Commonwell

Home · Security & PCI

Terms of Service · Privacy Policy · Security & PCI · Accessibility

Security & PCI Posture

This page summarizes how Commonwell protects data and handles payment-card scope.

It is intended for prospective customers and security reviewers.

Payments and PCI DSS

Level 1 certified payment processor**, using its hosted, tokenized flows.

CVV, or full bank account numbers. We store only payment-processor tokens and

limited non-sensitive metadata (card brand, last four digits, payout status).

limited to SAQ A (e-commerce, fully outsourced to a validated provider).

Infrastructure

storage, key-value, and queues). Data is encrypted in transit (TLS) and at

rest by the underlying platform.

every query path; cross-tenant access is rejected.

Authentication & access

Optional TOTP two-factor authentication with single-use recovery codes.

hashed-at-rest API keys. Optional SAML SSO for enterprise customers.

Operational security

Reporting a vulnerability

Email security@commonwell.app. We acknowledge reports promptly and ask for a

reasonable disclosure window. Please do not access data that isn't yours.