Security & Responsible Disclosure
Last updated: 8 May 2026 · Operated by Nova Skill Edge Limited
Security is foundational to Paycloud. This page describes the technical safeguards we apply to the website and the process for reporting a security issue to us.
Our security posture
Paycloud follows OWASP best-practice guidance for public-facing web applications:
- HTTPS-only — enforced via HSTS with a 2-year max-age, includeSubDomains, and preload eligibility.
- Strict CSP — first-party scripts and styles only, plus narrowly allowlisted Google Fonts origins; no third-party advertising or analytics.
- Clickjacking protection — X-Frame-Options: DENY plus CSP frame-ancestors 'none'.
- MIME-sniff blocking — X-Content-Type-Options: nosniff.
- Permissions hardening — camera, microphone, geolocation, payment, and USB APIs denied by default via Permissions-Policy.
- Cross-origin isolation — Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Resource-Policy: same-origin, as a mitigation against Spectre-class attacks.
- Email authentication — outbound mail from paycloud.money is signed with DKIM and aligned via SPF and DMARC, in line with the 2024 Gmail / Yahoo / Microsoft sender requirements.
- No third-party trackers — no Google Analytics, no behavioural tracking, no fingerprinting.
- No PII in client storage — localStorage is used only for the user's theme and language preferences.
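The header posture above is a testable contract, and it is worth checking on every deploy rather than trusting the hosting configuration. The following is an added example written for this page, not Paycloud's own code: an offline checker that parses a set of HTTP response headers and verifies each point of the list (HSTS lifetime and directives, CSP source allowlists and frame-ancestors, the Permissions-Policy denials, COOP and CORP). The two Google Fonts origins are an assumption about what "narrowly allowlisted Google Fonts" means, and both sample header sets are constructed for the example; the weak set shows the kinds of regressions a release review would catch.

```python
"""Offline checker for the response-header policy listed above.

Added example, not Paycloud's code. The sample header sets below are
constructed by hand; the Google Fonts origins are an assumption about
what "narrowly allowlisted Google Fonts" means in the policy.
"""
import re

ASSUMED_FONT_ORIGINS = {"https://fonts.googleapis.com", "https://fonts.gstatic.com"}
TWO_YEARS = 2 * 365 * 24 * 3600  # 63072000 seconds, the stated HSTS max-age
DENIED_FEATURES = ("camera", "microphone", "geolocation", "payment", "usb")


def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; a repeated directive is ignored, as browsers do."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_permissions_policy(value):
    """Parse 'camera=(), geolocation=(self)' into {feature: allowlist string}."""
    policy = {}
    for item in value.split(","):
        if "=" in item:
            feature, allow = item.split("=", 1)
            policy[feature.strip().lower()] = allow.strip()
    return policy


def check_headers(headers):
    """Return {check_name: passed} for a dict of response headers (names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    results = {}

    # HSTS: at least the stated two-year max-age, plus includeSubDomains and preload
    # (the preload list additionally requires both directives to be present).
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    directives = {d.strip().lower() for d in hsts.split(";")}
    results["hsts"] = (bool(m) and int(m.group(1)) >= TWO_YEARS
                       and "includesubdomains" in directives and "preload" in directives)

    # CSP: scripts first-party only, styles/fonts first-party or allowlisted, frame-ancestors 'none'.
    csp = parse_csp(h.get("content-security-policy", ""))

    def only_allowed(directive, extra=()):
        sources = csp.get(directive)
        return sources is not None and all(s == "'self'" or s in extra for s in sources)

    results["csp_script_src"] = only_allowed("script-src")
    results["csp_style_src"] = only_allowed("style-src", ASSUMED_FONT_ORIGINS)
    results["csp_font_src"] = only_allowed("font-src", ASSUMED_FONT_ORIGINS)
    results["csp_frame_ancestors"] = csp.get("frame-ancestors") == ["'none'"]

    results["x_frame_options"] = h.get("x-frame-options", "").strip().upper() == "DENY"
    results["nosniff"] = h.get("x-content-type-options", "").strip().lower() == "nosniff"

    # Permissions-Policy: every listed feature must have an empty allowlist, i.e. denied for all origins.
    pp = parse_permissions_policy(h.get("permissions-policy", ""))
    results["permissions_policy"] = all(pp.get(f) == "()" for f in DENIED_FEATURES)

    results["coop"] = h.get("cross-origin-opener-policy", "").strip().lower() == "same-origin"
    results["corp"] = h.get("cross-origin-resource-policy", "").strip().lower() == "same-origin"
    return results


def failures(headers):
    """Sorted names of the checks that did not pass; an empty list means the posture holds."""
    return sorted(name for name, ok in check_headers(headers).items() if not ok)


# Constructed sample: a header set that satisfies every point of the posture above.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self'; "
                                "style-src 'self' https://fonts.googleapis.com; "
                                "font-src 'self' https://fonts.gstatic.com; frame-ancestors 'none'"),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=(), usb=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
}

# Constructed sample of typical regressions: one-year HSTS without preload, a third-party
# script origin (hypothetical host), frame-ancestors dropped, geolocation left at its default.
WEAK_HEADERS = dict(GOOD_HEADERS, **{
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' https://cdn.example.com; "
                                "style-src 'self' https://fonts.googleapis.com; "
                                "font-src https://fonts.gstatic.com"),
    "Permissions-Policy": "camera=(), microphone=(), payment=(), usb=()",
})

if __name__ == "__main__":
    print("good:", failures(GOOD_HEADERS))
    print("weak:", failures(WEAK_HEADERS))
```

In practice the header dict comes from a real response (for example `requests.get(url).headers`, which is already case-insensitive); the checker is kept offline here so the sample sets are the only input. Note that a duplicated CSP directive is ignored rather than merged, matching browser behaviour, so a second `script-src` added later in the header cannot silently widen the policy.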
Production roadmap
Before any production payment processing, the Paycloud platform will operate under SOC 2 Type II controls and applicable payment-services and crypto-asset licences in each jurisdiction we serve, including, where relevant, the United Kingdom FCA Electronic Money Institution (EMI) framework and crypto-asset registration regime under the Money Laundering Regulations 2017, the European EMI framework and Markets in Crypto-Assets (MiCA) regulation, and equivalent regimes in the United States, Brazil, and Mexico.
Responsible disclosure
Found a security issue? Please report it privately to security@paycloud.money. We will not pursue legal action against good-faith researchers who follow this policy.
What's in scope
- paycloud.money and any subdomain we operate (currently the apex only).
- Email addresses on the paycloud.money domain.
What's out of scope
- Findings that require physical access to a user's device or social engineering of staff.
- Denial-of-service attacks or volumetric load tests of any kind.
- Issues in third-party services we use (e.g., Netlify, Google Workspace) — please report those directly to the relevant provider.
- Reports based purely on missing best-practice headers without a demonstrated impact.
- Spam, phishing, or social-engineering attempts impersonating Paycloud that originate outside our infrastructure (please report these to security@paycloud.money for tracking, but they fall outside our remediation scope).
What to include in your report
- A clear, concise description of the issue and where it was found (URL, parameter, request).
- Steps to reproduce, with sample requests or a proof-of-concept where possible.
- Impact assessment from your perspective.
- Your name or handle if you would like to be credited; otherwise we will treat the report as anonymous.
Our commitments
- We aim to acknowledge receipt within 48 hours, counted in UK business days.
- We aim to provide an initial triage assessment within 5 business days.
- We will keep you reasonably informed of progress until the issue is resolved.
- We will publicly credit you, with your permission, once a fix is deployed.
Safe harbour
Provided that your testing is consistent with this policy, follows applicable law (including the Computer Misuse Act 1990), and is limited to in-scope assets, Nova Skill Edge Limited will:
- Consider your activity authorised under our terms of use, notwithstanding Section 4 (Acceptable use) of the Terms & Conditions.
- Not bring or support a private legal action against you in connection with that testing.
- Work with you in good faith to understand and resolve the issue quickly.
Safe harbour does not apply to testing that violates third-party rights, accesses or copies third-party data, or causes service degradation.
Contact
Nova Skill Edge Limited — Security Team
128 City Road, London, EC1V 2NX, United Kingdom
Email: security@paycloud.money