Forthwell Pay
Security
Last updated July 14, 2026
This page is maintained by Forthwell Pay to answer common security questions about the Platform. It describes current, enabled controls. It is not a certification and is not a substitute for the Bank Partner's own vendor due diligence.
Shared responsibility
- Forthwell Pay operates the software platform, the hosting environment, and application-level controls.
- Your Bank Partner provides banking services (accounts, funds movement, dispute handling) and applies its own information-security program to those services.
- You control your users, credentials, and the data you enter into the Platform.
Access and authentication
- Business customers sign in through the Platform's authentication system. Sensitive data is protected by row-level access rules so a business only sees its own records.
- Bank administrators have a separate, scoped view over their sponsored businesses.
- Administrative access to production systems is limited to authorized Forthwell Pay personnel and logged.
Encryption
- Traffic to the Platform is served over HTTPS/TLS.
- Data at rest is stored on managed cloud infrastructure with provider-managed encryption at rest.
- Bank account references shown in the product are masked; full account numbers are never displayed.
Data segregation
Customer data is logically separated by tenant (Bank Partner) and by business. Row-level access rules are enforced in the database so that queries can only return records the requesting user is authorized to see.
Monitoring and logging
- Application and infrastructure logs are collected for reliability and security review.
- Errors are captured with automated reporting so we can respond quickly.
- Automated dependency and configuration scanning runs against the project.
Incident response
If Forthwell Pay identifies a security incident affecting customer data, we will notify the affected Bank Partner without undue delay and support the Bank Partner's own customer-notification obligations. Business customers should also contact their Bank Partner directly for guidance on any incident affecting banking services.
Reporting a vulnerability
If you believe you have found a security vulnerability, please email info@forthwellpay.com with details and steps to reproduce. Please do not publicly disclose an issue before we have had a reasonable opportunity to investigate and remediate.
What we do not claim
- Forthwell Pay does not claim SOC 2, ISO 27001, PCI DSS, HIPAA, or similar certification on this page. If your Bank Partner requires evidence of a specific control framework, contact us and we will coordinate through the Bank Partner's vendor management process.
- No system is perfectly secure. Nothing on this page is a warranty; see the Terms of Service for applicable disclaimers.
Contact
Forthwell Pay — info@forthwellpay.com