Security

The honest picture, today.

We're a new company handling merchant and customer data. Here's what we do, what we don't, and what's on the roadmap — without the fluff.

Company information

Legal entity: Bystal LLC (limited liability company, State of Delaware, USA)
Mailing address: 12909 Mukilteo Speedway, Apt F06, Lynnwood, WA 98087 · United States
General contact: contact@bystal.com, +1 (360) 210-1746

What we do today

  • TLS everywhere. All traffic between your store, our app, and the payment rails is encrypted in transit over TLS 1.2+.
  • Encryption at rest. Databases and object storage are encrypted at rest using managed keys (AES-256) on our cloud provider.
  • Least privilege. Internal access to production data is role-scoped, 2FA-required, and logged. No shared admin credentials.
  • Isolated environments. Production, staging, and development are fully segregated. Merchant data doesn't leave production.

What's in progress

  • SOC 2 Type II — audit scoped, fieldwork underway.
  • Public status page and uptime history.
  • A dedicated trust center covering DPA, subprocessors, and retention schedules.

Reporting a vulnerability

If you think you've found a security issue, we want to know. Email security@bystal.com with reproduction steps and we'll respond within one business day. We don't run a bug bounty yet, but we credit responsible disclosures publicly once fixed.