Security at Sezvo

Bank-grade security isn't a marketing line — it's a stack of overlapping controls audited by our regulators, our card networks, and an independent CREST-accredited firm. This page explains how each layer works.

Effective 2026-04-01

01 · Authentication

  • 2FA mandatory for any sign-in from a new device
  • Biometric authentication on iOS/Android — Face ID, Touch ID, or fingerprint
  • Hardware security keys (FIDO2) supported as the second factor on Plus and Metal
  • Step-up auth — any high-risk action (new payee over £10k, password change, profile edits) prompts a second confirmation
  • Session binding — tokens are device-bound and short-lived (24h refresh, 30-day idle expiry)

02 · Encryption

  • TLS 1.3 with HSTS preload for all production traffic
  • AES-256 at rest for everything we store
  • Cardholder data tokenised at the rail — we never see the PAN
  • Application-level encryption for KYC documents
  • Keys rotated annually; key management via HashiCorp Vault

03 · Fraud monitoring

Every transaction passes through a real-time risk engine that scores the merchant, the device, the location, and the historical pattern of the cardholder. Suspicious activity is paused for a step-up confirmation. We staff a 24/7 fraud-operations team and return funds within 24 hours for any unauthorised transaction you flag in-app.

04 · Deposit protection

  • EU: deposit-guarantee schemes protect eligible deposits up to €100,000 per depositor
  • EU: FSGS (Germany) protects eligible deposits up to €100,000
  • Investments: investor-compensation cover up to €22,000 on the cash element
  • Crypto: not covered by any guarantee scheme; held in cold storage by a regulated digital-asset custodian
  • Funds are segregated from Sezvo's operating capital and reconciled daily

05 · Independent assurance

  • SOC 2 Type II — annual audit, report available on request under NDA
  • PCI-DSS Level 1 — recertified annually
  • Penetration testing — twice yearly by a CREST-accredited firm, with a public summary letter
  • ISO 27001 — certification in progress, expected Q4 2026

06 · Responsible disclosure

We run a bug-bounty programme on HackerOne. If you believe you have found a security issue, please email security@sezvo.com with steps to reproduce. We respond within one business day, acknowledge severity within five, and reward eligible findings up to €25,000.