cannot read these values in plain text.
Our logs are automatically scrubbed of sensitive data — passwords, tokens, bank account numbers, government IDs, and card details are removed before anything is stored. Your sensitive information never appears in system logs.
We use Cloudflare Turnstile to protect login pages and public forms from bots and automated attacks — without making real users solve annoying CAPTCHAs.
Our systems are hardened against server-side request forgery (SSRF). Outbound requests to internal networks, cloud infrastructure, and private addresses are automatically blocked.
Each customer's allowed web domains are individually verified. We never allow blanket access — only your registered domains can communicate with your data.
Changing bank account details or security settings requires a fresh login. If too much time has passed since your last sign-in, you'll need to re-authenticate — adding an extra layer of protection for your most sensitive actions.
Our platform runs mandatory security checks every time it starts up. If anything critical is misconfigured — encryption, authentication, or bot protection — the system refuses to launch. An insecure version can never reach production.
Every request is traced end-to-end across all our services. If something goes wrong, we can pinpoint exactly where and when — making debugging faster and security investigations more thorough.
We use over 940 unique error codes so you and our support team always get clear, actionable messages when something goes wrong — while internal system details stay hidden.
Our team members only see what they need to do their job. No broad access granted.
All team members handling sensitive systems undergo background verification.
All staff complete regular security and compliance training sessions.
2FA is required for all internal systems, and available for all users on the platform.
We follow the principle of least privilege, ensuring team members only have access to what they need.
When support agents need to access a customer account, sessions are time-limited, individually audited, and restricted to a specific set of permissions. Administrative and destructive actions are permanently blocked. Every session requires a documented reason.
While Qualy is not a financial license holder, our partners are fully licensed and compliant.
We adapt to each region's rules—like Brazilian BACEN rules or Australia's AML laws—through our partners and with our own controls.
All payments and system actions are logged and time-stamped for audit-readiness.
We perform CDD (customer due diligence) on all customers to ensure compliance with local regulations.
We follow GDPR principles, ensuring data privacy and user rights are respected.
We comply with Brazilian regulations, including the Lei Geral de Proteção de Dados (LGPD) and BACEN rules for payment handling.
We comply with Australian regulations, including the Anti-Money Laundering and Counter-Terrorism Financing Act (AML/CTF) and the Privacy Act. Transactions are monitored and reported to AUSTRAC via our payment partners.
We comply with SCA (strong customer authentication) requirements by implementing 2FA and other measures.
You can request access to your personal data at any time, as required by GDPR and LGPD. When we export your data, sensitive fields like banking details are automatically protected before delivery.
We maintain a clear legal basis for every type of personal data we process — whether it's to fulfill a contract, with your consent, for legal obligations, or for legitimate business purposes — as required by GDPR.
We share security responsibilities with you, our suppliers, and our partners, ensuring a comprehensive approach to security.
We use queues, backups, and replication for fast recovery. If a retry happens during recovery, the system detects duplicates and prevents double-processing — so no one gets charged twice.
If something fails, systems switch to backups without user disruption.
All payments and processes are queued and retried safely in case of failures.
We take regular backups of all critical data, ensuring we can restore quickly if needed.
We have scheduled release freeze windows to minimize risk during critical periods.
We use advanced error tracking and alerting to catch issues before they affect users.
We know whom to call, what to do, and how to communicate in case of incidents. Our incident response plan is ready and tested.
We never hide who our upstream partners are—we believe transparency builds trust.
We communicate openly about incidents, outages, and changes that affect customers.
Our status page shows real-time system health, incidents, and maintenance updates.
Our pricing is straightforward, with no hidden fees or surprises.
We don’t lock you in with contracts. You can leave anytime, no questions asked.
Need more detail? We provide a comprehensive security and compliance document to enterprise customers upon request. Contact our sales team.
Qualy was designed for collecting payments for the international education industry. It helps colleges, schools, and education agents of all sizes.