Trust, by Design.

SpacePay's payment infrastructure is built with security at every layer. From the smart contract execution environment to the fiat settlement pipeline, every component is designed to minimise attack surface and protect merchant and end-user data.

All data transmitted between merchants, customers, and SpacePay is encrypted using TLS 1.3. API keys and sensitive credentials are encrypted at rest using AES-256. No plaintext secrets are ever stored in application logs or databases.

SpacePay operates on a fully non-custodial basis. At no point do we take possession of, control, or have access to customer crypto-assets or private keys. Transactions flow directly from the customer's wallet through our smart contract layer to settlement.

SpacePay does not generate, store, or manage private keys on behalf of merchants or their customers. Wallet interactions happen entirely client-side through the customer's own wallet application.

Crypto-to-fiat conversion happens at the moment of transaction. Merchants receive the exact fiat amount quoted at checkout, eliminating exposure to price volatility and removing the need for any crypto custody.

SpacePay's smart contract layer validates every transaction at the protocol level. Token type, network, and payment amount are verified on-chain before settlement is initiated. Invalid or unsupported transactions are rejected automatically.

Every payment processed through SpacePay is recorded on the blockchain, providing an immutable, publicly verifiable audit trail. Transaction hashes, timestamps, and settlement references are available to merchants through the dashboard and API.

SpacePay implements comprehensive anti-money laundering and know-your-customer procedures for all merchant onboarding. This includes identity verification, beneficial ownership checks, sanctions screening, and ongoing transaction monitoring powered by Chainalysis.

SpacePay's compliance framework is designed to align with MiCA (Markets in Crypto-Assets Regulation), AMLD6, the Transfer of Funds Regulation, GDPR, and the ePrivacy Directive. We work proactively with legal counsel to adapt to evolving regulatory requirements across all jurisdictions in which we operate.

All transactions are screened in real time against sanctions lists and risk indicators. Suspicious activity is flagged, investigated, and reported to the relevant authorities in accordance with applicable law.

SpacePay processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679. We maintain a comprehensive privacy framework that includes lawful basis assessments, data minimisation, retention policies, and full support for data subject rights including access, rectification, erasure, and portability.

We collect only the personal data strictly necessary to provide our services, fulfil regulatory obligations, and prevent fraud. We do not sell personal data to third parties and do not use it for advertising purposes.

All third-party sub-processors are subject to due diligence, contractual data protection obligations, and ongoing monitoring. A full list of sub-processors is published in our legal documentation.

SpacePay's infrastructure is hosted on enterprise-grade cloud platforms with SOC 2 Type II certification. All environments are isolated, access-controlled, and monitored continuously for anomalous activity.

API access is authenticated via unique merchant API keys with scoped permissions. Rate limiting, IP allowlisting, and webhook signature verification are available to all merchants. All API traffic is served exclusively over HTTPS.

SpacePay maintains a documented incident response plan covering detection, containment, investigation, notification, and remediation. In the event of a security incident affecting personal data, affected parties and supervisory authorities will be notified within the timeframes required by GDPR.

If you discover a security vulnerability, please report it to support@spacepay.co.uk. We take all reports seriously and will respond promptly.