Security — AloraPay

Encryption everywhere

TLS 1.3 in transit. AES-256 at rest. All payment data tokenised via PCI-DSS certified processor.

PCI-DSS compliant

Card data never touches AloraPay servers. We partner only with certified payment processors.

24/7 monitoring

Real-time anomaly detection, automated alerts, and a dedicated on-call security rotation.

Infrastructure Security

AloraPay is hosted on enterprise-grade cloud infrastructure with built-in physical and logical security controls.

ISO 27001 certified data centres

All production infrastructure resides in data centres with ISO 27001 certification, 24/7 physical security, and biometric access controls.

Network segmentation

Production, staging, and development environments are strictly isolated. Payment processing infrastructure is in a dedicated network zone with additional perimeter controls.

DDoS protection

Automated DDoS mitigation with real-time traffic analysis and capacity-based rate limiting to maintain platform availability during attack events.

High availability architecture

Multi-zone redundancy with automatic failover ensures restaurant operations are not disrupted by single infrastructure failures. Target uptime: 99.95%.

Encryption

In Transit

All data transmitted between clients (guest browsers, admin dashboards, kitchen displays) and AloraPay servers is encrypted using TLS 1.3. We enforce HTTPS-only connections with HTTP Strict Transport Security (HSTS) headers and reject connections using deprecated protocols (TLS 1.0, 1.1).

        # TLS configuration headers served on all AloraPay endpoints
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
Referrer-Policy: strict-origin-when-cross-origin
      

At Rest

All data stored by AloraPay — including transaction records, merchant account data, and operational logs — is encrypted at rest using AES-256. Encryption keys are managed using a dedicated key management service with automatic rotation on a 90-day cycle.

Database Encryption

Database volumes are encrypted at the storage layer. Sensitive fields — such as bank account references and tax identifiers — are additionally encrypted at the application layer using field-level encryption before storage.

Payment Security

Payment card data is among the most sensitive data processed through AloraPay. We have designed our architecture so that raw card data never enters our systems.

Card data never touches AloraPay servers

Card entry is handled entirely within an iframe served by our PCI-DSS Level 1 payment processor. AloraPay receives only a payment token — never raw card numbers, CVCs, or full expiry dates.

PCI-DSS Level 1 compliance

Our payment processing partners hold PCI-DSS Level 1 certifications — the highest available. AloraPay itself maintains SAQ-A eligibility because card data is never processed or stored on our infrastructure.

Fraud detection

Real-time transaction analysis checks velocity, device signals, and behavioural patterns to identify and block suspicious payment attempts before they complete.

3D Secure support

AloraPay supports 3D Secure (3DS2) authentication for card transactions where required by the issuing bank or requested by the Merchant, providing an additional layer of cardholder verification.

PCI-DSS SAQ-A TLS 1.3 Enforced AES-256 Encryption

Access Controls

Internal Access

AloraPay employees follow strict least-privilege access principles. Access to production systems and customer data is granted only to individuals with a documented operational need, is time-limited, and is reviewed quarterly. All privileged access requires multi-factor authentication (MFA).

Merchant Admin Access

Merchant admin dashboard accounts are protected by:

Strong password requirements (minimum 12 characters, complexity rules enforced).
Multi-factor authentication — available to all Merchants, mandatory for accounts with payment configuration access.
Role-based access control (RBAC) — Merchants can grant staff restricted access with view-only or operational roles.
Session timeout after 30 minutes of inactivity.
Login anomaly detection with automated alerts for unusual sign-in patterns.

Audit Logging

All administrative actions — including menu changes, table configuration updates, and payout adjustments — are recorded in a tamper-evident audit log. Merchants can review their own audit log in the admin dashboard. AloraPay retains audit logs for a minimum of 2 years.

Application Security

Secure Development Lifecycle

Security is integrated into every stage of our development process — from design reviews that assess threat models, to mandatory security code review for all changes touching authentication, payments, or data access, to automated static analysis in the CI/CD pipeline.

Penetration Testing

AloraPay engages independent third-party security firms to conduct annual full-scope penetration tests. Critical findings are remediated within 14 days. A summary of the most recent assessment is available to Merchants on request under NDA.

