Security & risk management
EvoPay combines regulated financial operations with a purpose-built VirtuOZ platform. Our objective is to meet expectations typical of licensed institutions: clear governance, defensible technology, and proportionate controls across people, processes, and systems.
Principles
- Defense in depth: no single control is relied on in isolation; layers cover identity, sessions, application logic, and operations.
- Least privilege: access to sensitive actions and data is limited to what is required for a given role or workflow.
- Transparency: this page summarizes how we protect funds and data; detailed legal commitments appear in our Terms, Privacy Policy, and Compliance materials.
Regulatory & governance posture
EvoPay LLP provides financial services under the laws of the Republic of Kazakhstan, with supervision aligned to our licensing framework. We maintain an AML/CFT program proportionate to our products and risk profile, including customer due diligence, monitoring, and escalation paths for unusual activity.
VirtuOZ platform controls
The product layer implements controls consistent with common industry practice for financial web applications:
- Passwords: stored only as Argon2 hashes (Argon2 salts each hash itself), never in plain text.
- Two-factor authentication: optional TOTP (authenticator app), enabled via /dashboard/security; TOTP secrets and backup codes are stored encrypted at rest in the database.
- Sessions: browser session cookies are set HttpOnly and SameSite, and Secure whenever they are served over HTTPS; access tokens are issued with lineage metadata so that rotation is controlled and each token can be traced back to the token it replaced.
- CSRF protection: state-changing requests must carry an anti-CSRF token, so a request forged from another site is rejected.
- Role separation: customer and administrative flows are separated, and privileged operations require administrative authentication.
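The following is an added, stdlib-only illustration of three of the controls listed above, written for this page and not taken from the VirtuOZ code base: RFC 6238 TOTP verification with a clock-skew window and a replay guard (a one-time code must not be accepted twice), a session-bound anti-CSRF token, and a Set-Cookie header that carries HttpOnly and SameSite always but Secure only when the response is served over HTTPS. The function names, the `session` cookie name, the `Lax` SameSite value and the in-memory server key are assumptions; the Argon2 step is omitted because it needs a third-party library (argon2-cffi) rather than the standard library.

```python
"""Added example (not EvoPay/VirtuOZ code): TOTP verify, anti-CSRF token, cookie attrs."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from http.cookies import SimpleCookie
from typing import Optional

# --- TOTP (RFC 6238: HMAC-SHA1, 30 s step, 6 digits, as authenticator apps use) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_at(secret: bytes, now: int, step: int = 30) -> str:
    """The code an authenticator app shows at Unix time `now`."""
    return hotp(secret, now // step)

class TotpVerifier:
    """Accepts the current step plus `window` steps either side (clock skew), and
    never accepts a step at or below the highest step already used (replay guard)."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30):
        self.secret, self.window, self.step = secret, window, step
        self.last_counter = -1  # highest counter already accepted; persist per user in practice

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # already consumed (replay) or older than a consumed step
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False

# --- Anti-CSRF token bound to the session (synchronizer-token pattern) ---

CSRF_KEY = secrets.token_bytes(32)  # assumed server-side key; in practice from a KMS and rotated

def issue_csrf_token(session_id: str) -> str:
    """nonce || HMAC(key, nonce || session_id): valid only for this session."""
    nonce = secrets.token_bytes(16)
    tag = hmac.new(CSRF_KEY, nonce + session_id.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + tag).decode()

def check_csrf_token(session_id: str, token: str) -> bool:
    """Constant-time check; a token issued for another session fails here."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) != 16 + 32:
        return False
    nonce, tag = raw[:16], raw[16:]
    expected = hmac.new(CSRF_KEY, nonce + session_id.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

# --- Session cookie attributes: HttpOnly and SameSite always, Secure only over HTTPS ---

def session_cookie_header(session_id: str, served_over_https: bool) -> str:
    """Returns the value of a Set-Cookie header for the (assumed) 'session' cookie."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    morsel = cookie["session"]
    morsel["httponly"] = True     # not readable by page scripts
    morsel["samesite"] = "Lax"    # assumed value; blocks cross-site POSTs from sending it
    morsel["path"] = "/"
    if served_over_https:
        morsel["secure"] = True   # only set when the deployment actually serves HTTPS
    return morsel.OutputString()

if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test secret, not a real user's seed
    v = TotpVerifier(seed)
    print(totp_at(seed, 59), v.verify(totp_at(seed, 59), now=59), v.verify(totp_at(seed, 59), now=59))
    tok = issue_csrf_token("sess-A")
    print(check_csrf_token("sess-A", tok), check_csrf_token("sess-B", tok))
    print(session_cookie_header("sess-A", served_over_https=True))
```

The replay guard is the detail most often missing from home-grown TOTP checks: without `last_counter`, a code captured by a phishing page stays valid for the whole skew window, which defeats the "one-time" property the page relies on for payout authentication.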
Protecting funds & transaction integrity
| Area | What we apply |
|---|---|
| Segregation | Client balances are held distinctly from operational funds, in line with partner-banking arrangements appropriate to our regulated model. |
| Escrow workflows | Deal funds follow defined states in the platform so release is tied to contract milestones and approvals—not ad-hoc manual transfers. |
| Fiat operations | Certain fiat deposits and withdrawals may pass through manual review and compliance checks before balances finalize. |
| Monitoring & policy | Transaction monitoring and currency/sanctions policy controls support consistent enforcement across supported rails. |
| Payout discipline | Money movement requires strong customer authentication, including your second factor where 2FA is enabled on your account. |
Data protection & privacy
| Layer | Implementation |
|---|---|
| Transport | TLS for traffic between your browser and our services in production configurations. |
| Storage | Sensitive credentials and key material are protected with encryption and strict access boundaries; broader datasets are handled according to data-minimization and retention policies. |
| Access & operations | MFA for high-risk internal roles where applicable; administrative actions are designed to be traceable for investigation and audit. |
| Privacy by design | We collect what we need to onboard, settle, and comply; Kazakhstan personal-data rules inform our processing practices. |
KYC & financial crime prevention
- Tiered verification: identity documents and, where required, liveness-style checks to reduce impersonation risk.
- Screening: watchlist and sanctions-oriented checks integrated into onboarding and ongoing monitoring.
- Manual review: compliance analysts examine edge cases and higher-risk profiles when automated signals are insufficient.
People, vendors & resilience
- Staff access is governed by internal policies; security and privacy training is part of operational discipline.
- Critical vendors are selected and overseen with due diligence appropriate to the services they provide.
- Business continuity and incident response plans are maintained commensurate with our size and complexity. We run periodic technical assessments and benchmark against widely recognized control frameworks (for example, SOC 2 criteria) as a complement to, not a substitute for, our regulatory obligations.
Your responsibilities
- Enable 2FA in /dashboard/security and store backup codes safely.
- Use a unique, strong password for EvoPay; do not reuse credentials from other sites.
- Stay alert to phishing: we will not ask for your password or one-time codes by email, phone, or chat.
- Keep contact details current and review account activity regularly.
Incident notification
Where a security incident affects personal data, we handle assessment and notification in line with applicable law and our regulatory duties, including informing affected individuals when required.
Institutional discipline, engineered into the product.