# Network Security at Hyp

We've built our network with security as the foundation, using multiple layers of protection to keep cardholder data safe. Our approach is based on the principle that no network traffic should be trusted by default – everything must be verified and authorized.

## How we protect our network

Hyp's network security follows a **zero-trust architecture**, which is a fancy way of saying that we don't trust any connection automatically. Whether a request comes from inside or outside our system, it must be authenticated, authorized, and encrypted.

We use a **defense-in-depth** strategy, which means we have multiple security layers (like VLANs, firewalls, and specialized software) stacked on top of each other. Even if one layer were to fail, the others are there to keep things secure.

We also make sure all our systems are **hardened** according to industry standards. This means we change all the factory default settings, remove any services we don't absolutely need, and constantly watch for any new threats or unauthorized changes.

## Security controls and monitoring

We have a lot of eyes on our systems at all times. Our platform uses **advanced firewalls** that only allow the most necessary traffic through. We also perform regular "health checks" on our security, including quarterly **vulnerability scans**, monthly **internal assessments**, and annual **penetration tests** where we hire experts to try and find any weak spots.

Our intrusion detection systems monitor our network segments in real-time, and we have a **security operations center** that stays on watch 24/7. When it comes to software updates, we're quick to act – we apply critical patches within 30 days, and if there's an emergency vulnerability, we can have a fix ready in as little as 24 hours.

## Supported cipher suites

We use strong encryption to protect every piece of data that travels across our network. We do this using carefully selected cipher suites, which are the specific algorithms used to encrypt your connection. Here's the current list of supported cipher suites:

**TLS 1.3 (Preferred):**

* TLS\_AES\_256\_GCM\_SHA384
* TLS\_CHACHA20\_POLY1305\_SHA256
* TLS\_AES\_128\_GCM\_SHA256

**TLS 1.2 (Supported):**

* TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384
* TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256
* TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384
* TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256
* TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384
* TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256
* TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA256
* TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA256

These lists are regularly updated to stay ahead of new security research. We recommend making sure your own systems match our supported list so you get the best possible security and compatibility.
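One way to check a client against the list above, as an added example that is not Hyp's own code: it compares the suites a client offers with the supported list and marks the shared ones that use static RSA key exchange (no forward secrecy) or CBC mode (not AEAD). The function names and the sample offer are constructed for illustration.

```python
# Suites copied from the page (IANA names), in the order the page lists them.
HYP_TLS13 = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
             "TLS_AES_128_GCM_SHA256"]
HYP_TLS12 = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
]
HYP_SUPPORTED = HYP_TLS13 + HYP_TLS12


def properties(suite):
    """Derive forward-secrecy and AEAD status from an IANA suite name."""
    tls13 = "_WITH_" not in suite  # TLS 1.3 names carry no key-exchange part
    key_exchange = "" if tls13 else suite.split("_WITH_")[0][len("TLS_"):]
    return {
        "tls13": tls13,
        # TLS 1.3 full handshakes use ephemeral (EC)DHE; static RSA does not.
        "forward_secrecy": tls13 or key_exchange.startswith(("ECDHE", "DHE")),
        "aead": any(m in suite for m in ("_GCM_", "CHACHA20_POLY1305", "_CCM")),
    }


def audit(client_offer):
    """Compare a client's offered suites with the page's supported list."""
    common = [s for s in HYP_SUPPORTED if s in client_offer]
    flagged = [s for s in common
               if not (properties(s)["forward_secrecy"] and properties(s)["aead"])]
    return {
        "common": common,  # suites both sides support, in page order
        "not_on_page": [s for s in client_offer if s not in HYP_SUPPORTED],
        "no_fs_or_not_aead": flagged,
        "compatible": bool(common),
        "fs_and_aead_only": bool(common) and not flagged,
    }


# Constructed sample offer: one suite is not on the page, one is RSA + CBC.
SAMPLE_OFFER = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
]
```

Run `audit()` on the suites your TLS library is configured to offer, translated to IANA names; a client whose only shared suites appear under `no_fs_or_not_aead` can connect but would be better served by enabling a TLS 1.3 or ECDHE GCM suite.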

