Security – Littlepay



At Littlepay, security is a big part of who we are, and it is a cornerstone in our culture. Maintaining a secure company, product, and infrastructure is fundamental to our mission, and we have summarised our security practices for you to stay informed about our procedures.

Security Governance and Risk Management

We have a dedicated team of security professionals that works to identify and mitigate risks and to ensure that our security controls are effective and that our security program conforms to industry best practice.

Frameworks, Standards and Regulations

As Littlepay is a global industry leader in payments, we are proud to be compliant with the practices that secure our platform. We are compliant with the following and are working hard to extend this list.

  • CIS
  • GDPR
  • PCI DSS Level 1

Secure Data Centres

Our platform is hosted by a Tier 1 cloud provider, trusted by leading companies across the globe. As a leader in the industry, our hosting provider is relied on by over a million active customers and is at the forefront of security best practices.

This provider is compliant with:

  • ISO 27001
  • DoD SRG
  • GDPR
  • IRAP
  • SOC 1, SOC 2 & SOC 3
  • PCI DSS Level 1

Data Encryption

Data is encrypted at rest and in transit as per PCI requirements.

Security training program

To ensure that security is an integral foundation of our platform, we conduct regular employee cybersecurity training that covers a wide range of topics to keep our staff apprised of existing and emerging threats, and their individual roles in our shared responsibility to security. Additionally, to keep our platform even more secure, all our developers undergo annual secure code training and have dedicated time to learn and practice on secure code training.

Access management

All employees’ access permissions are reviewed regularly to ensure only minimum required privileges are granted, inline with the best practice approach of least privilege. All end devices run on centrally controlled endpoint-management software that enforces security configurations and protection solutions.

Incident response

Littlepay takes the trust our customers have in our platform very seriously, and has developed a suite of measures to respond to any incident that imperils our service delivery or the security of our customers’ data. We test our incident response plan, and have formal mechanisms for revision and improvement of this and other components of our incident response armoury.

Vulnerability Management

To safeguard the security of our platform, we have systems that continuously monitor and detect vulnerabilities in our supply chain. These are proactively addressed in line with our internal policies to ensure that our platform meets the high standards that are necessary to protect our customers’ data and privacy.

A third party is engaged annually to conduct an external network penetration test.

DDoS Monitoring & Protection

Littlepay employs a variety of technical controls in addition to undergoing real-time monitoring to protect our platform against DDoS attacks.

Uptime & Processor Load Monitoring

We use third-party security products to monitor server uptime and processor loads to identify any unusual activity, and couple this with proactive management by pertinent teams to ensure that platform availability is optimal.

Deletion and return of Customer Data

We comply with jurisdictional obligations around customer data in the various parts of the world that we operate in. Please refer to our privacy policy for further information about any queries in relation to this.

Security Vulnerability Reporting Policy

Littlepay has security expertise through a dedicated internal team and domain expert consultants.

We do not accept unsolicited security reports. If this situation changes in the future, we will update this page.

 We currently DO NOT have a bug bounty program in place

If you have any additional questions, we would be happy to answer them — please contact us at