# Data Privacy, Access Control and Monitoring

As a PCI DSS Level 1–certified payment service provider, we take data protection very seriously. Our goal is to keep your customers' sensitive information safe while making your own compliance requirements as simple as possible.

## Data protection and minimization

We have a "zero storage" policy for **sensitive authentication data**. This includes things like CVV codes, PINs, or magnetic stripe data. Once a transaction is authorized, this information is immediately and securely wiped from our systems.

## Advanced encryption and security

We use multiple layers of protection to keep cardholder data secure. This includes **AES-256 encryption** for any data we store and TLS 1.2 or higher for any data being sent across the network. For recurring payments, we use **format-preserving tokenization**, which lets you process future charges without ever having to handle the actual card numbers yourself.

When you do see card information in our systems, we use **masking** to hide the primary account numbers (PANs), showing only the last few digits. Behind the scenes, we protect this data with strong encryption, rotate our security keys every year, and strictly control who has access to the systems.

## Access control and monitoring

We're very picky about who gets access to our systems. We use **multifactor authentication** (MFA) and follow the "least-privilege" principle – meaning our staff only get access to the specific tools and data they need to do their jobs. Every user has a unique ID, so we always know who is doing what.

Our Security Operations Center (SOC) is on duty 24/7. They use advanced monitoring tools to watch for any suspicious activity and can respond to threats in real time. We also keep detailed **audit trails**, which are digital logs that record every important action in our system, helping us meet strict compliance rules.

## Compliance and data rights

In addition to our PCI DSS Level 1 certification, we also maintain ISO 27001 and ISO 27701 [certifications](/pay/security/certifications.md). These are international standards that prove we have a solid system in place for managing both general security and personal privacy. We're also fully compliant with privacy regulations like the **GDPR**.

We want to make it easy for you to respect your customers' privacy. We provide tools to help you handle **data subject rights requests** (when a customer wants to see or delete their data) and give you access to all the compliance documents you might need, such as our Attestation of Compliance (AoC).

By working together, we can make sure your business stays safe, compliant, and respectful of your customers' privacy.
---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://developers.hyp.co.il/pay/security/data-privacy.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
