Trust & Safety
Security is structural, not an add-on. Every layer of Swiftz is designed so that a breach of our systems cannot compromise your funds or your customers' data.
Core security principle
Swiftz is non-custodial. We never hold your funds, never store private keys, and never have access to your wallets. The worst-case scenario of a Swiftz breach is exposure of email addresses and transaction metadata — not loss of funds.
Swiftz never holds your funds. Payments route directly from customer to your wallet. We have no ability to freeze, reverse, or access your money.
API keys are stored as SHA-256 hashes. The plaintext is shown once at creation and never stored. A compromised database cannot expose your keys.
Every webhook event is signed with HMAC SHA-256 using your unique secret. Verify signatures with crypto.timingSafeEqual to prevent timing attacks.
All confirmed payments are SHA-256 chained into a public append-only ledger. Anyone can verify any transaction independently.
Automated fraud scoring on all transactions. Rate limiting, IP analysis, and anomaly detection protect your account from abuse.
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Access to production systems requires MFA.
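To illustrate the webhook signature check described above, here is an added Node.js example; it is not Swiftz's own code. It assumes the signature arrives as the hex-encoded HMAC-SHA-256 of the raw request body (the page does not state the encoding or the header name), and the function name, secret and payload are constructed for illustration.

```javascript
const crypto = require("crypto");

// Hypothetical helper. Assumption: signature = hex(HMAC-SHA-256(secret, raw body)).
function verifyWebhook(rawBody, signatureHex, secret) {
  // Reject missing or malformed signatures before comparing. This also
  // guarantees a 32-byte buffer, since timingSafeEqual throws on unequal lengths.
  if (typeof signatureHex !== "string" || !/^[0-9a-f]{64}$/i.test(signatureHex)) {
    return false;
  }
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(signatureHex, "hex");
  // Constant-time comparison: run time does not depend on where the bytes differ.
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample values (not real Swiftz data).
const SAMPLE_SECRET = "constructed-secret-not-real";
const SAMPLE_BODY = '{"event": "payment.confirmed", "amount": "10.00"}';
const SAMPLE_SIG = crypto
  .createHmac("sha256", SAMPLE_SECRET)
  .update(SAMPLE_BODY)
  .digest("hex");

function demo() {
  return {
    // Untouched body with the matching signature
    valid: verifyWebhook(SAMPLE_BODY, SAMPLE_SIG, SAMPLE_SECRET),
    // Body modified in transit
    tampered: verifyWebhook(SAMPLE_BODY.replace("10.00", "99.00"), SAMPLE_SIG, SAMPLE_SECRET),
    // Signature computed with a different secret
    wrongSecret: verifyWebhook(SAMPLE_BODY, SAMPLE_SIG, "another-secret"),
    // Truncated or absent signature must return false, not throw
    truncated: verifyWebhook(SAMPLE_BODY, SAMPLE_SIG.slice(0, 10), SAMPLE_SECRET),
    missing: verifyWebhook(SAMPLE_BODY, undefined, SAMPLE_SECRET),
    // Parsing and re-serializing JSON changes the bytes, so verify the raw body
    reserialized: verifyWebhook(JSON.stringify(JSON.parse(SAMPLE_BODY)), SAMPLE_SIG, SAMPLE_SECRET),
  };
}

console.log(demo());
```

The `reserialized` case fails because the HMAC covers exact bytes: capture the raw request body before any JSON middleware parses it.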
If you discover a security vulnerability in Swiftz, please report it responsibly. We take all reports seriously and will respond within 48 hours.
Do not publicly disclose vulnerabilities before we have had a chance to address them. Do not access or modify data that does not belong to you.
security@swiftz.us
© 2026 Swiftz