useroutr
Legal

Security at Useroutr

How we protect the payment infrastructure you depend on — architecture, controls, audits, and the responsibilities we share with you.

Last updated · May 1, 2026
[01]

On-chain settlement, managed keys by default

Settlement happens on-chain. Payments and payouts move directly through the underlying networks (Stellar, Visa Direct, ACH, MoneyGram, etc.) from payer to your settlement destination — the funds never sit on a Useroutr balance sheet.

By default, Useroutr provisions and manages a Stellar settlement wallet on your behalf so you can accept payments from day one. The private key for that wallet is encrypted at rest under a KEK held in a managed secrets store, used only to forward funds to you. You can withdraw the balance to a wallet you control at any time, and you can upgrade to a self-custody settlement wallet (passkey or bring-your-own) whenever you choose.

Funds and payouts still move directly via the underlying networks (Stellar, Visa Direct, ACH, MoneyGram, etc.) — Useroutr is the orchestrator, not the destination. Our infrastructure routes, observes, and reconciles — it does not hold balances.

This architecture reduces the blast radius of any compromise: there’s no honey pot of customer funds at Useroutr to steal.

[02]

Encryption in transit & at rest

  • All traffic between your systems and Useroutr is protected with TLS 1.3 and modern cipher suites. HTTP-only endpoints are rejected.
  • Data at rest in our primary databases and object storage is encrypted with AES-256, with keys managed in AWS KMS and rotated annually.
  • Sensitive fields (API secrets, signing keys, KYB documents) are additionally encrypted at the application layer with envelope encryption.
[03]

Access controls

Engineer access to production systems is granted on a least-privilege basis, requires hardware-key MFA, and is audited via SSH/console session logs. Production secrets are never stored on developer laptops.

Internal access changes whenever an employee’s role changes or they leave the company. Quarterly access reviews are run by our security team and signed off by the relevant manager.

[04]

Audits & certifications

Useroutr is currently completing its SOC 2 Type II audit. Until the report is available, customers under NDA can request the observation period and any control summaries from our security team.

Annual third-party penetration tests of our application and infrastructure are conducted by an independent firm. Executive summaries are available on request.

[05]

Network & infrastructure

The Useroutr platform runs on AWS in geographically separated regions with multi-AZ failover for stateful services. Traffic is fronted by a WAF that rate-limits and filters common attack patterns.

Background jobs, webhook delivery, and reconciliation run in private subnets without inbound public access. Egress is restricted to allow-listed payment networks and core service dependencies.

[06]

Vulnerability disclosure

We welcome reports from independent researchers. If you believe you’ve found a vulnerability in the Useroutr platform, email security@useroutr.com with the details. We will acknowledge within one business day and work with you in good faith to triage and remediate.

We do not currently operate a paid bug bounty program but we maintain a public hall of fame for verified reports.

[07]

Incident response

Useroutr maintains a documented incident-response plan covering detection, containment, eradication, recovery, and post-incident review. We will notify affected customers without undue delay when a confirmed incident materially impacts the security or availability of the Services.

[08]

Customer responsibilities

  • Treat API keys like passwords. Never embed them client-side.
  • Rotate keys regularly and remove access when team members leave.
  • Verify webhook signatures using the secret in your dashboard before acting on any event payload.
  • Use hardware security or MPC for any wallet you connect as a settlement destination.
  • Enable MFA for every user in your Useroutr dashboard.