We built Modari applying privacy and security by design from day one. Below we describe the technical and organizational controls protecting your information, payments, and the operation of the service.
TLS 1.2+
Encryption in transit
AES-256
Encryption at rest
bcrypt
Password hashing
TOTP
MFA — RFC 6238
Modari inherits and aligns with internationally recognized frameworks for information security management, data protection, and payment processing. Some certifications are inherited through our subprocessors; others represent the framework under which we operate our internal controls. The current status of each:
All credit card capture and processing occurs inside Stripe, certified PCI DSS Level 1 — the highest level of the standard. Modari never receives or stores PAN data; we only retain a referenced token and the last 4 digits for display.
Our controls for security, availability, processing integrity, confidentiality, and privacy are designed in line with the Trust Services Criteria published by AICPA. We are prepared to undergo a SOC 2 Type II audit when contractually required.
We apply the relevant Annex A domains: access control (A.9), cryptography (A.10), operations security (A.12), incident management (A.16), and compliance (A.18). The framework guides our internal information security policy.
We comply with Regulation (EU) 2016/679: documented legal bases, record of processing activities, data subject rights, breach notification within 72 hours, international transfers via Standard Contractual Clauses, and a Data Processing Agreement (DPA) available upon request.
We apply the United Kingdom regime in accordance with Information Commissioner's Office (ICO) guidance, with treatment equivalent to GDPR for data subjects resident in the UK.
We comply with Law 1581 of 2012 and Decree 1377 of 2013. We handle requests, queries, and complaints within statutory timelines (15 business days for queries, 15 business days for complaints) through our PQRs channel.
We honor rights granted by the California Consumer Privacy Act and its CPRA amendment: right to know, delete, correct, opt-out of sharing, and not be discriminated against. We automatically respect the Global Privacy Control (GPC) browser signal.
We apply the Lei Geral de Proteção de Dados with documented legal bases, data subject rights, and Chapter V mechanisms for international transfers to jurisdictions without adequate level.
Our development lifecycle is guided by the OWASP ASVS and OWASP Top 10 recommendations: input validation at boundaries, output encoding, secure session management, approved cryptography, and least privilege.
We aspire to Web Content Accessibility Guidelines 2.1 Level AA. We audit contrast, keyboard navigation, semantic markup, and screen reader compatibility on every release.
All communication with Modari happens over encrypted channels, and data at rest is stored with strong symmetric encryption managed at the platform level.
Passwords are never stored in plain text. We apply defense in depth to prevent unauthorized access.
Modari operates on dedicated, isolated infrastructure per organization. We minimize the attack surface exposed to the internet and separate tenant data at the database layer.
Each organization operates inside its own logical space. Database queries automatically validate that the requested information belongs to the authenticated tenant.
We maintain encrypted database snapshots to ensure recovery from operational incidents or unrecoverable user errors.
Modari never receives or stores your full card number. All capture, storage, and processing of payment instruments occurs inside Stripe.
We comply with the obligation to notify security incidents affecting personal data within the timelines required by applicable law.
Regardless of your jurisdiction, we guarantee the rights described in our Privacy Policy. You may exercise them through our PQRs channel or by emailing [email protected].
We support multi-factor authentication via the open TOTP standard (Time-based One-Time Password, RFC 6238), compatible with any authenticator application.
If you believe you have identified a vulnerability in Modari, please do not disclose it publicly and report it to us in writing. We investigate every report received and respond to the researcher as quickly as possible. We do not pursue legal action against researchers acting in good faith through this channel and respecting confidentiality during the process.
Email [email protected]Last updated: 2026-04-26
