Security & Compliance

Bank-grade security.
Built under EU law.

Paylo is built in Berlin, Germany. Every invoice, approval, and payment is protected by the highest security standards — GDPR compliant, PSD2 partner, AES-256 encrypted.

  • GDPR Compliant: EU data protection
  • PSD2 Partner: Licensed Open Banking
  • AES-256 Encrypted: Bank-grade encryption
  • Built in Berlin: Data stays in the EU

Security overview

Six layers of protection on every payment

Paylo applies multiple independent security controls so that no single failure can compromise your agency's payments.

AI Fraud Detection

Every invoice is scanned before processing. Duplicate invoices, unusual amounts, unknown vendors, and changed payment details are automatically flagged for review before any payment is sent.

AES-256 Encryption

All bank tokens and sensitive data are encrypted at rest using AES-256-CBC. Data in transit is protected by TLS 1.3 — the same standard used by major European banks.

Full Audit Logs

Every invoice action, approval decision, and payment is timestamped and permanently logged. Exportable as CSV at any time for compliance review, accountants, or GDPR data subject requests.

PSD2 Open Banking

Bank connections use licensed PSD2 Open Banking providers only. Your bank credentials are never seen or stored by Paylo — authorisation uses short-lived OAuth tokens revocable at any time.

No Credential Storage

Paylo never stores your online banking username or password. Bank connections use OAuth 2.0 tokens with the minimum required permissions. You can revoke access from your bank at any time.

Row-Level Security

Every database table enforces row-level security at the database layer — not just the application. Each agency can only access their own data, enforced independently of the application code.


Data protection

GDPR compliance

Paylo is headquartered in Berlin, Germany and fully complies with the General Data Protection Regulation (EU) 2016/679.

Your rights under GDPR are fully supported

Every GDPR data subject right is available to Paylo users directly from the Account settings page — no need to contact support. Data export and account deletion are available in one click.

  • Article 15, Right of access: Request a copy of all your personal data held by Paylo at any time. ✓ Supported — data export
  • Article 16, Right to rectification: Correct inaccurate personal data from your account settings. ✓ Supported — account settings
  • Article 17, Right to erasure: Delete your account and all associated data permanently in one click. ✓ Supported — one-click delete
  • Article 20, Data portability: Export all your invoices, payments, and vendor data as CSV anytime. ✓ Supported — CSV export
  • Article 21, Right to object: Object to processing of your personal data for any purpose. ✓ Supported — contact us
  • Article 32, Security of processing: Personal data is encrypted at rest and in transit using industry-standard methods. ✓ AES-256 + TLS 1.3

Payment regulation

PSD2 compliance

Paylo operates as a technology platform using licensed PSD2 Payment Initiation Service Providers (PISPs) for all bank connections.

Licensed Open Banking providers

All bank connections are made through regulated PSD2 Open Banking providers licensed by their respective national competent authorities. Paylo never directly connects to banks — licensed intermediaries handle all bank communication under PSD2 regulation.

Strong Customer Authentication

All payment authorisations require Strong Customer Authentication (SCA) as mandated by PSD2. Clients authorise payments through their bank's own secure authentication interface — Paylo never handles authentication credentials.

OAuth 2.0 authorisation only

Bank connections use OAuth 2.0 with limited scopes — payment initiation only. Read-only account information is requested separately and only when explicitly authorised. Tokens can be revoked by the client at their bank at any time.

Payment audit trail

Every payment initiated through Paylo is logged with a unique reference, timestamp, amount, beneficiary, and authorising user. This provides a complete, tamper-evident record for regulatory review or dispute resolution.


Fraud prevention

AI fraud detection

Every invoice is scanned by our AI engine before any human sees it. Suspicious invoices are flagged automatically — preventing fraud before it happens.

1. Duplicate invoice detection
   Every invoice is checked against your history. Same invoice number, same amount from the same vendor in the same period triggers an automatic NEEDS_REVIEW flag before the invoice enters your queue.
2. Unusual amount detection
   Invoices significantly above a vendor's historical billing pattern are flagged. If your regular design freelancer suddenly invoices three times their usual rate, the AI catches it.
3. First-time vendor threshold
   New vendors above your configurable threshold are always sent through manual approval — regardless of auto-approve rules. New vendor, new bank details always require a human decision.
4. Changed payment details alert
   If a vendor's bank account details change, every subsequent invoice from that vendor is automatically flagged. This catches one of the most common forms of business email compromise (BEC) fraud.
5. Approval chain protection
   For invoices above your threshold, multiple people must approve before payment releases. No single compromised email account can result in an unauthorised payment.
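The five checks above can be stated as plain rules over an invoice and the vendor's history, which is a useful way to reason about what each one catches and what it needs (for example, "unusual amount" is meaningless until a vendor has some history). The code below is an added illustration of those rules, not Paylo's engine: the thresholds, the multiplier that defines "significantly above", the minimum history length, the field names and the sample invoices are all constructed assumptions, and the duplicate rule is read as "same invoice number, or same amount in the same period, from the same vendor".

```python
"""Rule-based invoice screening (added example; not Paylo's fraud engine).

Every threshold and field name here is an assumption made for the example.
screen_invoice() returns the list of reasons an invoice was flagged; any
non-empty list means NEEDS_REVIEW, mirroring the flag named on the page.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Invoice:
    number: str        # vendor's invoice number
    vendor: str
    iban: str          # beneficiary account printed on the invoice
    amount: float
    period: str        # billing period, e.g. "2024-06"


@dataclass(frozen=True)
class ScreeningConfig:
    new_vendor_threshold: float = 1000.0   # assumed: first-time vendor above this needs a human
    unusual_multiplier: float = 2.0        # assumed: > 2x the vendor's median amount is "unusual"
    min_history: int = 3                   # assumed: prior invoices needed before judging "unusual"
    approval_threshold: float = 5000.0     # assumed: above this, two approvers are required


DEFAULT_CONFIG = ScreeningConfig()


def screen_invoice(inv: Invoice, history: list[Invoice],
                   cfg: ScreeningConfig = DEFAULT_CONFIG) -> list[str]:
    reasons: list[str] = []
    prior = [h for h in history if h.vendor == inv.vendor]

    # 1. Duplicate: same invoice number, or same amount in the same period, from this vendor.
    if any(h.number == inv.number for h in prior):
        reasons.append(f"duplicate invoice number {inv.number} from {inv.vendor}")
    elif any(h.amount == inv.amount and h.period == inv.period for h in prior):
        reasons.append(f"same amount {inv.amount:.2f} already invoiced by {inv.vendor} in {inv.period}")

    # 2. Unusual amount: compare against the vendor's typical (median) historical amount.
    if len(prior) >= cfg.min_history:
        typical = median(h.amount for h in prior)
        if inv.amount > cfg.unusual_multiplier * typical:
            reasons.append(f"unusual amount {inv.amount:.2f} vs typical {typical:.2f}")

    # 3. First-time vendor above the configurable threshold: always a human decision.
    if not prior and inv.amount > cfg.new_vendor_threshold:
        reasons.append(f"first-time vendor {inv.vendor} above threshold {cfg.new_vendor_threshold:.2f}")

    # 4. Changed payment details: flag every invoice after the vendor's account changed
    #    (accepting the new account and resetting history is out of scope here).
    accounts_seen = {h.iban for h in prior} | {inv.iban}
    if prior and len(accounts_seen) > 1:
        reasons.append(f"bank details for {inv.vendor} differ from history")

    return reasons


def required_approvers(amount: float, cfg: ScreeningConfig = DEFAULT_CONFIG) -> int:
    """5. Approval chain: above the threshold, more than one person must approve."""
    return 2 if amount > cfg.approval_threshold else 1


def decision(inv: Invoice, history: list[Invoice],
             cfg: ScreeningConfig = DEFAULT_CONFIG) -> tuple[str, list[str], int]:
    """(status, reasons, approvers needed) for one invoice."""
    reasons = screen_invoice(inv, history, cfg)
    status = "NEEDS_REVIEW" if reasons else "AUTO_APPROVE_ELIGIBLE"
    return status, reasons, required_approvers(inv.amount, cfg)


# Constructed sample history: one vendor, three routine invoices from the same account.
HISTORY = [
    Invoice("SN-001", "Studio Nord", "DE00 SAMPLE 0001", 1200.0, "2024-03"),
    Invoice("SN-002", "Studio Nord", "DE00 SAMPLE 0001", 1200.0, "2024-04"),
    Invoice("SN-003", "Studio Nord", "DE00 SAMPLE 0001", 1200.0, "2024-05"),
]

if __name__ == "__main__":
    candidates = [
        Invoice("SN-004", "Studio Nord", "DE00 SAMPLE 0001", 1300.0, "2024-06"),  # routine
        Invoice("SN-002", "Studio Nord", "DE00 SAMPLE 0001", 1200.0, "2024-06"),  # reused number
        Invoice("SN-004", "Studio Nord", "DE00 SAMPLE 0001", 3600.0, "2024-06"),  # three times usual
        Invoice("SN-004", "Studio Nord", "DE00 SAMPLE 0002", 1200.0, "2024-06"),  # new account
        Invoice("NC-001", "Newco", "DE00 SAMPLE 0003", 2500.0, "2024-06"),        # first-time vendor
    ]
    for inv in candidates:
        print(inv.number, inv.vendor, decision(inv, HISTORY))
```

Two details matter when turning rules like these into production checks: the "unusual amount" rule needs a minimum history before it can say anything, so a brand-new vendor is covered by the threshold rule rather than the pattern rule; and the changed-details rule keeps firing until someone explicitly accepts the new account, which is what forces the human decision the page describes.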

Infrastructure

Where your data lives

All Paylo infrastructure is located within the European Union. No data is transferred to the United States or other third countries without appropriate GDPR safeguards.

  • Application server: Hetzner Cloud CPX22, Nuremberg, Germany (EU)
  • Database: Supabase (PostgreSQL), EU region (Frankfurt, Germany)
  • Email delivery: Resend, GDPR-compliant with EU data processing available (EU)
  • AI processing: Proprietary AI engine; invoice text is processed in memory and not stored or retained by the AI provider
  • Payment initiation: Yapily (PSD2 licensed), UK/EU regulated Open Banking provider (EU)
  • SSL certificate: Let's Encrypt; TLS 1.3 enforced on all connections

Summary

Compliance checklist

A quick reference for procurement, legal, and compliance teams evaluating Paylo.

Data protection

  • GDPR compliant — headquartered in Berlin, Germany
  • All data stored within the European Union
  • Data export available at any time (CSV)
  • Account and data deletion in one click
  • No data sold to or shared with advertisers
  • Data minimisation — only necessary data collected

Payment security

  • PSD2 compliant — licensed Open Banking providers only
  • Bank credentials never stored or accessed by Paylo
  • OAuth 2.0 authorisation with minimal required scopes
  • Strong Customer Authentication (SCA) enforced
  • AI fraud detection on every invoice
  • Full payment audit trail — permanently logged

Infrastructure security

  • AES-256-CBC encryption for all sensitive data at rest
  • TLS 1.3 enforced on all connections
  • Row-level security on all database tables
  • Each agency's data isolated at database level
  • Regular automated backups
  • Server located in Germany (Hetzner)

Access controls

  • Invite-only onboarding — no open registration
  • JWT-based authentication on all API requests
  • Admin panel restricted to authorised email only
  • Approval chain email tokens expire after 7 days
  • Password reset via secure email link only
  • One-click sign out from all devices

Questions about security or compliance?

Our team is based in Berlin and happy to answer questions from your legal, procurement, or compliance team.