Dependency Management

All third-party software dependencies are tracked using a software bill of materials (SBOM). Automated vulnerability scanning runs daily, and critical CVEs are patched within 48 hours of disclosure.

OWASP Top 10

Our application security programme is aligned with the OWASP Top 10 framework. We maintain controls against injection attacks, broken authentication, cross-site scripting (XSS), CSRF, insecure deserialization, and all other categories in the current OWASP Top 10.

Monitoring & Incident Response

24/7 Security Operations

Our infrastructure is monitored continuously with automated anomaly detection. An on-call security engineer is available at all times to investigate and respond to alerts.

Incident Response

In the event of a confirmed security incident, AloraPay follows a structured response process:

Detection & containment: Within 1 hour of confirmed incident.
Merchant notification: Within 24 hours if merchant or guest data is involved.
Regulatory notification: Within applicable statutory timeframes in each operating jurisdiction.
Root cause analysis & remediation: Published internally within 5 business days.

Business Continuity

AloraPay maintains tested business continuity and disaster recovery plans. Recovery time objectives (RTO) and recovery point objectives (RPO) are validated through scheduled drills twice per year.

Compliance & Certifications

AloraPay operates across multiple regulatory jurisdictions and maintains compliance with applicable standards in each territory:

Trinidad & Tobago: Data Protection Act 2011; Payment Systems Act compliance as administered by the Central Bank of Trinidad & Tobago (CBTT).
Jamaica: Data Protection Act 2020.
Guyana: Applicable financial services regulations administered by the Bank of Guyana.
ECCU territories: ECCB regulatory guidelines for electronic payment systems.
Ghana: Data Protection Act 2012 (Act 843); Bank of Ghana payment systems directives.
Global: PCI-DSS for payment card data handling; GDPR-aligned principles applied globally as a baseline standard.

Data Handling & Retention

AloraPay applies data minimisation principles — we collect only what is necessary to operate the platform and comply with legal obligations. Data is classified by sensitivity and handled accordingly:

Payment tokens: Retained only for chargeback and dispute resolution purposes (up to 18 months), then purged.
Transaction records: Retained for 7 years to meet accounting and tax compliance requirements.
Operational logs: Retained for 90 days, then deleted or anonymised.
Audit logs: Retained for 2 years in tamper-evident storage.
Guest session data: Purged at session end; anonymised analytics retained for 90 days.

Data deletion requests from Merchants or guests are processed within 30 days, subject to mandatory retention obligations. See our Privacy Policy for full details.

Security Best Practices for Merchants

AloraPay can only protect what falls within our control. We strongly recommend Merchants take the following steps to protect their accounts and their guests:

Enable multi-factor authentication (MFA) on all admin dashboard accounts — especially owner and manager accounts.
Use unique, strong passwords for AloraPay accounts. Do not reuse passwords from other services.
Review your admin account user list regularly and remove access for staff who have left or changed roles.
Keep the devices used to access the admin dashboard updated with the latest operating system and browser security patches.
Be alert to phishing attempts. AloraPay will never ask for your password via email, phone, or chat.
Report any suspicious account activity immediately to security@alorapay.com.

Responsible Disclosure

We welcome the security research community's help in identifying vulnerabilities in the AloraPay platform. If you believe you have found a security vulnerability, please report it to us responsibly.

Reporting a vulnerability

📧 security@alorapay.com

Please include a clear description of the vulnerability, steps to reproduce, and your assessment of its potential impact. We will acknowledge your report within 48 hours and aim to provide a resolution timeline within 5 business days.

We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate it. We will credit researchers in our security acknowledgements for verified findings, with their consent.

AloraPay does not operate a bug bounty programme at this time, but we are grateful for responsible disclosures and will recognise contributors publicly.

Contact Our Security Team

For security enquiries, incident reports, or questions about our security programme, contact us at:

AloraPay Security Team

📧 security@alorapay.com — for vulnerability reports and security enquiries

📧 privacy@alorapay.com — for data protection and privacy matters

📬 AloraPay Limited., Port of Spain, Trinidad & Tobago

For urgent security matters such as suspected breaches or active fraud, please mark your message "SECURITY — URGENT" for priority handling.

Security at AloraPay