
Security & Compliance

Security Practices

  • All API communication is encrypted in transit via TLS 1.3.
  • API keys are hashed before storage and never returned in plaintext after creation.
  • Webhook payloads are signed with HMAC-SHA256 for origin verification.
  • Tavio uses HSMs (Hardware Security Modules) for private key management of custodial Stellar accounts.
  • Soroban smart contracts are audited by independent security firms prior to mainnet deployment.
  • Tavio operates on Stellar Mainnet only; no signing keys are shared with test environments.
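The webhook signing practice above is the one item in this list that a merchant has to act on: a signature only protects the endpoint if the receiver actually checks it, over the raw bytes, in constant time, before parsing the payload. The following is an added example of such a receiver-side check; it is not Tavio's own code or SDK. The page does not say how the tag is transported, so the header name `X-Tavio-Signature`, the hex encoding, the webhook secret and the event body below are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumed header name and encoding: the page only states that payloads are
# HMAC-SHA256 signed, not how the tag is carried. Adjust to the real contract.
SIGNATURE_HEADER = "X-Tavio-Signature"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body (models the sender side)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, headers: dict) -> bool:
    """Constant-time check of the transported tag against the raw body."""
    provided = headers.get(SIGNATURE_HEADER)
    if not isinstance(provided, str) or not provided:
        return False
    expected = sign_payload(secret, body)
    try:
        # compare_digest does not short-circuit on the first differing byte,
        # so an attacker cannot recover the tag through timing differences.
        return hmac.compare_digest(expected, provided)
    except TypeError:
        # compare_digest rejects non-ASCII str input; treat that as a bad tag
        return False


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict) -> Optional[dict]:
    """Verify first, parse second. Returns the event dict, or None if rejected."""
    if not verify_signature(secret, raw_body, headers):
        return None
    # Parse only after the bytes are authenticated; never re-serialise the
    # JSON before verifying, since that changes the bytes under the tag.
    return json.loads(raw_body)


# Constructed sample data for the example, not real Tavio keys or events.
WEBHOOK_SECRET = b"whsec_example_secret_not_real"
SAMPLE_BODY = b'{"id":"evt_001","type":"payment.succeeded","amount":"25.00","asset":"USDC"}'
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign_payload(WEBHOOK_SECRET, SAMPLE_BODY)}


if __name__ == "__main__":
    event = handle_webhook(WEBHOOK_SECRET, SAMPLE_BODY, SAMPLE_HEADERS)
    print("genuine event accepted:", event is not None)

    tampered = SAMPLE_BODY.replace(b'"25.00"', b'"2500.00"')
    print("tampered event accepted:",
          handle_webhook(WEBHOOK_SECRET, tampered, SAMPLE_HEADERS) is not None)
```

Two details in the example matter in practice. The body passed to `verify_signature` must be the exact bytes received on the wire; a framework that has already decoded the JSON will hand you an object whose re-serialisation differs in whitespace or key order, and the tag will never match. And the comparison uses `hmac.compare_digest` rather than `==`, because a plain string comparison returns as soon as one byte differs and can leak the tag to a network attacker one byte at a time.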

KYC & AML

Tavio performs KYC (Know Your Customer) verification for merchants above certain transaction thresholds and for all on/off ramp users, in compliance with applicable financial regulations. AML transaction monitoring is applied to all payment flows.
  • Merchant KYC: Required for accounts exceeding $10,000/month in processing volume.
  • On/Off Ramp KYC: Required for all users initiating fiat conversion flows.
  • AML screening: Real-time screening against OFAC, UN, and EU sanctions lists.

PCI DSS

Tavio’s hosted checkout (Tavio Gateway) is PCI DSS Level 1 compliant. Card data is never transmitted through or stored on merchant servers when using the hosted checkout flow.