Hosting and data residency

All UnitPay services and data are hosted in Indonesia. Our infrastructure provider holds ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1, SOC 2, and SOC 3 attestations. Under the provider's shared-responsibility model these attestations cover the infrastructure layer only; controls above that layer (application, data, identity and configuration) are UnitPay's own responsibility. UnitPay holds its own active PCI DSS attestation; for ISO 27001 and SOC 2, the platform-level controls are inherited from the infrastructure provider.

  • PCI DSS attestation (Compliance Control)
  • AWS Indonesia Compliance Center

Access control

Production access is restricted to named operators with role-based permissions and mandatory two-factor authentication. Privilege levels follow the principle of least privilege. Console access is logged and reviewed monthly.

Encryption

All data in transit is encrypted with TLS 1.2 or higher. All data at rest is encrypted with AES-256 using customer-managed keys, that is, keys UnitPay controls itself rather than provider-default keys, with the key material stored in Indonesia. Keys are rotated annually and immediately on any key-compromise event.

Vendor management

UnitPay relies on the following vendors. Each is bound by a written data-processing agreement and subject to periodic vendor risk review:

  • Didit — AML and sanctions screening
  • Didit — director KYC and biometric liveness
  • Amazon Web Services (Asia Pacific - Jakarta) — hosting and data residency
  • Iubenda — cookie consent management

Incident response

UnitPay maintains a Computer Incident Response Team (CIRT) aligned with BSSN Regulation 1/2024. Personal-data breaches are reported to affected data subjects and to the Personal Data Protection Authority within 3 x 24 hours (72 hours) of confirmation, as required by UU PDP Article 46. Security issues can be reported to security@unitpay.net.

Audit logging

All production access and data-modification events are logged to an immutable, tamper-evident audit store with compliance-mode retention locking: records cannot be deleted, and their retention period cannot be shortened, even by privileged operators, until the retention period ends. Records are retained for 7 years to meet financial-services audit requirements.
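The tamper-evident property above can be illustrated with a hash-chained log, where each entry commits to the hash of the entry before it. This is an added example written for this page, not UnitPay's audit store or its implementation; the event records are constructed, and the field names (ts, actor, action) are assumptions.

```python
"""Hash-chained audit log: an illustration of tamper evidence.

Added example, not UnitPay's audit store. Event records below are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev-hash recorded in the first entry


def _digest(seq, prev, event):
    """SHA-256 over a canonical encoding of the entry; changing any field changes it."""
    material = json.dumps({"seq": seq, "prev": prev, "event": event},
                          sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(material).hexdigest()


def append_event(chain, event):
    """Append an event, linking it to the previous entry's hash."""
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev, "event": event, "hash": _digest(seq, prev, event)}
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Return (True, None) if the chain is intact, else (False, seq of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        # Sequence gap or broken back-link: an entry was removed or reordered.
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        # Recomputed digest differs: the entry's content was edited after the fact.
        if entry["hash"] != _digest(i, prev, entry["event"]):
            return False, i
        prev = entry["hash"]
    return True, None


def build_sample_chain():
    """Three constructed events in the shape of console-access and data-change records."""
    chain = []
    append_event(chain, {"ts": "2024-05-01T08:00:00Z", "actor": "ops-alice",
                         "action": "console.login", "mfa": True})
    append_event(chain, {"ts": "2024-05-01T08:05:12Z", "actor": "ops-alice",
                         "action": "merchant.update", "merchant": "m-1001",
                         "field": "settlement_account"})
    append_event(chain, {"ts": "2024-05-01T08:06:40Z", "actor": "ops-alice",
                         "action": "console.logout"})
    return chain


def tampered_copy(chain):
    """Alter one field of the middle entry, as an insider editing the store would."""
    copy = json.loads(json.dumps(chain))
    copy[1]["event"]["merchant"] = "m-2002"
    return copy


def truncated_copy(chain):
    """Delete the middle entry; the surviving entries no longer link to each other."""
    copy = json.loads(json.dumps(chain))
    del copy[1]
    return copy


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    print("edited entry:", verify_chain(tampered_copy(chain)))
    print("deleted entry:", verify_chain(truncated_copy(chain)))
```

Two caveats a reviewer should keep apart: the chain makes edits and mid-chain deletions detectable, but it does not by itself prevent them, and it cannot detect removal of the newest entries unless the latest hash is also recorded somewhere the writer cannot alter. Immutability (no deletion, no shortened retention) is the separate property the store's compliance-mode locking provides.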

Data Protection Officer

Our Data Protection Officer is the designated point of contact for UU PDP and GDPR matters. For data subject rights (access, rectification, erasure, portability), contact:

  • dpo@unitpay.net
  • UU PDP Personal Data Notice

Edge and HTTP-layer controls

In addition to the controls described above, the production CDN edge sets the following HTTP response headers: Strict-Transport-Security (HSTS), X-Frame-Options: DENY, Permissions-Policy (camera, microphone and geolocation disabled by default), and a Content-Security-Policy. Identifying response headers (Server, X-Powered-By) are stripped at the edge. The static landing page additionally enforces a strict Content-Security-Policy and Referrer-Policy via meta tags. Note that a CSP delivered in a meta tag cannot carry the frame-ancestors, report-uri or sandbox directives, so clickjacking protection for the landing page rests on the X-Frame-Options: DENY header set at the edge rather than on the meta-tag policy.
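A practitioner verifying the header policy above would want a repeatable check rather than a manual look at one response. The following is an added example written for this page, not UnitPay's tooling: it evaluates a response-header set against the stated policy (HSTS present with a sufficient max-age, X-Frame-Options DENY, the three features disabled in Permissions-Policy, a CSP present, no Server or X-Powered-By). The one-year minimum HSTS max-age and the two sample header sets are assumptions constructed for illustration, not captured from any real host.

```python
"""Check an HTTP response-header set against the edge policy described above.

Added example; not UnitPay's tooling. The one-year minimum HSTS max-age and
the sample header sets below are assumptions constructed for illustration.
"""
import re
import urllib.request

# Features the page says Permissions-Policy disables by default.
DISABLED_FEATURES = ("camera", "microphone", "geolocation")
# Identifying headers the page says are stripped at the edge.
FORBIDDEN_HEADERS = ("server", "x-powered-by")
ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


def parse_permissions_policy(value):
    """Parse 'camera=(), geolocation=(self)' into {feature: allowlist}."""
    policy = {}
    for item in value.split(","):
        if "=" in item:
            feature, allowlist = item.split("=", 1)
            policy[feature.strip().lower()] = allowlist.strip()
    return policy


def hsts_max_age(value):
    """Return the max-age directive of an HSTS header as an int, or None."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def check_headers(headers, min_hsts_age=ONE_YEAR):
    """Return a list of policy findings; an empty list means the set is compliant."""
    h = {k.lower().strip(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < min_hsts_age:
            findings.append(f"HSTS max-age below {min_hsts_age}: {hsts!r}")

    xfo = h.get("x-frame-options", "")
    if xfo.upper() != "DENY":
        findings.append(f"X-Frame-Options is {xfo!r}, expected DENY")

    policy = parse_permissions_policy(h.get("permissions-policy", ""))
    for feature in DISABLED_FEATURES:
        # An empty allowlist '()' is the only value that disables a feature everywhere.
        if policy.get(feature) != "()":
            findings.append(f"Permissions-Policy does not disable {feature}")

    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")

    for name in FORBIDDEN_HEADERS:
        if name in h:
            findings.append(f"identifying header present: {name}: {h[name]!r}")

    return findings


def fetch_headers(url):
    """Fetch live response headers with a HEAD request (network access required)."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=10) as response:
        return dict(response.getheaders())


# Constructed sample header sets (not captured from any real host).
COMPLIANT = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Content-Security-Policy": "default-src 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "Permissions-Policy": "camera=(self), microphone=()",
    "Server": "nginx/1.24.0",
}

if __name__ == "__main__":
    for label, headers in (("compliant", COMPLIANT), ("weak", WEAK)):
        findings = check_headers(headers)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against a live origin with `check_headers(fetch_headers("https://example.invalid/"))`, substituting the real URL; a non-empty list is a policy drift to investigate. The check treats Permissions-Policy features as disabled only when their allowlist is the empty `()`, since `(self)` still grants the feature to the site's own origin.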