CASE FILE / packetly.live / EST. 2026
P Packetly
Start free →
Trust dossier · revision 2026.04

Your data, on file.
Locked.

Packetly handles dispute evidence — sometimes sensitive. Here's exactly what we collect, what we don't, and how we keep it safe. No legalese, no marketing fluff.

restricted
Exhibit A · Stripe access
§1.07

Restricted keys only. Always.

You connect Packetly with a Stripe restricted key (rk_…) — the same kind Stripe recommends for third-party tools. We never request, accept, or store your secret key (sk_…). The restricted key is scoped to the resources we actually need (disputes, charges, customers) — read-only on charges, write only on dispute submission.

  • No secret key access — ever
  • Read-only on charges and customers
  • Write scope limited to /disputes/:id/submit
  • You can revoke the key from your Stripe dashboard in one click
encrypted
Exhibit B · Encryption
§2.14

Encrypted in transit. Encrypted at rest.

All traffic is HTTPS-only with HSTS enabled. Stored data — uploads, generated PDFs, and database rows — is encrypted at rest with AES-256 on the host volume. Stripe API keys are stored encrypted with a separate envelope key.

  • TLS 1.2+ enforced · HSTS preload-ready
  • AES-256 at rest on persistent volumes
  • API keys envelope-encrypted (separate key material)
  • Daily encrypted backups · 30-day retention
not on file
Exhibit C · What we never store
§3.21

The things you will never find on our servers.

The simplest data security is the data you do not collect. Packetly is deliberately narrow about what it touches.

  • Full card numbers (PAN) — never. Only Stripe-tokenized last-4 if shown
  • CVV / CVC codes — never
  • Bank account or routing numbers — never
  • Customer government IDs — only if you upload them as evidence; deletable on demand
authenticated
Exhibit D · Access controls
§4.28

Authentication that does not embarrass us.

Auth is enforced server-side with HttpOnly + Secure + SameSite=Lax cookies and signed JWTs. Sessions expire on a 30-day rolling window. Passwords are hashed with bcrypt at cost factor 12. SSO and audit logs are on the roadmap for team plans.

  • bcrypt (cost 12) password hashing — never plaintext
  • HttpOnly + Secure + SameSite=Lax session cookies
  • JWT-signed sessions · 30-day rolling expiry
  • Email-based password reset · enumeration-safe (no leak of which emails exist)
in progress
Exhibit E · Compliance posture
§5.35

Where we stand today, and where we are headed.

Packetly is GDPR-aware (data export and deletion endpoints on request), CCPA-aligned, and built so that PCI scope is minimized — we never enter the cardholder-data environment. SOC 2 Type I is on the roadmap once we cross the team-plan threshold.

  • GDPR · right to access + erasure honored within 30 days
  • CCPA · do-not-sell honored by default (we never sell data)
  • PCI · scope minimized via Stripe tokenization
  • SOC 2 Type I · planned 2026 H2
on call
Exhibit F · Incident response
§6.42

If something goes wrong, you hear about it.

We monitor for anomalies on auth, storage, and outbound API patterns. If we detect or suspect a breach affecting your data, we notify you within 72 hours with what we know, what we are doing, and what action — if any — you need to take.

  • 24/7 anomaly monitoring on auth + storage
  • 72-hour breach notification commitment
  • Quarterly disaster-recovery drills
  • Public status page · status.packetly.co (planned)
Need more?

Security questionnaire? DPA?

We're happy to fill out vendor security questionnaires and sign a Data Processing Agreement. Email security@packetly.co and we'll turn it around within two business days.

Email security@ See our casebook