Payment Security & PCI Compliance
Last updated: February 2026
1. Our Security Commitment
At Movement Atlas, security is foundational to everything we build. We handle sensitive data including payment information, personal profiles, and business records for movement-based businesses, instructors, and learners across the globe. We are committed to maintaining the highest standards of security to protect our users and their data.
This document outlines our security practices, compliance measures, and responsible disclosure policy. We believe in transparency about our security posture and welcome collaboration with the security research community.
2. PCI DSS 4.0 Compliance
Movement Atlas adheres to the Payment Card Industry Data Security Standard (PCI DSS) version 4.0 requirements to ensure the secure handling of payment card data. Our compliance measures include:
- Scope Minimisation: We minimise our PCI scope by delegating all card data handling to PCI-certified payment processors (PayPal and Razorpay). Movement Atlas never receives, processes, stores, or transmits full cardholder data.
- Tokenisation: All payment references stored on our platform use tokens provided by our payment processors. These tokens cannot be used to reconstruct the original card number.
- Secure Payment Pages: Payment forms are rendered directly by our payment processors' secure iframes or redirect flows, ensuring card data never touches our servers.
- Regular Assessment: We conduct periodic self-assessments using PCI DSS Self-Assessment Questionnaire A (SAQ A), the questionnaire appropriate for merchants that fully outsource cardholder data handling, and work with our payment processors to ensure ongoing compliance.
- Vendor Compliance: Both PayPal and Razorpay are validated as PCI DSS Level 1 service providers, the most stringent validation level (annual assessment by a Qualified Security Assessor). We regularly verify our payment processors' compliance status.
3. Payment Security
We Never Store Full Card Data
Movement Atlas never stores, processes, or has access to your full credit card number, CVV/CVC, PIN, or magnetic stripe data. All payment processing is handled entirely by our PCI DSS Level 1 certified partners, PayPal and Razorpay.
- Tokenised Storage: We store only tokenised payment references and masked card identifiers (e.g., last four digits) for display and record-keeping purposes.
- Encrypted Transmission: All payment data is transmitted over TLS 1.3 encrypted connections. No payment information is ever sent in plaintext.
- 3D Secure: Where supported by the card issuer, our payment processors perform 3-D Secure 2 (3DS2) authentication, so the issuer verifies the cardholder before a transaction is approved.
- Fraud Detection: Our payment processors employ advanced fraud detection systems, including velocity checks, geolocation analysis, and machine learning models to identify suspicious transactions.
- Secure Webhooks: Payment processor webhooks are verified using cryptographic signatures so that forged or tampered events are rejected, with additional checks so that a replayed delivery cannot be applied twice.
4. Infrastructure Security
Our infrastructure is designed with security at every layer:
- TLS 1.3: Connections to Movement Atlas are encrypted using TLS 1.3, the current version of the Transport Layer Security protocol. Older, insecure protocol versions (SSL 3.0, TLS 1.0, TLS 1.1) are disabled.
- HTTP Strict Transport Security (HSTS): HSTS headers are enforced with a max-age of at least one year and the includeSubDomains directive, so browsers refuse plaintext HTTP to our domains; this blocks SSL-stripping downgrade attacks and stops session cookies from being sent over unencrypted connections.
- Content Security Policy (CSP): Strict CSP headers are configured to prevent cross-site scripting (XSS) attacks by controlling which resources can be loaded and executed.
- Web Application Firewall (WAF): AWS WAF protects our application from common web exploits including SQL injection, cross-site scripting, and known attack patterns using managed rule sets.
- CDN Security: Amazon CloudFront CDN provides edge-level DDoS protection, geographic restriction capabilities, and signed URL support for sensitive assets.
- Security Headers: We implement comprehensive security headers via Helmet.js, including X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
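The following is an added example, not Movement Atlas's configuration, of how a practitioner would check that a response carries the header set described in this section: HSTS with a one-year max-age and includeSubDomains, a CSP that has a default-src fallback, no inline or wildcard script sources and a frame-ancestors directive, plus the Helmet-style hardening headers. The two header sets at the end are constructed samples; the specific CSP values are assumptions, not the platform's real policy.

```javascript
const ONE_YEAR_SECONDS = 31536000;

// Parse "max-age=31536000; includeSubDomains; preload" into its directives.
function parseHsts(value) {
  const out = { maxAge: NaN, includeSubDomains: false, preload: false };
  for (const part of value.split(';').map((p) => p.trim().toLowerCase())) {
    if (part.startsWith('max-age=')) out.maxAge = Number(part.slice('max-age='.length));
    else if (part === 'includesubdomains') out.includeSubDomains = true;
    else if (part === 'preload') out.preload = true;
  }
  return out;
}

// Parse a CSP string into a Map of directive -> [source expressions] (all lower-cased).
function parseCsp(value) {
  const map = new Map();
  for (const directive of value.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) map.set(tokens[0].toLowerCase(), tokens.slice(1).map((t) => t.toLowerCase()));
  }
  return map;
}

// Audit a header object against the policy; returns { pass, findings }.
function auditHeaders(headers) {
  // Header names are case-insensitive, so normalise before looking them up.
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) findings.push('strict-transport-security missing');
  else {
    const { maxAge, includeSubDomains } = parseHsts(hsts);
    if (!(maxAge >= ONE_YEAR_SECONDS)) findings.push(`strict-transport-security max-age ${maxAge} below one year`);
    if (!includeSubDomains) findings.push('strict-transport-security lacks includeSubDomains');
  }

  const csp = h['content-security-policy'];
  if (!csp) findings.push('content-security-policy missing');
  else {
    const p = parseCsp(csp);
    if (!p.has('default-src')) findings.push('csp lacks default-src fallback');
    // script-src falls back to default-src when absent, so check whichever applies.
    const script = p.get('script-src') || p.get('default-src') || [];
    if (script.includes("'unsafe-inline'")) findings.push('csp allows inline scripts');
    if (script.includes('*')) findings.push('csp script-src allows any origin');
    if (!p.has('frame-ancestors')) findings.push('csp lacks frame-ancestors (clickjacking)');
  }

  if (!['deny', 'sameorigin'].includes((h['x-frame-options'] || '').toLowerCase())) findings.push('x-frame-options missing or permissive');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('x-content-type-options is not nosniff');
  if (!h['referrer-policy']) findings.push('referrer-policy missing');
  if (!h['permissions-policy']) findings.push('permissions-policy missing');

  return { pass: findings.length === 0, findings };
}

// Constructed sample header sets (assumptions for illustration, not captured from any real server).
const HARDENED_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};

const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=86400',
  'Content-Security-Policy': "default-src *; script-src * 'unsafe-inline'",
  'X-Content-Type-Options': 'nosniff',
};
```

Run `auditHeaders` over the headers returned by a `fetch` of the production origin (and of each subdomain, since HSTS with includeSubDomains only helps if every subdomain actually serves HTTPS) as a deploy-time check; the findings list is what a header regression looks like before a user notices it.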
5. AWS Compliance Certifications
Movement Atlas is built on Amazon Web Services (AWS), which maintains an extensive portfolio of globally recognised compliance certifications and attestations. By leveraging AWS infrastructure, our platform benefits from the security controls validated through these certifications. The following AWS certifications are relevant to the services used by our platform. Specific service coverage and regional availability may vary; refer to the AWS Services in Scope page for details.
5.1 Global Certifications and Attestations
- ISO/IEC 27001:2022: Information security management system certification, ensuring systematic management of sensitive data including financial, intellectual property, and personal information.
- ISO/IEC 27017:2015: Cloud-specific security controls, providing guidance on the information security aspects of cloud computing.
- ISO/IEC 27018:2019: Protection of personally identifiable information (PII) in public cloud environments, directly relevant to our handling of user data.
- ISO/IEC 27701:2019: Privacy information management extending ISO 27001 to cover GDPR and other privacy requirements.
- ISO 42001: Artificial Intelligence Management System (AIMS) certification, relevant to our use of AI-powered features including OpenAI integrations for class recommendations and content generation.
- ISO 20000-1:2018: IT Service Management certification, ensuring reliable and consistent delivery of IT services supporting our platform operations.
- SOC 1 / SOC 2 / SOC 3: Service Organisation Controls reports providing detailed assurance on AWS security, availability, processing integrity, confidentiality, and privacy controls. SOC 2 Privacy Type I is also available.
- PCI DSS Level 1: Validation as a PCI DSS Level 1 service provider, the most stringent validation level, covering the secure handling of payment card data across the infrastructure.
- PCI 3DS: 3-D Secure certification for additional cardholder verification during online transactions, relevant to our payment processing flows.
- CSA STAR CCM v4.0: Cloud Security Alliance Security, Trust, Assurance, and Risk registry certification for cloud security best practices.
- ISO 9001:2015: Quality management systems certification, ensuring consistent service delivery and continuous improvement.
- ISO 22301:2019: Business continuity management system certification, ensuring resilience and disaster recovery capabilities.
- ISO 14001: Environmental management system certification, demonstrating AWS commitment to sustainable operations across its global data centre infrastructure.
- ISO 50001: Energy management system certification for efficient energy use in data centre operations.
- FIPS 140-3: Federal Information Processing Standard for cryptographic module validation, ensuring that encryption operations meet US and Canadian government security requirements.
- GxP: AWS supports GxP (Good Practice) regulated workloads in the life sciences; this is relevant only where a movement-based business itself operates under such regulation.
- ProcessUnity: AWS is assessed on the ProcessUnity third-party risk management platform for vendor security evaluations.
5.2 Regional Compliance
- India MeitY: AWS has been empanelled by the Ministry of Electronics and Information Technology (MeitY), Government of India, for cloud services across government and regulated sectors.
- HIPAA / HITECH: AWS supports HIPAA and HITECH compliance for healthcare-related data through a Business Associate Addendum (BAA), relevant to movement-based businesses operating in therapeutic, rehabilitation, or wellness contexts.
- HITRUST CSF: Health Information Trust Alliance Common Security Framework certification, providing a comprehensive approach to healthcare data security beyond HIPAA.
- GDPR: AWS offers a GDPR-compliant Data Processing Addendum (DPA) and supports the EU Standard Contractual Clauses (SCCs) for cross-border data transfers.
- CCPA: AWS services support compliance with the California Consumer Privacy Act for handling data of California residents.
- FedRAMP: Federal Risk and Authorization Management Program for US government cloud security authorisation.
- CMMC: Cybersecurity Maturity Model Certification for the US Department of Defense supply chain.
- C5 (Germany): Cloud Computing Compliance Controls Catalogue for German government and enterprise cloud requirements.
- ENS High (Spain): Spanish National Security Scheme high-level certification.
- IRAP (Australia): Information Security Registered Assessors Program for Australian government cloud security.
- ISMAP (Japan): Information system Security Management and Assessment Program for Japanese government cloud services.
- K-ISMS (Korea): Korean Information Security Management System certification.
- MTCS (Singapore): Multi-Tier Cloud Security Standard for Singapore government and enterprise cloud requirements.
- UK Cyber Essentials Plus: UK government-backed certification for cyber security best practices.
- CISPE: Cloud Infrastructure Services Providers in Europe code of conduct for GDPR-compliant cloud services.
5.3 Security Frameworks and Alignments
- NIST 800-53: AWS aligns with the National Institute of Standards and Technology Special Publication 800-53 security and privacy controls framework.
- NIST 800-171: Protection of Controlled Unclassified Information (CUI) in non-federal systems, ensuring data handling practices meet federal security requirements.
- NIST 800-172: Enhanced security requirements for critical programmes and high-value assets.
- NIST Cybersecurity Framework (CSF): AWS services are mapped to the NIST CSF, providing a structured approach to managing cybersecurity risk across Identify, Protect, Detect, Respond, and Recover functions.
- CIS Benchmarks: AWS infrastructure follows Center for Internet Security (CIS) hardening benchmarks for secure configuration of cloud resources.
As of 2025, AWS participates in over 140 security standards and compliance programmes across global, regional, and industry-specific domains. Compliance reports are independently audited by third-party assessors. For the complete and up-to-date list of AWS certifications, attestations, and framework alignments, visit the AWS Compliance Programs page; the audit reports themselves are available through AWS Artifact.
6. Authentication Security
- Firebase Authentication: User authentication is managed through Firebase Authentication, providing enterprise-grade identity management with support for email/password, Google, Facebook, Apple, Twitter/X, GitHub, Microsoft, and Yahoo sign-in methods.
- Multi-Factor Authentication (MFA): Users can enable MFA for an additional layer of account protection. We support SMS-based and authenticator app-based second factors through Firebase.
- Password Hashing: All passwords are hashed using bcrypt with a cost factor of 12, which makes offline brute-force attacks against stored hashes computationally expensive. Plaintext passwords are never stored or logged.
- JWT Token Management: Session management uses JSON Web Tokens (JWTs) with short expiration periods, secure HttpOnly cookies, and automatic token rotation. Tokens are cryptographically signed and validated on every request.
- Session Security: Sessions are invalidated on password change, account deletion, or when suspicious activity is detected. Concurrent session limits are enforced per account.
- Account Lockout: Progressive delays and temporary account lockouts are applied after repeated failed authentication attempts to prevent credential stuffing and brute-force attacks.
7. Data Encryption
- Encryption in Transit: All data transmitted between clients and our servers, and between our servers and third-party services, is encrypted using TLS 1.3. Certificate pinning is implemented for critical API connections.
- Encryption at Rest: All data stored in our PostgreSQL database (Neon) is encrypted at rest using AES-256 encryption. Database backups are also encrypted.
- Key Management: Encryption keys are managed through AWS Key Management Service (KMS) with automatic key rotation. Access to encryption keys is restricted to authorised services and personnel.
- Sensitive Field Encryption: Particularly sensitive data fields undergo additional application-level encryption before being stored in the database.
8. Access Controls
- Role-Based Access Control (RBAC): The platform implements granular role-based access with three primary roles: Business, Instructor, and Student. Each role has carefully defined permissions that limit access to only the data and functionality required for that role.
- Principle of Least Privilege: All system access — from user accounts to infrastructure services — follows the principle of least privilege. AWS IAM policies are configured to grant the minimum permissions required for each service and function.
- Administrative Access: Administrative access to production systems is restricted to a minimal set of authorised personnel. All administrative actions are logged and subject to audit review.
- API Authentication: All API endpoints require valid authentication tokens. Unauthenticated requests are rejected with appropriate HTTP status codes.
- Data Isolation: Multi-tenant data isolation ensures that businesses, instructors, and students can only access data they are authorised to view. Cross-tenant data access is prevented at the application and database layers.
9. Security Monitoring and Incident Response
We maintain continuous security monitoring and a structured incident response process:
- Real-Time Monitoring: Automated monitoring systems track application performance, error rates, and security events in real time. Alerts are configured for anomalous activity patterns.
- Audit Logging: All access to personal data, administrative actions, authentication events, and security-relevant operations are recorded in tamper-resistant audit logs.
- Incident Classification: Security incidents are classified by severity (Critical, High, Medium, Low) with defined response times and escalation procedures for each level.
- Response Team: A dedicated incident response team is on call to investigate and remediate security incidents. Response to critical incidents begins within 1 hour of detection.
- Post-Incident Review: All security incidents undergo a post-incident review to identify root causes and implement preventive measures. Findings are documented and tracked to completion.
- Breach Notification: In the event of a data breach, we follow the notification procedures outlined in our Data Processing Agreement, including 72-hour notification to supervisory authorities where required by GDPR.
10. Rate Limiting and DDoS Protection
- API Rate Limiting: All API endpoints are rate-limited to prevent abuse and ensure fair usage. Rate limits are applied per-user, per-IP, and per-endpoint, with different thresholds for authenticated and unauthenticated requests.
- Authentication Rate Limiting: Login and registration endpoints have stricter rate limits to prevent credential stuffing and brute-force attacks. Progressive delays are applied after repeated failures.
- DDoS Mitigation: Amazon CloudFront and AWS Shield provide multi-layer DDoS protection, absorbing volumetric attacks at the network edge before they reach our application servers.
- Bot Protection: Automated bot detection identifies and blocks malicious automated traffic while allowing legitimate users and search engine crawlers to access the platform.
- Request Size Limits: Request body size limits are enforced to prevent resource exhaustion attacks through oversized payloads.
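The progressive-delay and temporary-lockout behaviour mentioned under Account Lockout in section 6 and under Authentication Rate Limiting above can be shown in one place. The following is an added example, not Movement Atlas's code, and the policy numbers (3 free attempts, delays doubling from 2 seconds up to 60, a 15-minute lockout after 10 failures in an hour) are assumptions chosen for illustration. The throttle is keyed per account and per client IP, and the clock is injectable so the behaviour can be tested without waiting.

```javascript
const POLICY = {
  freeAttempts: 3,       // assumption: failures allowed before progressive delays begin
  baseDelaySeconds: 2,   // first delay; doubles with each further failure
  maxDelaySeconds: 60,   // cap on the progressive delay
  lockoutAfter: 10,      // failures within the window that trigger a temporary lockout
  lockoutSeconds: 900,   // lockout length (15 minutes)
  windowSeconds: 3600,   // failures older than this no longer count
};

class LoginThrottle {
  constructor(policy = POLICY, clock = () => Date.now() / 1000) {
    this.policy = policy;
    this.clock = clock;
    this.state = new Map(); // key -> { failures: [unix seconds], lockedUntil: unix seconds }
  }

  // Fetch the entry for a key, dropping failures that have aged out of the window.
  _entry(key, now) {
    const e = this.state.get(key) || { failures: [], lockedUntil: 0 };
    e.failures = e.failures.filter((t) => now - t < this.policy.windowSeconds);
    this.state.set(key, e);
    return e;
  }

  // Decide whether an attempt for `key` may proceed right now.
  check(key) {
    const now = this.clock();
    const e = this._entry(key, now);
    if (e.lockedUntil > now) {
      return { allowed: false, reason: 'locked', retryAfter: Math.ceil(e.lockedUntil - now) };
    }
    const n = e.failures.length;
    if (n > this.policy.freeAttempts) {
      // Exponential back-off: 2s, 4s, 8s, ... capped at maxDelaySeconds.
      const delay = Math.min(this.policy.baseDelaySeconds * 2 ** (n - this.policy.freeAttempts - 1), this.policy.maxDelaySeconds);
      const sinceLast = now - e.failures[n - 1];
      if (sinceLast < delay) return { allowed: false, reason: 'delay', retryAfter: Math.ceil(delay - sinceLast) };
    }
    return { allowed: true, reason: null, retryAfter: 0 };
  }

  recordFailure(key) {
    const now = this.clock();
    const e = this._entry(key, now);
    e.failures.push(now);
    if (e.failures.length >= this.policy.lockoutAfter) {
      e.lockedUntil = now + this.policy.lockoutSeconds;
      e.failures = []; // start fresh once the lockout expires
    }
  }

  recordSuccess(key) {
    this.state.delete(key);
  }
}

// An attempt proceeds only if neither the account key nor the IP key is throttled.
function gateLogin(throttle, { account, ip }) {
  for (const key of [`acct:${account.toLowerCase()}`, `ip:${ip}`]) {
    const r = throttle.check(key);
    if (!r.allowed) return r;
  }
  return { allowed: true, reason: null, retryAfter: 0 };
}

// A failure counts against both keys; a success clears both.
function recordLoginResult(throttle, { account, ip }, succeeded) {
  for (const key of [`acct:${account.toLowerCase()}`, `ip:${ip}`]) {
    if (succeeded) throttle.recordSuccess(key); else throttle.recordFailure(key);
  }
}
```

When `gateLogin` refuses an attempt, respond with HTTP 429 and a `Retry-After` header carrying `retryAfter`, and return the same response whether or not the account exists, so the throttle does not become a username oracle. Keying on both account and IP matters because credential stuffing spreads a few attempts per account across many accounts from one source, while a targeted attack spreads many attempts on one account across many sources; each key catches the pattern the other misses.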
11. Input Sanitisation and Injection Prevention
- Cross-Site Scripting (XSS) Prevention: All user-supplied input is sanitised and escaped before rendering. Content Security Policy headers provide an additional defence layer against XSS attacks. We use context-aware output encoding for HTML, JavaScript, URL, and CSS contexts.
- SQL Injection Prevention: All database queries use parameterised queries through our ORM (Drizzle). Raw SQL is never constructed from user input. Database permissions are configured to prevent destructive operations from application-level accounts.
- HTTP Parameter Pollution: Request parsing middleware prevents HTTP parameter pollution attacks by normalising and validating query parameters and request bodies.
- File Upload Validation: Uploaded files are validated for type, size, and content. File names are sanitised and files are stored with randomised names to prevent path traversal attacks.
- Schema Validation: All incoming API requests are validated against strict Zod schemas that enforce data types, formats, ranges, and required fields before processing.
12. Regular Security Audits
We conduct regular security assessments to identify and address vulnerabilities:
- Dependency Scanning: Automated scanning of all third-party dependencies for known vulnerabilities, with alerts configured for critical and high-severity issues. Dependencies are updated promptly when security patches are available.
- Code Review: All code changes undergo security-focused review before deployment. Critical security-related changes require review from senior team members.
- Infrastructure Review: Regular review of cloud infrastructure configurations (AWS, Firebase) to ensure security best practices are maintained, including IAM policies, network configurations, and encryption settings.
- Penetration Testing: Periodic penetration testing is conducted to identify vulnerabilities that automated tools may miss. Findings are prioritised and remediated based on severity.
- Compliance Monitoring: Ongoing monitoring of compliance with PCI DSS, GDPR, DPDP Act, and other applicable security and privacy regulations.
13. Responsible Disclosure Policy
We value the work of security researchers and encourage responsible disclosure of any vulnerabilities discovered in our platform. If you believe you have found a security vulnerability, we ask that you report it to us responsibly.
13.1 How to Report
Email: [email protected]
Subject Line: Security Vulnerability Report - [Brief Description]
Please include the following in your report:
- A detailed description of the vulnerability and its potential impact
- Steps to reproduce the issue, including any tools, scripts, or URLs used
- Screenshots or proof-of-concept code (if applicable)
- Your assessment of the severity (Critical, High, Medium, Low)
- Your contact information for follow-up
13.2 Our Commitment
- We will acknowledge your report within 2 business days
- We will provide an initial assessment and expected timeline within 5 business days
- We will keep you informed of our progress in resolving the issue
- We will credit you (with your permission) when the vulnerability is disclosed or resolved
- We will not take legal action against researchers who report vulnerabilities in good faith and comply with this policy
13.3 Guidelines for Researchers
- Do not access, modify, or delete data belonging to other users
- Do not perform actions that could degrade the service for other users (e.g., denial-of-service testing)
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it; we ask for at least 90 days from your initial report
- Only test against accounts you own or have explicit permission to test
- Do not use automated scanning tools that generate excessive traffic
- Report vulnerabilities as soon as they are discovered
14. Contact Information
For security-related concerns, vulnerability reports, or questions about our security practices:
Security Team: [email protected]
General Inquiries: [email protected]
Address: 8 The Green, Suite R, Dover, DE 19901, United States
For urgent security matters that require immediate attention, please include "URGENT" in your email subject line. Our security team monitors the security inbox continuously.