Security at Bias

A secure foundation

As a payments fintech company serving developers, we understand that your trust depends on our ability to protect sensitive financial data and maintain the highest security standards. We’ve architected our platform with security-first principles, implementing multiple layers of protection to keep your financial data safe.

Encryption & data protection

Every piece of data that flows through Bias is encrypted:

  • E2E Encryption: TLS 1.3 for all API communications with certificate pinning and HSTS headers
  • Data at Rest: AES-256 encryption with regularly rotated keys and transparent database encryption
  • Field-Level Encryption: Additional protection for the most sensitive payment information
  • Secure Data Handling: Follows all best practices for data minimization, anonymization where possible, and cryptographic erasure for secure deletion

PCI DSS compliant service provider

Bias maintains a PCI DSS Service Provider certification. We follow all payment card industry security standards:

  • Annual self-assessment questionnaires (SAQ) and network security scans
  • Compliance across all six PCI DSS requirement categories
  • Regular vulnerability assessments and security reviews
  • Quarterly network security scans by approved scanning vendors (ASV)

Developer security tools

Purpose-built security features for developers:

  • API Key Management: Environment-specific keys with easy rotation
  • Built-in Protection: Rate limiting, security headers, and comprehensive security documentation
  • Integration Support: Best practices guides and security-focused developer resources

Security disclosure program

We work with the security community through responsible disclosure to keep our platform secure.

Reporting security issues

Email: info@biaspay.com

Please include:

  • Detailed vulnerability description and potential impact
  • Step-by-step reproduction instructions
  • Proof-of-concept code or screenshots (if applicable)
  • Your contact information

Response commitment

  • 24-hour acknowledgment of all reports
  • Transparent communication throughout investigation
  • Public recognition (with your permission)
  • No legal action against researchers following responsible disclosure

Resolution timeline

  • Critical Issues: 72 hours
  • High Severity: 7 days
  • Medium/Low Severity: 30 days

Program scope

In Scope: Bias web applications, APIs, developer dashboard, mobile applications, and Bias-owned domains

Out of Scope: Third-party integrations, social engineering, physical attacks, and external applications

Continuous security investment

We maintain our security leadership through ongoing investment in team training, emerging technologies, industry participation, and community collaboration.


Last updated: June 2025