---
title: "Qualy's trust center"
description: "See how we keep your payments, data, and operations secure. From infrastructure to people, everything at Qualy is built with trust in mind."
lang: "en"
url: https://qualyhq.com/trust
---

# Qualy's trust center

> Safe, compliant, and transparent by design.

## Payments

- **Segregated funds:** We keep customer funds in separate trust accounts. Your money never mixes with ours or with other customers'.
- **We don’t touch the money:** Payments flow through licensed partners. Qualy facilitates, but never holds or moves your funds directly.
- **Licensed global partners:** We only work with regulated payment providers who are licensed in their jurisdictions.
- **Fast disbursements:** As soon as funds clear, we disburse them to schools or agents. No unnecessary delays, which minimizes risk and impact in case of a breach.
- **Transparent payment flow:** Every payment has a full audit trail. You can track when it's paid, cleared, and disbursed.
- **PCI DSS compliance:** Card data is handled only by PCI DSS-compliant providers.
- **No card data storage:** We never store card details on our systems. All sensitive data is handled by our partners.
- **Duplicate payment protection:** Every payment is protected against accidental duplicates. If a request is retried due to network issues, the system automatically detects it and prevents double-charging — so payers and institutions are always protected.
- **Secure webhook architecture:** Payment notifications from gateways go through a secure, verified channel before reaching our systems. This prevents fake or tampered payment events from ever being processed.
- **Chargeback protection:** We have systems in place to handle chargebacks and disputes efficiently, minimizing impact on schools and agents.
- **Liability shift priority:** Whenever possible, we use 3D Secure and other measures to ensure liability for fraudulent transactions shifts to the card issuer, protecting our customers from potential losses.

## Technology

- **Google Cloud hosted:** We run on secure Google Cloud infrastructure with best-in-class uptime and security.
- **Encryption at rest:** All data is encrypted at rest using AES-256 encryption. Banking data gets an additional layer of field-level encryption with unique keys for each customer — so even direct database access would not reveal sensitive financial details.
- **Data in-transit protection, HSTS and TLS 1.2+:** We enforce HTTPS with HSTS and use end-to-end TLS 1.2+ for secure communications.
- **SLSA Level 3:** Our build systems follow SLSA 3 standards, protecting against tampering and supply chain attacks.
- **Database-per-tenant isolation:** Each customer gets their own dedicated database — not just row-level filtering, but complete physical separation. There is no shared data layer between tenants.
- **Firewalls are always on:** We use multiple layers of firewalls to protect our infrastructure.
- **24/7 monitoring:** Our infrastructure is monitored around the clock with distributed tracing, error reporting, and structured logging. Every request can be traced end-to-end, giving us full visibility to catch and resolve issues fast.
- **DDoS protection:** We use Cloudflare for DDoS mitigation, traffic filtering, and advanced protections. All connections are validated through Cloudflare to prevent spoofing and ensure only legitimate traffic reaches our systems.
- **Zero standing privileges (ZSP):** Our systems use ZSP, meaning no one has permanent access to production environments. Access is granted only when needed and logged.
- **Strict DMARC policy:** We enforce a “reject” policy on DMARC to prevent spoofed emails from being delivered.
- **DNSSEC enabled:** DNSSEC is enabled on our primary domains, ensuring DNS lookups are verified and tamper-resistant.
- **Email delivery monitoring:** Outbound email reputation and delivery are continuously monitored to avoid issues with missing invoices or payment links.
- **Email delivery isolation:** We isolate transactional email from marketing or internal communication to reduce reputational risk.
- **Multi-layer rate limiting:** Three independent layers protect against brute force attacks and abuse — rate limiting across all endpoints, smart login blocking that escalates automatically, and account-level lockout powered by Firebase. Repeated attempts trigger increasingly longer blocks.
- **Protection from malicious payload exploits:** All payloads are validated and sanitized to prevent exploits like XSS, NoSQL injection, and other common vulnerabilities.
- **Subdomain isolation:** Our subdomains are isolated at the browser level, preventing cookie-setting from malicious subdomains and strengthening our security against cookie-tossing attacks.
- **Security vendor validation:** Our domain is validated by major security vendors like Norton, McAfee, and Google Safe Browsing to ensure we're recognized as a trusted site.
- **Per-tenant encryption keys:** Each customer's sensitive data is encrypted with its own unique key. Even in the unlikely event of a breach, one customer's data cannot be used to access another's.
- **Field-level encryption on banking data:** Bank account numbers, routing numbers, IBAN, SWIFT, and other banking details are each individually encrypted — not just at the database level, but field by field. Even our own database administrators cannot read these values in plain text.
- **Automatic PII redaction in logs:** Our logs are automatically scrubbed of sensitive data — passwords, tokens, bank account numbers, government IDs, and card details are removed before anything is stored. Your sensitive information never appears in system logs.
- **Bot protection (Cloudflare Turnstile):** We use Cloudflare Turnstile to protect login pages and public forms from bots and automated attacks — without making real users solve annoying CAPTCHAs.
- **Internal network protection:** Our systems are hardened against server-side request forgery (SSRF). Outbound requests to internal networks, cloud infrastructure, and private addresses are automatically blocked.
- **Per-customer domain validation:** Each customer's allowed web domains are individually verified. We never allow blanket access — only your registered domains can communicate with your data.
- **Token freshness for sensitive operations:** Changing bank account details or security settings requires a fresh login. If too much time has passed since your last sign-in, you'll need to re-authenticate — adding an extra layer of protection for your most sensitive actions.
- **Startup security validation:** Our platform runs mandatory security checks every time it starts up. If anything critical is misconfigured — encryption, authentication, or bot protection — the system refuses to launch. An insecure version can never reach production.
- **Distributed tracing (OpenTelemetry):** Every request is traced end-to-end across all our services. If something goes wrong, we can pinpoint exactly where and when — making debugging faster and security investigations more thorough.
- **Structured error codes:** We use over 940 unique error codes so you and our support team always get clear, actionable messages when something goes wrong — while internal system details stay hidden.

