Security at PayShepherd

At PayShepherd, we recognize that threats evolve, as does our approach to protecting your data.  We understand that our customers want their contractor billing data to be protected. We provide each customer with a dedicated cloud environment.  Your data is yours.  We keep it that way so you can enjoy a secure, fast, and private online experience—because your trust means everything to us.

PayShepherd does more than deliver a secure application. By using our cloud platform, our customers can securely and easily collect and analyze billing data across multiple sites—reducing billing errors, saving both time and money.

Secure Foundations

We deliver PayShepherd by leveraging Amazon Web Services. By choosing AWS as our infrastructure, we can provide our customers with a secure and robust platform on which to manage their contractor billing. AWS infrastructure and platform services have been certified as ISO 27001 and SOC 2 compliant.

Data Center Security

PayShepherd relies on AWS to provide data center security. AWS provides physical access controls, round-the-clock site monitoring and operational controls, HVAC systems, and fire suppression, which are necessary to ensure its servers are protected from accidental or intentional damage or modifications. Twice yearly SOC 2 audits attest to these controls.

Communications, Network, and Data Security

Your data is always protected in transit. Each customer connects to a dedicated subdomain at PayShepherd.com over an encrypted channel negotiated with TLS v1.2 or greater, enforced by the AWS ELBSecurityPolicy-TLS-1-2-2017-01 SSL policy.

Inside the PayShepherd service, your resources are isolated. Network access controls ensure that your traffic does not mix with other customers’ traffic. All internal traffic between services is encrypted. Likewise, your storage resources are isolated, and your data is encrypted at rest.

Application Security

PayShepherd’s application is secure by design.

Shared Model

PayShepherd follows all applicable Complementary User Entity Controls (CUECs) required by AWS in their shared responsibility model. This ensures that we align with AWS’s security best practices, properly configuring and managing our cloud environment to maintain data integrity, confidentiality, and availability. By adhering to these controls, we provide an extra layer of assurance that your data is handled securely and in compliance with industry standards.

Application Source Material

PayShepherd’s software is built using stable, industry-trusted frameworks, chosen in part for their strong security track record. These frameworks undergo continuous updates and rigorous security testing, reducing vulnerabilities and ensuring a resilient foundation for our platform. This proactive approach helps safeguard your data while maintaining high performance and reliability.

Vulnerability & Change Management

Vulnerability analysis, static application security testing (SAST), dynamic application security testing (DAST), and deliberate change management are fully integrated within PayShepherd’s continuous integration software development lifecycle. 

Penetration Testing

Regular third-party penetration tests are performed to proactively identify and address potential security vulnerabilities before they can be exploited. These assessments, conducted by independent security experts, ensure our platform remains resilient against evolving threats, reinforcing our commitment to safeguarding your data and operations.

Web Server Security

Enhanced security at the web server level protects the application from threats like clickjacking, insecure content loading, and unauthorized data exposure. By leveraging response headers such as X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy, we ensure safer browsing, prevent these classes of attack, and strengthen data privacy—giving you and your users peace of mind.

X-Frame-Options

By implementing X-Frame-Options: SAMEORIGIN, we prevent other websites from embedding our pages within iframes, effectively blocking clickjacking attacks. This ensures that your interactions with our site are direct and free from hidden threats.

Strict-Transport-Security

We’ve strengthened your connection security with the Strict-Transport-Security policy. This ensures that all interactions with our website (including subdomains) are encrypted using HTTPS, protecting sensitive data from being intercepted and ensuring your information stays private.

X-Content-Type-Options

Your data is further safeguarded with the X-Content-Type-Options policy, which prevents web browsers from interpreting files as different types than declared. This helps block certain types of attacks where harmful scripts might be mistakenly run on your browser.

Referrer-Policy

Our Referrer-Policy restricts the sharing of your browsing information to the same origin only, meaning other websites won’t be able to see where you came from when clicking through links. This protects your browsing history and limits data exposure.

Permissions-Policy

To ensure your privacy, we’ve disabled unnecessary access to features like geolocation, microphone, and camera. This minimizes the risk of these being exploited by third parties. Additionally, we enable essential functions for the best possible user experience, like fullscreen mode and asynchronous data syncing, but only for secure, first-party use.
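The header policy described in the Web Server Security section above can be checked mechanically. The following is an added example, not PayShepherd's own code: it encodes the five headers as a policy and audits a set of response headers against it. The exact directive values (the HSTS max-age of one year, the nosniff token, and the mapping of "asynchronous data syncing" to the sync-xhr feature) are assumptions chosen to match the behaviour the page describes, and the two sample header sets are constructed for illustration.

```python
"""Audit HTTP response headers against the web-server header policy
described on the page (X-Frame-Options, Strict-Transport-Security,
X-Content-Type-Options, Referrer-Policy, Permissions-Policy).

Added example, not PayShepherd's code. Concrete directive values are
assumptions made to match the behaviour the page describes.
"""
from __future__ import annotations

ONE_YEAR = 31_536_000  # seconds; assumed minimum HSTS max-age

# Features the page says are disabled, and those it allows first-party only.
# The sync-xhr mapping for "asynchronous data syncing" is an assumption.
DISABLED_FEATURES = ("geolocation", "microphone", "camera")
FIRST_PARTY_FEATURES = ("fullscreen", "sync-xhr")


def parse_permissions_policy(value: str) -> dict[str, list[str]]:
    """Parse 'feature=(allowlist), ...' into {feature: [tokens]}.

    An empty allowlist '()' means the feature is disabled everywhere;
    '(self)' means first-party only; a bare '*' means any origin.
    """
    policy: dict[str, list[str]] = {}
    for item in value.split(","):
        item = item.strip()
        if not item or "=" not in item:
            continue
        feature, allow = item.split("=", 1)
        allow = allow.strip()
        if allow.startswith("(") and allow.endswith(")"):
            tokens = allow[1:-1].split()
        else:
            tokens = [allow]  # bare token form, e.g. camera=*
        policy[feature.strip()] = tokens
    return policy


def hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS header, or 0 if absent."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and arg.strip().isdigit():
            return int(arg.strip())
    return 0


def check_headers(response_headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the policy is met."""
    # Header names are case-insensitive, so normalise before lookup.
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    findings: list[str] = []

    if headers.get("x-frame-options", "").upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options missing or permits cross-origin framing")

    hsts = headers.get("strict-transport-security", "")
    directives = [d.strip().lower() for d in hsts.split(";") if d.strip()]
    if hsts_max_age(hsts) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age below one year")
    if "includesubdomains" not in directives:
        findings.append("Strict-Transport-Security does not cover subdomains")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    if headers.get("referrer-policy", "").lower() not in ("same-origin", "no-referrer"):
        findings.append("Referrer-Policy leaks referrer cross-origin")

    policy = parse_permissions_policy(headers.get("permissions-policy", ""))
    for feature in DISABLED_FEATURES:
        if policy.get(feature) != []:
            findings.append(f"Permissions-Policy does not disable {feature}")
    for feature in FIRST_PARTY_FEATURES:
        if policy.get(feature) != ["self"]:
            findings.append(f"Permissions-Policy does not restrict {feature} to first-party")
    return findings


# Constructed sample responses (not captured from any real site).
GOOD_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "same-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=(), fullscreen=(self), sync-xhr=(self)",
}

WEAK_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOW-FROM https://example.invalid",
    "Strict-Transport-Security": "max-age=300",
    "Referrer-Policy": "unsafe-url",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=*, fullscreen=*",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(f"{label}: {check_headers(hdrs) or ['policy met']}")
```

Run against a live response by feeding the header dictionary from your HTTP client into check_headers; each finding names the specific control that is missing or weaker than the policy, which is what you would want to see in a CI gate rather than a single pass/fail.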

AI Security

AI Policy

PayShepherd maintains a comprehensive suite of policies including a dedicated AI Policy which provides limits to safeguard the use of AI tools and services, either by employees or if used within PayShepherd products when directed by customers. AI tools and services that surpass certain thresholds or fall within certain definitions must be approved by the CISO before use.

AI Risk Reductions

Consistent with PayShepherd’s commitment to responsible AI integration and in alignment with our risk management methodology, internal development initiatives that incorporate AI functionality are governed by a distinct risk-aware framework. This framework is adapted from the Alberta Machine Intelligence Institute (Amii).

The following criteria and controls apply to all in-house development leveraging AI.

Model Usage Boundaries

  • No proprietary model training or re-training is conducted without approval from the CTO and CISO.
  • AI use is limited strictly to informational insights and anomaly detection.
  • No automated decision-making, mathematical computation, or content generation is performed by AI.
  • The system will not engage in any discriminatory practices, as the underlying datasets contain no identifiable user group or demographic attributes.

Transparency to Users

Platform users are explicitly informed when observations or outputs are AI-assisted. Clear labelling will be applied to maintain user trust and meet ethical transparency standards.

Prompt Engineering

AI prompts are predefined and remain mostly static. Prompts are tailored and optimized per model to maximize accuracy and predictability and to reduce the likelihood that jailbreaking attempts succeed.

Output Validation

  • Each AI output is validated using both legitimate and intentionally malformed inputs to ensure consistent and safe behavior under all expected conditions.
  • Any deviation from expected output behavior triggers a review process with results documented for future review.

Geographic Compliance Awareness

The AI infrastructure stack (e.g., Gemini or Bedrock) is selected with geographic jurisdiction in mind to align with customer-specific compliance requirements and preferences. Canada will be used as the default.

Customer-Centric Engine Selection

The choice of AI backends will reflect the customer’s risk tolerance and operational constraints. The risk tolerance will be documented and communicated to the customer.

Operations Security

PayShepherd’s service is continuously monitored to detect actual or potential control failures. PayShepherd’s controls are designed to provide defense-in-depth, ensuring that no single control failure results in a compromise. 

All control failures result in a security incident, and a response is raised using PayShepherd’s security incident management procedures.

Human Resource Security 

Security Policies 

PayShepherd maintains a comprehensive suite of security policies that are available to all employees and contractors. Employees read and accept these policies upon hire and once annually. 

Security Training & Awareness

PayShepherd provides security awareness training to each employee on hire and annually thereafter. In addition, issue-specific education material is distributed to staff through various communication channels, including in-person, email, and instant messaging. 

Employee Screening 

All PayShepherd employees undergo a background check during the hiring process.

Certified Cybersecurity Staff 

PayShepherd hires certified experts in the cybersecurity field, with certifications such as ISC2’s Certified Information Systems Security Professional (CISSP) and EC-Council’s Certified Ethical Hacker (C|EH), and has a designated Chief Information Security Officer (CISO).

Assurance and Compliance 

Platform Assurance 

PayShepherd has chosen a platform (AWS) that is certified as ISO 27001 and SOC 2 compliant.

Organizational Assurance

PayShepherd undergoes organizational-level SOC 2 Type II audits by independent third-party auditor(s) and is pleased to share our report with prospective customers once a Non-Disclosure Agreement has been signed.