Security & Trust

Built to keep your store safe.

Security is not a feature — it's the foundation. Here's how we protect every merchant and every customer on Cartico.

PCI-DSS Compliant
GDPR Compliant
TLS 1.2+ Encryption
ISO 27001 Infrastructure
EEA Data Residency
RBAC & Audit Logs

Security by design

Every layer of the Cartico platform is built with security as a first principle.

Encryption at rest & in transit

All data is encrypted at rest using AES-256. All traffic is encrypted in transit over TLS 1.2+. SSL certificates are provisioned automatically for every store domain.

PCI-DSS compliance

Cartico is PCI-DSS compliant. We never store raw card data — payment credentials are handled exclusively by certified payment processors (Stripe, Teya, etc.).

Secure infrastructure

Hosted on ISO 27001-certified infrastructure with automated backups, redundant availability zones, and 24/7 infrastructure monitoring.

Access control

Role-based permissions for every team member. Admin actions are logged with full audit trails. Two-factor authentication is available on all accounts.

Automatic security updates

Our platform dependencies are continuously monitored for vulnerabilities. Critical patches are deployed within 24 hours of disclosure.

GDPR & data residency

Cartico is operated from Iceland — within the European Economic Area — and fully compliant with GDPR. We never sell merchant or customer data.

Technical practices

What we do under the hood to keep the platform hardened.

  • All passwords are hashed with bcrypt (cost factor 12+)
  • Session tokens are rotated on every login and invalidated on logout
  • Rate limiting applied to all authentication endpoints
  • SQL queries use parameterised statements throughout — no raw interpolation
  • Dependencies audited automatically on every deployment
  • Subresource integrity (SRI) enforced on all third-party scripts
  • HTTP security headers configured on all responses (CSP, HSTS, X-Frame-Options)
  • Webhook payloads signed with HMAC-SHA256 for tamper detection
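The last item above, webhook signing with HMAC-SHA256, is the one a merchant integrating with the platform has to get right on the receiving side. The following is an added example, not Cartico's own code or its documented scheme: the header names, the timestamp-binding format and the 5-minute skew window are assumptions for illustration. It shows the two checks a receiver needs so that the signature actually detects tampering: a constant-time comparison of the MAC, and a freshness check so a captured delivery cannot simply be resent later.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Assumed header names and scheme (not taken from the page): the MAC is computed
# over "<timestamp>.<raw body>" so the timestamp is covered by the signature.
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300  # assumed replay window


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex-encoded HMAC-SHA256 over 'timestamp.body' (sender side)."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def make_headers(secret: bytes, timestamp: int, body: bytes) -> Dict[str, str]:
    """Headers a sender would attach to a delivery (constructed for the demo)."""
    return {
        SIGNATURE_HEADER: sign_payload(secret, timestamp, body),
        TIMESTAMP_HEADER: str(timestamp),
    }


def verify_webhook(secret: bytes, headers: Dict[str, str], body: bytes,
                   now: Optional[int] = None) -> bool:
    """Receiver side: reject missing, stale, or tampered deliveries.

    Verification runs over the raw request bytes, never over a re-serialised
    JSON object, because any re-encoding difference would break the MAC.
    """
    signature = headers.get(SIGNATURE_HEADER)
    timestamp = headers.get(TIMESTAMP_HEADER)
    if signature is None or timestamp is None:
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False

    # Freshness: a delivery outside the window is rejected even if the MAC is valid,
    # which limits how long a captured request stays replayable.
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False

    expected = sign_payload(secret, ts, body)
    # Constant-time comparison: a plain == would leak how many leading bytes match.
    return hmac.compare_digest(expected, signature)


# Constructed sample delivery (secret and event are demo values, not real ones).
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"
DEMO_TS = 1_700_000_000
DEMO_BODY = json.dumps({"event": "order.paid", "order_id": "ord_demo_1"}).encode()


def demo() -> Dict[str, bool]:
    """Run the receiver against a good delivery, a tampered one, and a stale one."""
    headers = make_headers(DEMO_SECRET, DEMO_TS, DEMO_BODY)
    tampered = DEMO_BODY.replace(b"ord_demo_1", b"ord_demo_2")
    return {
        "genuine": verify_webhook(DEMO_SECRET, headers, DEMO_BODY, now=DEMO_TS),
        "tampered_body": verify_webhook(DEMO_SECRET, headers, tampered, now=DEMO_TS),
        "replayed_late": verify_webhook(DEMO_SECRET, headers, DEMO_BODY,
                                        now=DEMO_TS + MAX_SKEW_SECONDS + 1),
        "no_headers": verify_webhook(DEMO_SECRET, {}, DEMO_BODY, now=DEMO_TS),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The secret is shared out of band and is never part of the request; the receiver must also read the raw body before any framework parses it, otherwise the bytes being signed and the bytes being verified can silently differ.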

Responsible disclosure

If you discover a security vulnerability in Cartico, please report it to us privately. We take all reports seriously and will respond within 48 hours. We ask that you do not publicly disclose the issue until we have had a chance to address it.

security@cartico.com

Questions about security?

Our team is happy to answer security questions for enterprise customers and partners.