What we can prove.
We publish only the controls and certifications we can evidence.
Payment data boundaries
Raw card data is handled by regulated, PCI-DSS Level 1 payment institutions and is not stored by ExosPay.
Encryption
Sensitive data is encrypted in transit and at rest using controls documented in our security program.
Business and sanctions screening
Every applicant is reviewed through business-verification, anti-money-laundering, and sanctions-screening controls before approval.
Audit trails and reconciliation
Transaction records support traceable audit trails, double-entry accounting, and reconciliation review.
Card payments run on regulated, PCI-DSS Level 1 payment institutions. ExosPay is the merchant of record — not a payment processor — and never stores raw card data.
Certifications are published when complete.
Independent audits and certifications are published here as they are completed. We claim only what we can evidence.
Start with a reviewed relationship.
Approved sellers receive written scope, pricing, settlement, and control terms before activation.
Every application is reviewed