Security at Spreedly

Nothing’s more important than your peace of mind and confidence when processing a transaction through the Spreedly platform. Our platform processes over $30 billion in digital commerce transactions annually and it is our goal to bring a flexible and secure payments strategy to all businesses.

Below are just a few of the ways that Spreedly takes proactive steps both online and offline to ensure your customer’s financial information is secure, while still allowing you to process transactions seamlessly.

“Security is a foundational tenet at Spreedly and it is, in part, how we gain trust from our customers. We are committed to meeting and exceeding security and compliance requirements in order to properly support our growing, global customer base.”

— Jennifer Rosario, Chief Information Security Officer (CISO)
a person sitting at a laptop with an image of a credit card and a safe above them
Compliance and Certificates
Spreedly is certified for a number of compliance standards and undergo third party audits to test for data safety, privacy and security. Below we have included an overview of the certifications and links to additional information when needed.
SOC 2 Type 2 certification

Spreedly has passed its SOC 2 Type 2 audit with no exceptions. Read more here.

Level 1 PCI

Spreedly is Level 1 PCI compliant — the highest and strictest level — and is on the Visa Global Registry of Service Providers and the Mastercard SDP Compliant Registered Service Provider list. You can find our supporting documentation on our PCI page. You can also view our attestation of compliance here.

PCI Security Standards Council  (PCI SSC)

Spreedly partners with other participating organizations to work with the PCI SSC to help secure payment data worldwide through the ongoing development and adoption of the PCI Security Standards. Learn more about our participation here.


Spreedly’s 3DS2 solution is a multi-factor authentication protocol used to confirm digital identity during card not present checkout to prevent fraud. The solution is EMVCo certified including our iOS and Android SDKs as well.

Network Tokenization

Spreedly is a vendor neutral Network Token Provider  and certified with both Visa and Mastercard. Knowing that Network Tokenization requires a cryptogram on the initial creation this provides an added layer of security when vaulting and using cards for future use. More information can be found here.

Personal Data Use And Processing


Spreedly is General Data Protection Regulation (GDPR) compliant effective May 25th 2018, and will maintain GDPR compliance for all the processors and sub processors in our technology stack where we decide on your behalf how data will be processed. More information about our GDPR compliance can be found here.

Privacy Shield

Spreedly remains a member of the US Privacy Shield which may afford customers with additional enforcement options as data protection laws are enforced in-country by the U.S. Department of Commerce. Spreedly also utilizes Standard Contractual Clauses with EU Data Controllers to ensure compliance with EU law regarding data protection. View our Privacy Policy here.


Is Spreedly impacted by the log4j vulnerability?

Spreedly conducted a log4j vulnerability investigation of our critical vendors and the vulnerability was either not applicable or remediated. The log4j risk to Spreedly has been deemed low risk.

Hosting Security

Spreedly operates in a cloud based environment via AWS with multiple mechanisms in place to ensure resiliency and business continuity. For more information please reference the AWS datacenter PCI L1 compliance page,  which certifies extensive physical protections as well, and houses various other banking, government, and security agencies.

Data in Transit

Spreedly requires TLS v1.2 for its Core transactional API when support by the connecting client. Beyond that single requirement, Spreedly’s secure configuration currently warrants an A+ rating from SSL Labs, meaning that Spreedly’s website security is resilient to attacks exploiting older weaker TLS versions.

Data at Rest

Spreedly uses the Advanced Encryption Standard (AES) with 256-bit keys when encrypting confidential data within the vault.  Each confidential record within the vault is encrypted using a separate, randomly generated, encryption key.  This key itself is then further protected by encrypting with an asymmetric key (RSA, 2048 bits).

Corporate Security

Ongoing Security Evaluation

Vulnerability Management / Penetration Testing / Red-Team Exercises.

These terms mean different things to different organizations but they each share in representing a continuum of constantly assessing and improving information security — from known patchable vulnerabilities, syntactical coding exploits, and semantic process deficiencies. Spreedly performs all three of these assessment types (including social engineering tests such as phishing tests) on a regular basis in addition to process-only table top exercises that seek to assess and improve our incident response to common likely and impactful threats such as ransomware.

Continued Approach to Security

From an architectural perspective, Spreedly seeks to embrace Google’s BeyondCorp security ideals where access to resources are fully authenticated, fully authorized, and fully encrypted based upon user credentials (with Multi-Factor Authentication). And we measure our resilient information security posture against the NIST Cyber Security Framework, bettering our ability to prevent, detect, and respond to information security attacks.


Contact Us and we'll get your questions answered.

See Payment Services
See Payment Gateways
Get Your Payments Grade
Contact Us
mathias fonseca's photo
Hover me!
"Extremely clear documentation and awesome testing environment. It took me literally 20 minutes to test everything"
Mathias Fonseca
peter moody's photo
"Spreedly has allowed us to keep our development time focused on improving our platform.”
Peter Moody
Justin wheeler's photo
"Leaning on Spreedly's technology is going to allow you to get to market faster.”
Justin Wheeler
armando rivas logo
"Cabify is a global business, working with different gateways. In this scenario, the fact of being informed about their behaviour is key, as minimal issues could lead to a severe economic impact."
Armando Rivas
lance carlson's photo
"There's a lot of compliance and security issues that come along with taking payments. That's actually a big reason why we came to Spreedly."
Lance Carlson

Hundreds of Happy Customers

See why 500+ innovative companies use Spreedly to orchestrate their payments.