// SECURITY & COMPLIANCE

The smaller our
data footprint,
the safer everyone is.

Quarvo is built on a deliberate architectural choice: we never custody funds, we never store card numbers, and we sit alongside your existing Stripe account rather than between you and it. The result is a security posture that's smaller than it looks on first glance — and easier to audit.

// LAST UPDATED · MAY 2 · 2026 // VERSION · 1.2

Three architectural choices that define our security posture

// PILLAR 01 · NEVER A MONEY TRANSMITTER

Funds never touch Quarvo's accounts

We run as a Stripe Connect platform. Every payment intent is created on the merchant's own Stripe account. Quarvo's fee is collected via application_fee_amount, deducted from the merchant's settlement — we never act as an intermediary holding customer funds. This is a deliberate choice that keeps us out of the money-transmission compliance category and reduces every operational risk that comes with custodying money.

// PILLAR 02 · ZERO RAW PAN STORAGE

We never see, store, or process raw card numbers

Card data is captured by Stripe Elements (PCI-DSS Level 1 compliant) directly in the customer's browser, tokenized to a pm_xxx token, and only the token ever touches Quarvo infrastructure. The raw PAN, CVV, and full expiry are out of scope for our environment. Stripe carries the PCI burden; we benefit from inheriting their controls without inheriting their attack surface.

// PILLAR 03 · ATOMIC OR NOTHING

Customers never see partial charges

The two-phase commit pattern guarantees that all N card authorizations either complete together or none commit. If any auth fails or times out in Phase 1, every successful auth is voided before the customer sees the error. The customer's available credit on each card is restored within minutes. This is a security property as much as a UX one — partial-state failures are how trust is broken.

How data actually flows

The simplest way to understand our security model is to see what data goes where. Card data never touches Quarvo. Personal data is minimal. Merchant funds always settle through the merchant's own infrastructure.

Quarvo data flow — single transaction
// HAPPY PATH · 2-CARD SPLIT · CUSTOMER → MERCHANT
// 01
Customer browser
card data (transient)
// 02
Stripe Elements
pm_xxx tokens
// 03
Quarvo coordinator
tokens + amounts
// 04
Merchant Stripe
N PaymentIntents
What Quarvo stores: tokenized references (pm_xxx), transaction amounts, session IDs, merchant account IDs. What Quarvo never stores: card numbers, CVVs, customer SSN, customer addresses (those stay with Stripe and the merchant).

What we collect from merchants

What we collect from customers

Encryption

In transit

All Quarvo APIs require TLS 1.2 or higher. Internal service-to-service communication uses mutual TLS (mTLS) where possible, plain TLS otherwise. Customer-facing endpoints enforce HSTS with a 12-month max-age and the preload directive.

At rest

Database storage uses AES-256-GCM. Encryption keys are managed in a hardware security module (HSM) rotated quarterly. Sensitive fields (merchant API keys, webhook signing secrets) are wrapped with envelope encryption — even a database breach exposes only ciphertext.

Backups

Encrypted at rest with separate key material from the primary database. Backup access requires multi-party authorization (no single engineer can decrypt). Retention: 30 days hot, 90 days cold.

Compliance roadmap

We're transparent about where we are on each compliance track. Some are in place, some are in progress, and some are planned for once the platform reaches the volume tier where they're required.

Standard / Framework Status ETA
PCI DSS scope reductionvia Stripe Elements tokenization
// LIVE
SAQ A
SOC 2 Type IIannual audit, full report on request
// IN PROGRESS
Q4 2026
CCPA / CPRA complianceCalifornia consumer privacy act
// LIVE
DSAR portal active
GDPR complianceEU general data protection regulation
// LIVE
DPO appointed
ISO 27001information security management
// PLANNED
2027
PCI DSS Level 1 (merchant)required only if we expand PAN scope
// NOT REQUIRED
Stripe carries scope

Subprocessors

The full list of vendors that may process Quarvo customer or merchant data. We notify customers 30 days in advance of any addition. Last reviewed: May 2026.

Stripe
Payment processing, card tokenization, Connect platform infrastructure.
US · IRELAND PCI L1 SOC 2
Vercel
Frontend hosting, edge functions, static asset delivery.
US SOC 2
Supabase
Postgres database, application data, encrypted at rest.
US · EU SOC 2
Cloudflare
DNS, DDoS mitigation, WAF on customer-facing surfaces.
GLOBAL SOC 2
Loops
Transactional and waitlist email delivery.
US SOC 2
Plaid
Bank-level card auth (read-only available-credit data).
US SOC 2

Incident response

If we detect a security incident affecting customer or merchant data, we follow a documented response plan:

  1. Hour 0–1 — Containment. Affected systems are isolated; on-call engineer paged; incident commander assigned.
  2. Hour 1–4 — Triage. Scope of impact determined; preserved evidence collected; preliminary root cause identified.
  3. Hour 4–24 — Customer notification. Affected merchants notified by email and in-dashboard banner. Initial public statement on status page if widely material.
  4. Days 1–7 — Remediation. Root cause fixed in production; controls added to prevent recurrence; post-mortem published internally.
  5. Days 7–14 — Public post-mortem. For incidents affecting more than 5 merchants or any customer card data, we publish a detailed post-mortem on the changelog.

Regulatory notification (GDPR Article 33: 72 hours; state-level breach laws: varies) is handled in parallel with customer notification.

Vulnerability disclosure

If you find a vulnerability, please tell us.

We operate a coordinated vulnerability disclosure (CVD) program. Researchers who report security issues responsibly will receive prompt acknowledgment, regular updates on remediation progress, and (where applicable) public credit in our changelog.

Out of scope: social engineering, physical attacks, third-party services not operated by Quarvo, denial-of-service attacks against production.

Safe harbor: We will not pursue legal action against researchers acting in good faith and within the program's rules.

// EMAIL: security@quarvo.io // PGP: available on request // MEDIAN RESPONSE: < 24h

Need a security questionnaire filled out?

For high-AOV merchants in regulated verticals (healthcare, finance, B2B procurement), we maintain a pre-completed CAIQ-Lite and SIG-Lite ready to share under NDA.

Email security@quarvo.io →