Shor handles payroll data, identity documents, and money movement, all of which make us an attractive target if we’re careless. Security is designed in, not bolted on. This page covers how we keep your data and funds safe.
Data Security
Encryption in Transit
Every connection to Shor is encrypted with TLS 1.2 or higher. No data moves between your browser or bank and our servers in the clear.
Encryption at Rest
All stored data (contracts, identity documents, bank details) is encrypted at rest using industry-standard AES-256 encryption.
Secret Management
Sensitive values (API keys, signing secrets, database credentials) are held in a secrets manager with access tightly controlled and every access audited.
Tenant Isolation
Your data is isolated from every other customer. Queries, authentication, and access checks are scoped by your business, and cross-tenant reads are not possible.
Identity and Access
- Modern auth: sign in with email and password or via the sign-in options configured for your workspace
- Role-based access: admins and members have different permissions
- Activity tracking: significant actions (payroll approvals, funding changes, user invites) are recorded in our systems, with review available on request
- Session controls: idle session timeouts and the ability to sign out from your account settings
Infrastructure Security
- Hosted on modern cloud infrastructure with hardened defaults (private networking, managed secrets, automated patching)
- Production environments isolated from development and staging
- Changes to production require code review and pass automated security checks
- Security reviews on a regular cadence as we scale
Formal compliance certifications (SOC 2, ISO 27001) and third-party penetration testing are on our roadmap as we grow. If your procurement process needs specifics today, reach out to security@shorpay.com. We’re happy to share our current security posture in detail.
Payment Security
Money movement has additional layers:
Role-Based Access
Only Admins can fund the account, run payments, or change billing. Members handle day-to-day work without touching the money controls.
Idempotency
Every payment request carries an idempotency key. You can’t accidentally pay someone twice, even if a browser retry happens.
Monitoring
Unusual activity (a sudden increase in volume, a payment to a new country, a change in funding source) triggers alerts for review.
Hard-Failure Handling
Failed payments don’t silently retry to a potentially wrong account. They pause and surface for your review with the specific error.
Regulatory Posture
Shor operates within the regulations of the countries we serve:
- Money transmission licensing where required by jurisdiction
- KYB for every business on the platform
- KYC for every worker receiving payments
- AML / sanctions screening on every payment before it goes out
- Data residency options for customers in regions that require it
Incident Response
If we detect a security issue, we act fast:
- Immediate containment (isolating affected systems)
- Customer notification if your data is involved
- Post-incident review, published to affected customers
- Preventive changes to ensure it doesn’t recur
What You Can Do
Security is a shared responsibility. Some things you can do to strengthen your own account:
- Use a strong unique password with a password manager
- Give admins the minimum access they need: don’t make everyone an Admin
- Verify changes to bank details out-of-band before approving them (fraud attempts often target bank account updates)
- Review your team list quarterly and remove access for anyone who’s moved on