Frequently asked questions

How do I know my money is safe?

We are authorised by the Financial Conduct Authority to provide payment services as an Authorised Payment Institution. We serve more businesses than any other Direct Debit provider.

All money collected is held in a secure client monies account with either the Royal Bank of Scotland, Barclays Bank, SEB, NAB or ASB.

How does GoCardless protect my data?

At GoCardless we know security is important, especially when it comes to payments. Our merchants rely on us to invest in security and maintain robust data protection for them and their customers.

• Our access to the Direct Debit system is provided by major banks, who have approved our systems.
• Our global data risk management programme is built to GDPR standards and applies privacy best practices to help protect and respect personal data. Read more here.
• Our financial data server is separated from our application server by multiple firewalls.
• All client-server communication is 256-bit SSL encrypted. The banking system requires just 128-bit.
• We have received ISO 27001 certification for information security.

What is ISO 27001 certification?

GoCardless has been awarded ISO 27001 certification. ISO 27001 is a widely recognised, internationally accepted standard for information security and we have attained it across all GoCardless services and products.

An accredited independent auditor has assessed our processes and controls, and confirmed they align with the certification standard. Certification Europe, an ISO accredited certification body, has certified our compliance with the ISO standard.

Having ISO 27001 certification helps assure our merchants and their customers that we take information security management seriously. GoCardless will ensure that an independent auditor will reassess our Information Security Management System on an annual basis.

What do you do with my money before it is paid out?

All money collected is held in a secure client monies account held with one of our partner banks. Funds are held fully in accordance with safeguarding provisions.

Is it safe for my customers?

Yes. Your customers are fully protected by the Direct Debit Guarantee. This entitles them to a full and immediate refund of any payments taken from their account in error.

Vulnerability Disclosure

We care deeply about keeping our users safe. If you believe you have discovered a vulnerability, we ask that you disclose it in a responsible manner. Sharing vulnerabilities publicly puts our entire user base at risk, so we urge you to keep issues private until we’ve had a chance to release a fix.

If you are interested in testing our service for vulnerabilities then we would appreciate any reports regarding our dashboard and API.

Please conduct testing on our sandbox environment only. You can sign up for a sandbox account to get started.

In recognition of your efforts, and as thanks for working with us to keep GoCardless safe, we offer financial rewards for responsible vulnerability disclosures. Rewards are issued at our discretion, determined by the severity of the issue.

Reporting issues

• Email us at security@gocardless.com as soon as you become aware of the issue. Our GPG key id is 684ED3A3, and its fingerprint is 8A4C 2665 6632 8EC4 1C83 6BB4 D9E1 ADB2 684E D3A3
• Include as much detail as possible, including steps for reproducing the issue
• Do not exploit the vulnerability, except to demonstrate the issue to GoCardless staff
• Please do not disclose the issue to anyone else before we’ve rolled out a fix

Reward eligibility

We appreciate the effort security researchers go to in order to keep the web safe, and we’re keen to reward them for their work. However, we will not reward malicious behavior, or actions that deliberately cause a disruption to our service. Reward eligibility is decided on a case-by-case basis, but we will never provide rewards for:

• Denial of service attacks
• Using automated tools such as scanners and fuzzers as they can negatively impact our service, and create large amounts of noise that costs us time to clear up
• Social engineering attacks
• Physical attacks or threats against our staff or users