
Security & trust.

Subflow moves money but never stores card data. Here is exactly how that works — our PCI posture, how we handle personal information under POPIA, where we run, who we share data with, and how researchers and AI agents engage with us.

Last updated: 8 June 2026
Owner: [email protected]
Region: South Africa · EU edge

01 Card data & PCI

Subflow never stores cardholder data. Our two pillars — gateway aggregation and a CRM-native subscription engine — sit beside the card vault, never on top of it. When a customer pays, card details are captured by the gateway (Payfast, Yoco or Paystack ZA) and tokenised on their PCI-DSS-certified infrastructure. Subflow only ever holds the resulting gateway token, never a PAN, CVV or expiry.

This "passthrough" model keeps your PCI scope minimal: because no cardholder data touches Subflow's servers, logs or backups, Subflow adds nothing to your cardholder-data environment and an integration through it can qualify for SAQ A. Whether you actually qualify for SAQ A rather than SAQ A-EP depends on how your checkout hands card entry to the gateway (a fully hosted or redirected payment page, or a gateway-served iframe, can qualify for SAQ A; a checkout where your own page or script delivers the card fields typically falls under SAQ A-EP), so confirm the applicable SAQ with your acquirer. We orchestrate charges, subscriptions and dunning against gateway tokens — nothing more sensitive than that ever lands in our database.

What Subflow stores

Customer name and email, subscription and plan state, charge amounts and statuses, gateway tokens, and webhook/audit logs. Not stored: card numbers, CVV, expiry, or full bank account numbers.

02 Data protection (POPIA)

Subflow (Pty) Ltd is a South African company and processes personal information in line with the Protection of Personal Information Act, 2013 (POPIA). Where a merchant or end-customer falls under the GDPR, we cross-reference those obligations and honour the stricter standard.

  • Lawful basis & minimisation. We collect only what is required to operate payments and subscriptions on a merchant's behalf, and process it for that purpose only.
  • Roles. For a merchant's own account data, Subflow is the responsible party. For end-customer data flowing through a merchant's funnel, the merchant is the responsible party and Subflow is the operator (processor) acting on documented instructions.
  • Data-subject rights. Requests for access, correction or deletion are routed to our Information Officer at [email protected] and actioned within the POPIA-prescribed timeframes.
  • Retention. Operational records are retained while an account is active and for the period required by South African financial-record law thereafter, then deleted or de-identified.

03 Infrastructure

Subflow is deployed on Cloudflare's European edge. Traffic is served over TLS 1.2+ end to end; data is encrypted in transit and at rest. We run an immutable, infrastructure-as-code deployment pipeline — every change is version-controlled, reviewed and reproducible.

In transit: TLS 1.2+ everywhere; HSTS enabled on all production hosts.
At rest: AES-256 for the primary datastore and backups.
Webhooks: signed with HMAC-SHA256 and delivered with a timestamp; receivers verify the signature and reject any delivery outside the 5-minute replay window, so a captured webhook cannot be re-sent later.
Backups: encrypted, with point-in-time recovery.
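Receiver-side verification of a signed webhook, as an added example (this is not Subflow's code and the page does not document the wire format). Assumed, and not taken from the page: the header names X-Subflow-Timestamp and X-Subflow-Signature, that the signed string is "<unix timestamp>.<raw body>", and that the MAC is hex-encoded. The sample secret and payload are constructed. The two points it shows that the summary above does not are that the timestamp must be inside the MAC (otherwise an old signature could be replayed under a fresh timestamp) and that the comparison must be constant-time:

```python
"""Verify an HMAC-SHA256 signed webhook inside a replay window.

Added example, not Subflow's own code. Header names, signed-string layout
and timestamp encoding are assumptions; check the gateway's docs.
"""
import hashlib
import hmac
import time
from typing import Optional, Tuple

REPLAY_WINDOW_SECONDS = 300  # the 5-minute window described on the page

# Assumed header names (not specified by the page)
TS_HEADER = "X-Subflow-Timestamp"
SIG_HEADER = "X-Subflow-Signature"


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over '<timestamp>.<raw body>'.

    Binding the timestamp into the MAC is what makes the window enforceable:
    a replayed delivery cannot simply be given a fresh timestamp, because
    changing the timestamp invalidates the signature."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes,
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, reason). `body` must be the raw request bytes, not a
    re-serialised JSON object: re-encoding can reorder keys or change
    whitespace and break the MAC. `now` is injectable for testing."""
    now = int(time.time()) if now is None else now
    ts_raw = headers.get(TS_HEADER)
    sig = headers.get(SIG_HEADER, "")
    if ts_raw is None or not sig:
        return False, "missing signature headers"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    # Reject stale deliveries (and far-future ones, which indicate clock
    # skew or tampering) before spending any work on the MAC.
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign(secret, ts, body)
    # compare_digest runs in constant time; a plain == leaks, through timing,
    # how many leading characters of a guessed signature were correct.
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample delivery; not a real Subflow event.
    secret = b"whsec_example_only"
    body = b'{"event":"charge.succeeded","charge":"ch_example","amount":4999}'
    now = int(time.time())
    headers = {TS_HEADER: str(now), SIG_HEADER: sign(secret, now, body)}
    print(verify_webhook(secret, headers, body))                 # (True, 'ok')
    print(verify_webhook(secret, headers, body + b" ", now=now))  # (False, 'signature mismatch')
    print(verify_webhook(secret, headers, body, now=now + 600))   # (False, 'timestamp outside replay window')
```

In a real framework, read the raw body before any JSON middleware touches it, and treat the secret like an API key: one per endpoint, rotated on the same schedule.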

04 Access & keys

API keys are environment-scoped: sk_test_… for sandbox and sk_live_… for production, so a sandbox key cannot move live money. Keys can be rotated at any time from your dashboard; rotation revokes the prior key immediately, with no overlap period, so roll the new key out to every consumer at the moment you rotate. Internal access to production follows least-privilege and is logged. POST endpoints accept an Idempotency-Key header: a retry that carries the same key is recognised as the same request and returns the original outcome instead of creating a second charge.
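How an idempotency key protects a retry, as an added example. This is not Subflow's code: the server half is a stand-in that models the behaviour the paragraph describes (a retried POST carrying the same Idempotency-Key creates no second charge), and the response shape, the scoping of keys to the calling API key, and the rule that a key reused with a different body is refused are all assumptions, not taken from the page. The failure it exercises is the one that matters in practice: the charge commits but the response is lost, so the client has no way to know whether money moved:

```python
"""Idempotent retries against a charge endpoint (added example, not Subflow's code).

Models the property "a retry with the same Idempotency-Key never double-charges".
Endpoint shape, key scoping and the reuse-with-different-body rule are assumed.
"""
import hashlib
import json
import uuid
from typing import Dict, List, Optional, Tuple


class ChargeServer:
    """Stand-in for the orchestration side. Charges are kept in a list so the
    caller can count how many were actually created."""

    def __init__(self) -> None:
        self.charges: List[dict] = []
        # (api_key, idempotency_key) -> (hash of request body, stored response).
        # Scoping by api_key is assumed: one merchant's keys never collide with another's.
        self._seen: Dict[Tuple[str, str], Tuple[str, dict]] = {}
        self.lose_next_response = False  # simulate a response dropped on the wire

    def post_charge(self, api_key: str, headers: dict, body: dict) -> dict:
        key = headers.get("Idempotency-Key")
        if not key:
            raise ValueError("this example requires an Idempotency-Key header")
        body_hash = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        hit = self._seen.get((api_key, key))
        if hit is not None:
            stored_hash, response = hit
            if stored_hash != body_hash:
                # Assumed rule: same key with a different payload is a client bug,
                # so refuse rather than silently return the earlier result.
                return {"error": "idempotency_key_reused_with_different_body"}
            return response  # replay of the original outcome, no new charge
        charge = {"id": f"ch_{len(self.charges) + 1}", "amount": body["amount"], "status": "succeeded"}
        self.charges.append(charge)
        self._seen[(api_key, key)] = (body_hash, charge)
        if self.lose_next_response:
            # The charge is committed, but the client never receives this response.
            self.lose_next_response = False
            raise ConnectionError("response lost after the charge was committed")
        return charge


def charge_with_retries(server: ChargeServer, api_key: str, body: dict, attempts: int = 3) -> dict:
    """Generate ONE key per logical charge and reuse it on every retry.
    Minting a fresh key per attempt would defeat the mechanism entirely."""
    idem_key = str(uuid.uuid4())
    last_err: Optional[Exception] = None
    for _ in range(attempts):
        try:
            return server.post_charge(api_key, {"Idempotency-Key": idem_key}, body)
        except ConnectionError as exc:
            last_err = exc  # transient: retry with the SAME key
    raise RuntimeError("charge failed after retries") from last_err


if __name__ == "__main__":
    srv = ChargeServer()
    srv.lose_next_response = True  # first attempt commits, response is lost
    # Constructed request; "sk_test_example" is a placeholder, not a real key.
    result = charge_with_retries(srv, "sk_test_example", {"amount": 4999, "customer": "cus_example"})
    print(result, "charges created:", len(srv.charges))  # ch_1 ... charges created: 1
```

The key should be derived from, or stored alongside, your own order or invoice record before the first attempt, so that a process restart between attempts still retries with the same key rather than a new one.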

05 Sub-processors

We share the minimum personal information necessary with a small set of vetted sub-processors to deliver the service. This list is kept current; material changes are announced before they take effect.

Current sub-processors
Sub-processor | Purpose                         | Data                            | Region
Cloudflare    | Hosting, edge compute, CDN, WAF | All service traffic (encrypted) | EU
Payfast       | Payment processing & card vault | Cardholder & transaction data   | ZA
Yoco          | Payment processing & card vault | Cardholder & transaction data   | ZA
Paystack ZA   | Payment processing & card vault | Cardholder & transaction data   | ZA
Sentry        | Error & performance monitoring  | Diagnostic metadata (no PII)    | EU

06 AI-agent policy

Subflow welcomes AI agents acting on behalf of merchants. If you are building or operating an autonomous agent that integrates Subflow, these are the rules of engagement.

  • Agent-attributed API keys. Obtain a dedicated agent key rather than reusing a human operator's. Every key carries an agent identity so actions are attributable.
  • Rate limits. Agent keys start at a lower rate limit than human-operated keys and earn higher limits as the agent builds a clean reputation.
  • Audit-trail attribution. The agent ID surfaces in every action it takes — in webhooks, in the dashboard activity log, and in exported records — so a human can always see what was done by which agent.
  • Human-in-the-loop for production charges. Moving real money requires a human-authorised step. Agents may prepare, simulate and stage charges freely in test mode, but a documented human approval is required before a live charge is captured. Liability for agent-initiated actions sits with the account holder that provisioned the agent.

Machine-readable entry point: llms.txt (content map). Crawlers including GPTBot, ClaudeBot, PerplexityBot and Google-Extended are explicitly permitted.

07 Responsible disclosure

If you believe you've found a vulnerability, tell us before you tell anyone else and we'll work with you. Email [email protected] with steps to reproduce. We acknowledge every report within 24 hours and keep you updated through to a fix. While testing, please don't access or modify data that isn't yours, degrade the service, or run automated scans that affect other merchants. We don't pursue legal action against researchers who act in good faith under this policy.

08 Contact

Security questions, due-diligence questionnaires and disclosure reports: [email protected]. POPIA and data-subject requests: [email protected].