Security
Lyonl is designed to support PCI DSS-minded workflows: careful data handling, secure defaults, least privilege, and auditability. We do not claim PCI DSS certification without a third-party assessment.
Principles
Designed for payment-sensitive operations
- Minimize sensitive data exposure: avoid storing payment card details in application databases and logs.
- Secure defaults: strong security headers, secure cookie attributes, and consistent session handling.
- Least privilege: role boundaries and constrained staff operations.
- Auditability: operational logs and review-friendly staff actions.
Exact payment handling depends on your payment provider integration and configuration.
Data protection
Encryption and access controls
- Encryption in transit (TLS) and at rest, provided at the infrastructure layer where your deployment supports it.
- Secure session/cookie posture (HttpOnly, Secure, and SameSite attributes on session cookies) and CSRF protection on state-changing requests where relevant.
- Environment separation (staging vs production) to reduce operational risk.
- Secret management patterns that keep credentials out of source control (injected at deploy time rather than committed with the code).
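The cookie attributes and response headers named above are easy to state and easy to lose to a framework default. The check below is an added example written for this page, not Lyonl's own code: it audits a response's Set-Cookie values and security headers and returns a list of findings, so it can sit in a deployment smoke test. The header set it expects (HSTS with at least a one-year max-age, a Content-Security-Policy, X-Content-Type-Options: nosniff, clickjacking protection via frame-ancestors or X-Frame-Options, and a Referrer-Policy) is a common hardened baseline, not a list taken from the product, and the two sample responses are constructed.

```python
import re

# Constructed audit helper. The cookie and header values at the bottom are
# sample data for illustration, not captured from any real deployment.


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (cookie_name, attrs).

    attrs maps lowercased attribute names to their value, or True for
    flag attributes such as HttpOnly and Secure.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def cookie_findings(header_value):
    """Return a list of problems with one Set-Cookie header (empty if hardened)."""
    name, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (cookie readable from script)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (cookie sent over plaintext HTTP)")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append(f"{name}: missing SameSite (default varies by browser)")
    elif str(samesite).lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite={samesite} sends the cookie cross-site; use Lax or Strict")
    return findings


def header_findings(headers):
    """Return problems with the response's security headers (empty if hardened)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif int(hsts.group(1)) < 31536000:  # one year, the usual minimum
        findings.append("Strict-Transport-Security max-age is under one year")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    if "frame-ancestors" not in csp and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (CSP frame-ancestors or X-Frame-Options)")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    return findings


def audit_response(headers, set_cookies):
    """Combine header and cookie checks for one response."""
    findings = header_findings(headers)
    for cookie in set_cookies:
        findings.extend(cookie_findings(cookie))
    return findings


# Constructed sample responses: a weak default and a hardened one.
WEAK_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
WEAK_COOKIES = ["session=abc123; Path=/"]

HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
HARDENED_COOKIES = ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"]

if __name__ == "__main__":
    for label, hdrs, cookies in (("weak", WEAK_HEADERS, WEAK_COOKIES),
                                 ("hardened", HARDENED_HEADERS, HARDENED_COOKIES)):
        print(f"{label}: {audit_response(hdrs, cookies) or ['no findings']}")
```

Run against a real deployment by feeding it the headers from a staging response; a non-empty list on the session cookie is the finding to fix first, since a missing Secure or SameSite attribute on a session cookie undoes the session handling the rest of the page describes.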
Operations
RBAC, audit logging, and least privilege
- Role-based access control with deny-by-default authorization for admin areas: an action is allowed only when a role explicitly grants it.
- Audit-friendly staff workflows for sensitive actions (refunds, voids, ticket changes).
- Operational logging designed for incident review and post-event questions.
- Principled configuration: explicit settings over hidden defaults.
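The deny-by-default and audit-friendly points above are worth seeing together, because the second is what makes the first reviewable. The following is an added example, not Lyonl's implementation: an explicit allow-list of role/action pairs, a rule that refunds, voids and ticket changes must carry a reason, and an audit log that records every decision including denials. The role and action names are assumptions chosen for illustration.

```python
import json
from datetime import datetime, timezone

# Explicit allow-list of (role, action) pairs. Anything not listed is denied,
# including actions nobody has registered yet. Role and action names are
# constructed for this example and are not Lyonl's.
PERMISSIONS = {
    ("scanner", "ticket.scan"),
    ("box_office", "ticket.scan"),
    ("box_office", "ticket.change"),
    ("supervisor", "ticket.scan"),
    ("supervisor", "ticket.change"),
    ("supervisor", "order.refund"),
    ("finance", "order.refund"),
    ("finance", "order.void"),
}

# Actions that must carry a reason so a reviewer can reconstruct why they happened.
SENSITIVE_ACTIONS = {"order.refund", "order.void", "ticket.change"}


class AuditLog:
    """Append-only decision log: one entry per authorization attempt, allowed or not."""

    def __init__(self):
        self.entries = []

    def record(self, **fields):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), **fields}
        self.entries.append(entry)
        return entry

    def to_jsonl(self):
        """Serialize for a log pipeline, one JSON object per line."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def authorize(actor, roles, action, audit, target=None, reason=None):
    """Return True only when some role in `roles` explicitly grants `action`.

    Sensitive actions are refused without a reason. Every decision, including
    denials, is written to `audit` so incident review sees attempts, not just
    successes.
    """
    granted = any((role, action) in PERMISSIONS for role in roles)
    denial = None
    if not granted:
        denial = "no role grants this action"
    elif action in SENSITIVE_ACTIONS and not reason:
        denial = "sensitive action requires a reason"
    audit.record(
        actor=actor,
        roles=sorted(roles),
        action=action,
        target=target,
        reason=reason,
        decision="deny" if denial else "allow",
        detail=denial,
    )
    return denial is None


if __name__ == "__main__":
    log = AuditLog()
    # Constructed sequence: a box-office user overreaching, a supervisor refund
    # with a reason, a void without one, and an action no role defines.
    authorize("alice", {"box_office"}, "order.refund", log, target="order-1042", reason="duplicate charge")
    authorize("bob", {"supervisor"}, "order.refund", log, target="order-1042", reason="duplicate charge")
    authorize("bob", {"supervisor"}, "order.void", log, target="order-1042")
    authorize("carol", {"finance"}, "admin.users.create", log)
    print(log.to_jsonl())
```

The shape matters more than the specific roles: a lookup that defaults to deny cannot be widened by forgetting to list a new admin action, and logging the denial with the actor and target is what lets a post-event review answer "who tried to refund this order, and was it allowed?".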
Incident response
Preparedness without overpromising
- Clear logging and change tracking to support investigation.
- Separation of duties and least privilege to limit blast radius.
- Documented runbooks for deployment and operational changes.
- Continuous testing to reduce regressions and security drift.
Incident response timelines depend on your contractual terms and environment.
See Lyonl against your workflow
Get a demo that focuses on your operations: configuration, roles, scanning, refunds, reporting, and integration needs.