Trust & compliance

Independently audited security & compliance

Payouts.com maintains its own SOC 2 Type II and SOC 1 Type II audits — both with clean opinions — and tokenizes sensitive card data with Very Good Security (VGS), a PCI DSS Level 1 provider. Every report below is the work of an independent auditor.

  • SOC 2 Type II — clean opinion
  • SOC 1 Type II — clean opinion
  • PCI DSS Level 1 card-data vault
SOC 2 Type II
Security, Availability & Confidentiality
Clean opinion
Reporting entity: Payouts Technologies Ltd.
Trust criteria: Security · Availability · Confidentiality
Audit period: Oct 2024 – Sep 2025
Independent auditor: Kost Forer Gabbay & Kasierer (EY)
Report issued: March 25, 2026
Compliance at a glance

Audited end to end, independently verified

SOC 2 Type II — clean opinion
SOC 1 Type II — clean opinion
PCI DSS Level 1 card-data vault (VGS)
Low penetration-test risk rating

SOC 2 Type II · SOC 1 Type II · PCI DSS Level 1 · OWASP-tested
Payouts.com · SOC reports

Our SOC 2 & SOC 1 audits

These are Payouts.com’s own independent audits — reporting entity Payouts Technologies Ltd. (formerly Mrkter Technologies L.B.O. Ltd.). Both received clean opinions from an independent service auditor.

SOC 2 Type II
Security, Availability & Confidentiality
Clean opinion
Reporting entity: Payouts Technologies Ltd.
Audit period: Oct 1, 2024 – Sep 30, 2025
Report issued: March 25, 2026
Independent auditor: Kost Forer Gabbay & Kasierer (EY Israel)
Subservice org: Amazon Web Services · carved out

Trust Services Criteria covered:

Security · Availability · Confidentiality

Controls in scope:

Control environment · Logical & physical access · Change management · System operations · Risk mitigation · Availability · Confidentiality · Encryption

Includes complementary user-entity controls (CUECs) and complementary subservice-organization controls.

SOC 1 Type II
Internal Control over Financial Reporting (ICFR)
Clean opinion
Reporting entity: Mrkter Technologies L.B.O. Ltd.
Audit period: Oct 1, 2023 – Sep 30, 2024
Report issued: March 31, 2025
Independent auditor: Independent Service Auditor
Subservice org: Carved out · infrastructure

Control objectives tested — no exceptions material to the opinion:

Backup & DRP · Change management · Entity-level controls · Logical access · Security

Reporting entity since renamed to Payouts Technologies Ltd. (Oct 16, 2025). Designed for user-entity auditors evaluating ICFR for transactions processed by Payouts.com.

Card-data infrastructure · VGS

Attestation of Compliance — PCI DSS v4.0.1

Separately from Payouts.com’s own SOC audits above, sensitive card data is vaulted and tokenized by Very Good Security, Inc. (VGS). The VGS platform is assessed annually against the Payment Card Industry Data Security Standard by an independent Qualified Security Assessor.

Assessment details

Standard: PCI DSS v4.0.1 · Report on Compliance
Assessed entity: Very Good Security, Inc.
Service type: Service Provider · Level 1
Qualified Security Assessor: Schellman Compliance, LLC · QSA (007-005)
Lead assessor: Michael Barnes
Date assessment ended: August 22, 2025
Date of report: September 5, 2025

Scope of assessment

Services included in the assessed VGS Platform:

VGS Vault · VGS API · VGS Collect · VGS Show · VGS Obsidian · HTTP Proxy · SFTP Proxy · ISO/TCP Proxy · Mail Proxy · Managed File Transfer · Card Management Platform

Assessed service categories:

  • Hosting · Applications / software
  • Hosting · Storage
  • Tokenization
  • Payment Gateway / Switch

Penetration testing · VGS

Independent penetration tests

NetWorks Group (NWG) ran full-scope and web-application penetration tests against the VGS card-data platform, simulating real-world attackers from both unauthenticated and assumed-compromise positions.

Full-scope penetration test
NetWorks Group · June 13, 2025
Low risk
Public compromise risk: Low
Assumed compromise risk: Low
External network: Low
Internal network: Low
Detection & response: Low
  • External systems are minimal and well-secured.
  • Internal segmentation is effective — no vault hosts reachable from the general network.
  • Internal detections and monitoring are timely and accurate.
Web application penetration test
NetWorks Group · June 13, 2025 · OWASP Top 10
Low risk
A01 · Broken access control: None
A02 · Cryptographic failures: None
A03 · Injection: None
A04 · Insecure design: None
A05 · Security misconfiguration: None
A06 · Vulnerable / outdated components: Low
A07 · Identification & auth failures: None
A08 · Software & data integrity: None
A09 · Logging & monitoring: None
A10 · Server-side request forgery: None

Only finding: outdated JavaScript dependencies (low severity) — testers were unable to exploit it. All injection, traversal, auth-bypass and open-redirect attempts were unsuccessful; TLS 1.2+ and a Content Security Policy are enforced.

What this means for you

How this protects your business

Independently validated

SOC 2 and SOC 1 audits, a PCI DSS Qualified Security Assessor, and external penetration testers verify these controls — results are not self-reported.

Reduced PCI scope

Raw card numbers are tokenized inside the VGS vault, so sensitive cardholder data never touches Payouts.com systems — shrinking the compliance burden on your side too.

Defense in depth

TLS 1.2+ in transit, AES-256 at rest, network segmentation, and monitored detections that respond to threats in real time.

Reports

Download the assessment reports

Payouts.com’s own SOC reports plus the independent reports for our VGS card-data infrastructure. For full customer due-diligence packages, contact our team.

The SOC 2 Type II and SOC 1 Type II reports are Payouts.com’s own independent audits, issued to Payouts Technologies Ltd. (formerly Mrkter Technologies L.B.O. Ltd.). The PCI DSS Attestation of Compliance and penetration-test reports cover Very Good Security, Inc. (VGS) — the PCI DSS Level 1 tokenization and vault provider Payouts.com relies on for cardholder-data security. SOC reports are confidential; some uses may require an NDA — see the Security overview or contact our team.

Questions about our security posture?

Talk to our team about data isolation, controls, and the due-diligence package for your compliance review.