
Security posture

The short version of what PayDam touches before you connect Stripe.

PayDam is a branded recovery layer around Stripe Smart Retries. Stripe remains your payment processor and billing system. PayDam reads the invoice, customer, subscription, and recovery-event data needed to send branded recovery emails and keep the dashboard current.

Stripe connection scopes

PayDam supports Stripe Connect OAuth and a restricted-key fallback. The manual restricted-key path pre-fills these Stripe permissions:

  • rak_customer_read
  • rak_invoice_read
  • rak_invoice_write
  • rak_subscription_read
  • rak_payment_method_read
  • rak_webhook_endpoint_read
  • rak_webhook_endpoint_write
  • rak_billing_portal_session_write
  • rak_charge_read
  • rak_checkout_session_write

Stripe OAuth uses Stripe Connect's read_write authorization flow. PayDam does not request raw card number, CVC, bank-account-number, payout-management, or unrelated charge-initiation access in the restricted-key flow.

Data boundaries

  • PayDam stores: account and workspace settings, Stripe account identifiers, invoice and subscription identifiers, customer names and emails where present in Stripe, email delivery and engagement events, recovery status, and billing metadata.
  • Stripe stores: payment methods, raw card numbers, CVCs, bank details, payouts, disputes, refunds, and the actual payment attempts.
  • Customer recovery flow: a branded recovery email sends the customer to a PayDam-signed recovery page, and the action on that page opens Stripe Billing Portal, where the customer adds, removes, or updates their payment method directly in Stripe. PayDam tracks whether the customer reached the recovery flow and whether Stripe later reports the invoice as paid.

No raw card data handled

Card updates happen through Stripe Billing Portal. Raw card numbers, CVCs, and bank details do not touch PayDam infrastructure.

Webhook signature verification

Stripe webhooks are verified by signature before PayDam processes them. OAuth connections receive events through PayDam's platform-level Stripe Connect webhook. Restricted-key connections register a webhook on the connected Stripe account and store the signing secret for that endpoint.
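The check described above, written out as an added illustration (this is not PayDam's code). It implements Stripe's documented Stripe-Signature scheme: the header carries a timestamp and one or more v1 values, each an HMAC-SHA256 over "<timestamp>.<raw body>" keyed with the endpoint's signing secret; the receiver recomputes that HMAC, compares in constant time, and rejects stale timestamps to limit replay. The secret, event body and timestamp below are constructed sample values, and the function names are this example's own.

```python
"""
Stripe webhook signature verification, done by hand with the standard library.

Added illustration, not PayDam's code. Scheme (as documented by Stripe):
    Stripe-Signature: t=<unix ts>,v1=<hex hmac-sha256>[,v1=<hex hmac-sha256>]
    signed payload   = "<unix ts>." + raw request body
    key              = the endpoint's signing secret (whsec_...)
"""
import hashlib
import hmac
import time
from typing import List, Optional, Tuple


class SignatureVerificationError(Exception):
    """Raised when a webhook cannot be authenticated; the event must be dropped."""


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Split the Stripe-Signature header into its timestamp and all v1 signatures."""
    timestamp: Optional[int] = None
    signatures: List[str] = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1" and value:
            signatures.append(value)
    if timestamp is None or not signatures:
        raise SignatureVerificationError("malformed Stripe-Signature header")
    return timestamp, signatures


def compute_signature(secret: str, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' with the endpoint signing secret."""
    signed_payload = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(payload: bytes, header: str, secret: str,
                   tolerance: int = 300, now: Optional[int] = None) -> bool:
    """Return True for an authentic, fresh event; raise on any failure.

    `payload` must be the raw request bytes: re-serialised JSON will not match.
    """
    timestamp, signatures = parse_signature_header(header)
    expected = compute_signature(secret, timestamp, payload)
    # Constant-time comparison against every v1 value; Stripe may send more
    # than one while an endpoint's secret is being rotated.
    if not any(hmac.compare_digest(expected, sig) for sig in signatures):
        raise SignatureVerificationError("no matching v1 signature")
    current = now if now is not None else int(time.time())
    if abs(current - timestamp) > tolerance:
        raise SignatureVerificationError("timestamp outside tolerance (possible replay)")
    return True


def is_valid_webhook(payload: bytes, header: str, secret: str,
                     tolerance: int = 300, now: Optional[int] = None) -> bool:
    """Boolean wrapper around verify_webhook for callers that prefer not to catch."""
    try:
        return verify_webhook(payload, header, secret, tolerance, now)
    except SignatureVerificationError:
        return False


def sign_for_test(payload: bytes, secret: str, timestamp: int) -> str:
    """Build a header the way Stripe would; only used to exercise the verifier."""
    return f"t={timestamp},v1={compute_signature(secret, timestamp, payload)}"


# Constructed sample values (not real Stripe secrets, events or identifiers).
SAMPLE_SECRET = "whsec_example_signing_secret"
SAMPLE_BODY = b'{"id":"evt_example","type":"invoice.paid","data":{"object":{"id":"in_example"}}}'
SAMPLE_TS = 1_700_000_000

if __name__ == "__main__":
    hdr = sign_for_test(SAMPLE_BODY, SAMPLE_SECRET, SAMPLE_TS)
    print("genuine :", is_valid_webhook(SAMPLE_BODY, hdr, SAMPLE_SECRET, now=SAMPLE_TS + 10))
    print("tampered:", is_valid_webhook(SAMPLE_BODY + b" ", hdr, SAMPLE_SECRET, now=SAMPLE_TS + 10))
    print("replayed:", is_valid_webhook(SAMPLE_BODY, hdr, SAMPLE_SECRET, now=SAMPLE_TS + 3600))
```

Two points matter in practice: the HMAC must be computed over the exact bytes received (reading the body through a JSON parser and re-encoding it silently changes whitespace and key order, so genuine events fail), and each connected account's endpoint has its own signing secret, which is why a restricted-key connection must store the secret for the endpoint it registered rather than reuse a platform-wide one.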

Sub-processors and DPA

The current sub-processor list is published at /legal/sub-processors. The Data Processing Agreement is published at /legal/dpa. Both pages include change terms and the data-processing posture for merchant customer data.

Data retention

Active account and workspace data is retained while the account is active. When an account is deleted, PayDam soft-deactivates it, and the data-retention job hard-purges the tenant's rows after 30 days, subject to backups, legal holds, billing records, security logs, tax records, and other permitted retention described in the Privacy Policy.

Disclosure and vulnerability reporting

Security reports go to security@paydam.app. The public disclosure policy, scope, and reporting expectations are published at /docs/security. We target an initial response within 48 hours.


Related links

  • Privacy Policy
  • Data Processing Agreement
  • Sub-processors
  • Disclosure policy
  • Report a vulnerability
PayDam is a product of Paldam LLC.
2108 N St, Ste N, Sacramento, CA 95816
support@paydam.app
© 2026 Paldam LLC. All rights reserved.