OpenSettle's security model starts with one architectural choice: funds never enter our control. Everything below — keys, signatures, rate limits, residency — protects metadata and access, not money. This page is the engineering-facing summary; the marketing-facing certifications and policies live at /security.
Our Router contract performs an atomic split in a single transaction: in, out to merchant, fee to OpenSettle, done. There is no balance held between transactions, no intermediate pool, no admin upgrade path on the settlement function. The contracts have been audited by Trail of Bits (2025) and Spearbit (2025); reports are public on github.com/opensettle/audits. A successful breach of OpenSettle's infrastructure cannot move merchant funds — only metadata is at stake.
Every webhook carries an Opensettle-Signature header with a timestamp and HMAC-SHA256 over the raw body. Verify it with a constant-time compare and a 5-minute timestamp tolerance — see the Webhooks page for the reference verifier. Endpoint signing secrets are rotatable with a configurable grace period.
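An added example of the receiving side, not the reference verifier from the Webhooks page. This page only states that the header carries a timestamp and an HMAC-SHA256 over the raw body; the header layout (`t=<unix seconds>,v1=<hex>`), the signed string `"<t>.<body>"` (binding the timestamp into the MAC so the tolerance window actually defeats replay), and the `whsec_` secret names are assumptions for illustration. It also shows the rotation grace period: the verifier accepts a delivery signed with either the current or the previous endpoint secret, and every comparison is constant-time.

```python
from __future__ import annotations

import hashlib
import hmac
import time

# Assumed header layout (not specified on this page): "t=<unix seconds>,v1=<hex hmac>[,v1=<hex hmac>]".
# Assumed signed string: "<t>.<raw body>", so the timestamp is bound into the MAC.
TOLERANCE_SECONDS = 300  # the 5-minute window the page specifies


def _parse_header(header: str) -> tuple[int, list[str]]:
    """Split the Opensettle-Signature value into (timestamp, [candidate signatures])."""
    timestamp = None
    sigs: list[str] = []
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError("malformed signature header")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            sigs.append(value)
    if timestamp is None or not sigs:
        raise ValueError("signature header missing t= or v1=")
    return timestamp, sigs


def sign(secret: str, timestamp: int, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 the sender is assumed to attach (same function is used to verify)."""
    msg = f"{timestamp}.".encode() + raw_body
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify(raw_body: bytes, header: str, secrets: list[str], now: float | None = None) -> bool:
    """True only if the delivery is fresh and matches one of the active secrets.

    `secrets` holds the current endpoint secret first and, during a rotation grace
    period, the previous one as well. Every compare is constant-time and there is no
    early return on a match, so timing does not reveal which candidate matched.
    Do not parse the body before this returns True.
    """
    try:
        timestamp, candidates = _parse_header(header)
    except ValueError:
        return False
    now = time.time() if now is None else now
    # Reject both stale and future-dated deliveries; this is what limits replay.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    ok = False
    for secret in secrets:
        expected = sign(secret, timestamp, raw_body).encode()
        for candidate in candidates:
            ok |= hmac.compare_digest(expected, candidate.encode())
    return ok


# Constructed sample: a delivery signed with the *previous* secret, as happens mid-rotation.
SAMPLE_BODY = b'{"id":"evt_123","type":"checkout.completed"}'
SAMPLE_T = 1_700_000_000
OLD_SECRET, NEW_SECRET = "whsec_old", "whsec_new"
SAMPLE_HEADER = f"t={SAMPLE_T},v1={sign(OLD_SECRET, SAMPLE_T, SAMPLE_BODY)}"

if __name__ == "__main__":
    print(verify(SAMPLE_BODY, SAMPLE_HEADER, [NEW_SECRET, OLD_SECRET], now=SAMPLE_T + 60))   # True: inside grace period
    print(verify(SAMPLE_BODY, SAMPLE_HEADER, [NEW_SECRET], now=SAMPLE_T + 60))               # False: old secret retired
    print(verify(SAMPLE_BODY, SAMPLE_HEADER, [NEW_SECRET, OLD_SECRET], now=SAMPLE_T + 600))  # False: outside 5 minutes
```

Always feed `verify` the exact bytes received; re-serialising parsed JSON changes whitespace and key order and the HMAC will not match.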
Keys come in three classes. Restricted keys are the strongly recommended default for any backend that doesn't need to issue refunds or manage subscriptions.
Prefix       Class        Use
sk_live_…    secret       Full read+write. Server-side only.
rk_live_…    restricted   Per-resource scopes. Created in the dashboard.
pk_live_…    publishable  Front-end safe. Embeds checkout widgets.
# Restricted scope examples
checkouts:write Create and expire checkouts
payments:read Read payment objects
subscriptions:write Create/update/cancel subscriptions
refunds:write Create refunds (requires merchant signature)
webhook_endpoints:rw Manage endpoints + rotate secrets

Default limits are 100 requests/sec per account for read endpoints and 25/sec for write endpoints, with a burst budget of 5× the sustained rate for up to 10 seconds. RateLimit-* headers are sent on every response. Requests over the limit get a 429 with an explicit Retry-After in seconds; back off for at least that long before retrying rather than retrying immediately. Higher sustained limits are available on Scale and Enterprise plans.
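An added client-side example, not OpenSettle SDK code, of how a backend should react to the limits above: honour `Retry-After` on a 429 (capped, so a bad header cannot stall a worker), fall back to jittered exponential backoff when it is absent or on a 5xx, and use the remaining-budget header to pace the next call proactively. The page only says "RateLimit-*", so the exact header names (`RateLimit-Limit`, `RateLimit-Remaining`, `RateLimit-Reset` in seconds, per the IETF draft) are an assumption, and the HTTP client is replaced by a scripted stand-in with constructed responses so the example runs offline.

```python
from __future__ import annotations

import random
import time
from dataclasses import dataclass, field
from typing import Callable

# Assumed header names (the page only says "RateLimit-*"); these follow the IETF RateLimit draft.
MAX_ATTEMPTS = 5
MAX_SLEEP = 30.0  # never honour an absurd Retry-After blindly


@dataclass
class Response:
    """Minimal stand-in for an HTTP response; only status and headers matter here."""
    status: int
    headers: dict[str, str] = field(default_factory=dict)


def retry_delay(resp: Response, attempt: int) -> float | None:
    """Seconds to wait before retrying, or None if the response must not be retried.

    429 with a numeric Retry-After: honour it exactly, capped at MAX_SLEEP.
    429 without it, or any 5xx: exponential backoff with full jitter.
    Anything else (2xx, 4xx): return the response to the caller as-is.
    """
    if resp.status == 429:
        ra = resp.headers.get("Retry-After")
        if ra is not None and ra.strip().isdigit():
            return min(float(ra), MAX_SLEEP)
    elif resp.status < 500:
        return None
    return min(MAX_SLEEP, random.uniform(0, 2 ** attempt))


def throttle_hint(resp: Response) -> float:
    """Proactive pacing: seconds to pause before the *next* call when the window's
    remaining budget is exhausted, 0 otherwise. Avoids earning a 429 in the first place."""
    try:
        remaining = int(resp.headers.get("RateLimit-Remaining", "1"))
        reset = float(resp.headers.get("RateLimit-Reset", "0"))
    except ValueError:
        return 0.0
    return reset if remaining <= 0 else 0.0


def call_with_backoff(send: Callable[[], Response], sleep=time.sleep) -> Response:
    """Run `send` until it succeeds or retries are exhausted; `sleep` is injectable for tests."""
    for attempt in range(MAX_ATTEMPTS):
        resp = send()
        delay = retry_delay(resp, attempt)
        if delay is None:
            pause = throttle_hint(resp)
            if pause:
                sleep(pause)
            return resp
        sleep(delay)
    return resp  # still a 429/5xx after MAX_ATTEMPTS; the caller decides what to do


def _scripted(responses: list[Response]) -> Callable[[], Response]:
    """Constructed stand-in for the HTTP client: hands out the scripted responses in order."""
    it = iter(responses)
    return lambda: next(it)


def demo() -> tuple[int, list[float]]:
    """Constructed sequence: a 429 with Retry-After, a 429 without, then a 200.
    Returns (final status, the sleeps the client performed)."""
    slept: list[float] = []
    script = [
        Response(429, {"Retry-After": "2", "RateLimit-Limit": "25",
                       "RateLimit-Remaining": "0", "RateLimit-Reset": "2"}),
        Response(429, {}),
        Response(200, {"RateLimit-Limit": "25", "RateLimit-Remaining": "24",
                       "RateLimit-Reset": "1"}),
    ]
    random.seed(0)  # deterministic jitter for the demo only
    resp = call_with_backoff(_scripted(script), sleep=slept.append)
    return resp.status, slept


if __name__ == "__main__":
    print(demo())  # (200, [2.0, <jittered value below 2.0>])
```

Keep write-endpoint calls that are not idempotent (checkout creation, refunds) behind an idempotency key before wrapping them in a retry loop; a retried request that succeeded on the first attempt otherwise creates a duplicate.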
The edge runs on Cloudflare with bot management and L7 rate shaping. The hosted checkout origin is fronted by an additional WAF that drops any request without a valid checkout-session cookie before it reaches application code. We withstood a 410 Gbps L3/L4 attack in late 2025 with no merchant impact.
Customer PII (email, name, billing address) is stored in the region you select at account creation: US (us-east-1, us-west-2), EU (eu-west-1, eu-central-1), or APAC (ap-southeast-1). On-chain data is public by definition and is not subject to residency. Cross-region replication is opt-in for disaster recovery; default is in-region only.
SOC 2 Type II report covering Security, Availability, and Confidentiality is renewed annually; the current report (period ending Feb 2026) is available under NDA from the Trust Center. ISO 27001 certification audit is scheduled for Q3 2026. We are not a Money Services Business in any jurisdiction we operate in — non-custody keeps us out of MSB scope.
Report vulnerabilities to security@opensettle.com; the PGP key is on the /security page. Triage acknowledgement within 24h, a fix or mitigation timeline within 72h, and public disclosure coordinated with the reporter.