## People

- **Role-based access:** Our team members only see what they need to do their job. No broad access granted.
- **Background checks:** All team members handling sensitive systems undergo background verification.
- **Security training:** All staff complete regular security and compliance training sessions.
- **Two-factor auth (2FA):** 2FA is required for all internal systems, and available for all users on the platform.
- **Least privilege principle:** We follow the principle of least privilege, ensuring team members only have access to what they need.
- **Support access controls:** When support agents need to access a customer account, sessions are time-limited, individually audited, and restricted to a specific set of permissions. Administrative and destructive actions are permanently blocked. Every session requires a documented reason.

## Compliance

- **Operating only with licensed partners:** While Qualy is not a financial license holder, our partners are fully licensed and compliant.
- **Local regulation aligned:** We adapt to each region's rules—like Brazilian BACEN rules or Australia's AML laws—through our partners and with our own controls.
- **Audit-ready logs:** All payments and system actions are logged and time-stamped for audit-readiness.
- **Customer Due Diligence (CDD):** We perform CDD on all customers to ensure compliance with local regulations.
- **GDPR compliant:** We follow GDPR principles, ensuring data privacy and user rights are respected.
- **Brazil-specific compliance:** We comply with Brazilian regulations, including the Lei Geral de Proteção de Dados (LGPD) and BACEN rules for payment handling.
- **Australia-specific compliance:** We comply with Australian regulations, including the Anti-Money Laundering and Counter-Terrorism Financing Act (AML/CTF) and the Privacy Act. Transactions are monitored and reported to AUSTRAC via our payment partners.
- **Strong Customer Authentication compliance:** We comply with SCA requirements by implementing 2FA and other measures.
- **DSAR (Data Subject Access Request) support:** You can request access to your personal data at any time, as required by GDPR and LGPD. When we export your data, sensitive fields like banking details are automatically protected before delivery.
- **Documented lawful bases for processing:** We maintain a clear legal basis for every type of personal data we process — whether it's to fulfill a contract, with your consent, for legal obligations, or for legitimate business purposes — as required by GDPR.

## Operations

- **Shared security responsibility model:** We share security responsibilities with you, our suppliers, and our partners, ensuring a comprehensive approach to security.
- **Disaster recovery ready:** We use queues, backups, and replication for fast recovery. If a retry happens during recovery, the system detects duplicates and prevents double-processing — so no one gets charged twice.
- **Automated failover:** If something fails, systems switch to backups without user disruption.
- **Reliable message queues:** All payments and processes are queued and retried safely in case of failures.
- **Regular backups:** We take regular backups of all critical data, ensuring we can restore quickly if needed.
- **Release freeze windows:** We have scheduled release freeze windows to minimize risk during critical periods.
- **Error tracking & alerting:** We use advanced error tracking and alerting to catch issues before they affect users.
- **Incident response plan:** We know whom to call, what to do, and how to communicate in case of incidents. Our incident response plan is ready and tested.

## Transparency

- **Customer transparency:** We never hide who our upstream partners are—we believe transparency builds trust.
- **Open communication:** We communicate openly about incidents, outages, and changes that affect customers.
- **Public status page:** Our status page shows real-time system health, incidents, and maintenance updates.
- **Clear pricing:** Our pricing is straightforward, with no hidden fees or surprises.
- **Leave anytime:** We don’t lock you in with contracts. You can leave anytime, no questions asked.
- **Security documentation available on request:** Need more detail? We provide a comprehensive security and compliance document to enterprise customers upon request. Contact our sales team.

