Home · Security & PCI
Terms of Service · Privacy Policy · Security & PCI · Accessibility
Security & PCI Posture
This page summarizes how Commonwell protects data and handles payment-card scope.
It is intended for prospective customers and security reviewers.
Payments and PCI DSS
- All card and bank-account data is collected and processed by a **PCI DSS
Level 1 certified payment processor**, using its hosted, tokenized flows.
- Commonwell never receives, transmits, or stores full card numbers (PAN),
CVV, or full bank account numbers. We store only payment-processor tokens and
limited non-sensitive metadata (card brand, last four digits, payout status).
- Because cardholder data never touches our servers, Commonwell's PCI scope is
limited to SAQ A (e-commerce, fully outsourced to a validated provider).
Infrastructure
- Runs entirely on a serverless edge platform (compute, database, object
storage, key-value, and queues). Data is encrypted in transit (TLS) and at
rest by the underlying platform.
- Tenant isolation: every record is scoped to a community id and enforced on
every query path; cross-tenant access is rejected.
Authentication & access
- Credentials are hashed with PBKDF2 and an optional server-side pepper.
Optional TOTP two-factor authentication with single-use recovery codes.
- Sessions are httpOnly cookies (signed JWT). API access uses scoped,
hashed-at-rest API keys. Optional SAML SSO for enterprise customers.
Operational security
- Structured error monitoring with alerting on critical failures.
- Audit logging of administrative and security-relevant actions.
- Automated backups: database point-in-time recovery (30 days).
Reporting a vulnerability
Email security@commonwell.app. We acknowledge reports promptly and ask for a
reasonable disclosure window. Please do not access data that isn't yours.
