# Razorpay Security

As a financial service provider, we take utmost care of the data you provide us. If you'd like to know more about how to best secure your business and integrate with Razorpay securely, see the following links:

## Compliance

We run our business with the strictest data security practices. As a payment service provider dealing with card data, we carry the following certifications:

- [PCI-DSS Level 1](https://seal.panaceainfosec.com/index.php?certid=CERTD5F9E9AA65)
- [ISO 27001:2013 IEC](https://seal.controlcase.com/index.php?page=showCert&cId=2922528603)
- SOC2

We provide copies of our certifications on request to our Enterprise customers. Please reach out via your Key Account Manager.

## Business Security Checklist

Our business security checklist offers a guide on how Razorpay Merchants can do their part in securing their online transactions. Each item on the checklist is a question that can be answered with a yes or a no. You can find the checklist [here](/docs/security/checklist).

## Encryption

- All Razorpay services are served under TLS and configured with industry-standard ciphers.
- A copy of our TLS certificates for organizations is available at https://razorpay.com/docs/whitelists/.
- We follow industry-standard AES 128-bit encryption at rest for all user data.
- Sensitive data, such as PII, uses field-level encryption.

## Authentication

Requests to the Razorpay API are authenticated using [Basic Authentication](https://razorpay.com/docs/api/#api-authentication).

## Firewall

If you'd like to limit or authenticate ingress/egress to Razorpay, we provide a [list of IP addresses][allowlist] that can be used for the following purposes:

- Making requests to the Razorpay API
- IP addresses used by Razorpay webhooks

## Fraud and Risk

We have robust fraud detection processes that identify fraudulent charges and flag them for review.

[allowlist]: https://razorpay.com/docs/whitelists/
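The webhook side of the allowlist described under Firewall, as an added example (not Razorpay code): a receiver-side source check that fails closed and ignores `X-Forwarded-For` unless the connection comes from your own proxy. The CIDR ranges are constructed documentation-range placeholders, and the function names and trusted-proxy range are assumptions; take the real ranges from the allowlist page.

```python
import ipaddress

# Constructed placeholders (RFC 5737 / RFC 3849 documentation ranges).
# Replace with the ranges published on the allowlist page.
WEBHOOK_ALLOWLIST = ["192.0.2.0/28", "198.51.100.17/32", "2001:db8:10::/48"]
# Assumption: our own load balancers sit in this range.
TRUSTED_PROXIES = ["10.0.0.0/8"]


def _nets(cidrs):
    # strict=True rejects entries with host bits set, catching typos early
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def _parse(addr):
    ip = ipaddress.ip_address(addr.strip())
    # Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) seen on dual-stack sockets
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def _in(ip, nets):
    return any(ip.version == n.version and ip in n for n in nets)


def client_ip(peer_addr, xff_header=None, trusted=TRUSTED_PROXIES):
    """Resolve the real sender: walk X-Forwarded-For right to left,
    stepping past a hop only when the current address is a trusted proxy."""
    trusted_nets = _nets(trusted)
    ip = _parse(peer_addr)
    hops = [h for h in (xff_header or "").split(",") if h.strip()]
    while _in(ip, trusted_nets) and hops:
        ip = _parse(hops.pop())
    return ip


def is_allowed_webhook_source(peer_addr, xff_header=None,
                              allowlist=WEBHOOK_ALLOWLIST):
    try:
        ip = client_ip(peer_addr, xff_header)
    except ValueError:
        return False  # malformed address anywhere in the chain: fail closed
    return _in(ip, _nets(allowlist))
```
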