What we protect, how, and what we have not built yet.
PayHQ handles supplier invoices and bank details for finance teams. This is the single place your security, legal, and procurement reviewers can self-serve — including an honest account of the controls we have not finished.
Who operates PayHQ
PayHQ is operated by FIT PUP LTD, a company registered in England & Wales (company no. 15766852, VAT GB469891911), registered with the ICO under ZC064795. We are a small team building toward a first pilot.
Governance, stated plainly
At our current size we do not run a 24×7 security operations centre; incident response runs through the engineering on-call rota. We have not yet appointed a formal Data Protection Officer — data-protection responsibility sits with the founding team and is reachable at [email protected]. We will appoint a DPO before we onboard production customers at scale.
Find your lane
Evaluating PayHQ for procurement
You want the short posture summary and the honest gaps.
Security Status →Filling in a vendor security questionnaire
You want our controls, mappings, and a downloadable self-assessment.
CAIQ self-assessment →Drafting or reviewing a DPA
You want our processor terms, sub-processors, and transfer position.
Data Processing Agreement →Auditing our supply chain
You want every third party that can touch data, and where it sits.
Sub-processors →Reporting a vulnerability
You want our disclosure policy, scope, and safe-harbour position.
Disclosure policy →Compliance posture at a glance
We use the exact word for each state. “Readiness” is not “certified”; “working toward” is not “compliant”. The Security Status page carries the control-by-control detail, and the Security Roadmap is the single register of what is not done.
| Framework | Position | State | Note |
|---|---|---|---|
| UK GDPR & DPA 2018 | Working toward | Partial | Registered with the ICO (ZC064795). Processor by default on the main data path; DPA, Privacy Notice, and records of processing are being formalised. |
| EU GDPR | In scope for EU customers | Partial | Applies extraterritorially (Art. 3(2)) for EU customers such as the Swedish pilot; intended to be addressed via EU SCCs and the UK IDTA/Addendum. The EU controller → UK processor → US sub-processor transfer chain is still being confirmed with counsel before signing (see the DPA). |
| ISO/IEC 27001:2022 | Readiness, not certified | Planned | Readiness work underway (gap assessment against the standard); not a completed or audited programme. Physical controls inherited from Hetzner. Not currently certified. |
| CSA CAIQ v4 | Self-assessment | Partial | Published per-domain self-assessment with a downloadable copy — not an audit. |
| SOC 2 | Not audited | Planned | Gated on first US enterprise demand. |
| NIS2 | Not directly in scope | Not applicable | We are a UK entity and not an in-scope operator. These artefacts help EU customers discharge their own Art. 21(2)(d) supply-chain diligence about us. |
| PCI DSS | Not applicable | Not applicable | We process bank-account identifiers, never cardholder data. |
| PSD2 / FCA authorisation | Out of scope | Not applicable | Not a payment service provider; we never initiate, hold, or move funds. |
Working with us
- We will complete your security questionnaire — or point you at our CAIQ self-assessment if that is faster.
- We sign a Data Processing Agreement; the template is published in full.
- Everything here is public and un-gated, so your security, legal, and procurement teams work from the same source. Our working risk register (the public risk IDs map to it) and other internal detail are shared under NDA, and our formal ISMS documents — including the Statement of Applicability, still in progress — are shared as they mature.
Security: [email protected] · Privacy: [email protected] · General: [email protected]