Security & Compliance

Last updated: 07.09.2025

At Failment, security is at the core of everything we do. We are committed to protecting your data, minimizing vulnerabilities, and ensuring uninterrupted access to our platform.

Adding Failment to your financial stack does not introduce additional exposure to sensitive payment method data. We never store or process card details directly—this is handled entirely by PCI DSS Level 1 certified providers like Stripe.

Our Core Commitments

Secure Traffic

All application, database, webhook, and API traffic is encrypted via TLS/HTTPS.

Encrypted Storage

All data is encrypted at the disk level in AWS RDS, with additional encryption applied to sensitive fields.

Minimal Data

We process and store only mission-critical data, and all data is deleted immediately upon service cancellation.

Penetration Testing

Regular penetration testing is conducted internally by our engineering team, with vulnerabilities tracked and resolved as a priority.

Account Access

Only authorized Engineering and Success team members have access to account data.

Payment Processor Access

All Failment payments are processed by Stripe, a PCI DSS Level 1 certified provider. We use your restricted API key, which we securely encrypt and store in our AWS RDS database.

This key provides access only to the minimum data required for monitoring failed payments and recovery workflows. It cannot be used to charge customers, issue refunds, or perform sensitive operations.

Primary Data: Charges/Transactions

  • All charges from your Stripe account (up to 5,000 with safety cap)
  • Payment status: succeeded, failed, pending
  • Currency information
  • Failure reasons and error codes
  • Customer email addresses
  • Timestamps (created, updated)
  • Payment intent IDs and Invoice IDs

Additional Read Access

  • Customer data (read-only)
  • Subscription information (read-only)
  • Checkout session details (read-only)

Webhook Management

Limited write access for notifications only (to deliver failure alerts).

This strict permission model ensures Failment can only access the data required to detect failures and notify you, while leaving full financial and operational control in your hands.

PCI DSS Compliance

All payment transactions are handled exclusively by Stripe, which is PCI DSS Level 1 compliant—the highest standard available. Failment does not handle, transmit, or store cardholder data.

Application Security

Two-Factor Authentication (2FA)

In addition to passwords, Failment supports 2FA for user accounts, significantly reducing the risk of unauthorized access.

Email Security

Failment enforces DMARC and DKIM for all outbound emails, protecting users from phishing and spoofing attempts.

Data Security & Privacy

Data Encryption

All data stored on AWS RDS is encrypted at rest using AES-256, and all traffic is secured with TLS/HTTPS. Backups are also encrypted, ensuring continuity without compromising privacy.

Data Retention

Failment retains payment event data for 450 days to provide accurate reporting and historical analysis.

Data Removal

When service is cancelled, all customer data is deleted immediately from Failment systems, with no waiting period.

PII Scrubbing

Failment stores only the minimum personally identifiable information required to operate:

  • First and last name
  • Company name
  • Email address

No customer IDs or metadata are collected or stored.

Infrastructure & Network Security

Failment is hosted on AWS Amplify, with all data stored and processed in AWS RDS.

AWS data centers employ state-of-the-art physical and logical security controls, including surveillance, biometric access, redundant power, and compliance with global standards.

Failment engineers do not have physical access to AWS infrastructure. Access to AWS accounts is limited to authorized personnel and protected by strong authentication controls.

Business Continuity & Disaster Recovery

High Availability

Failment services are deployed on redundant, properly provisioned infrastructure to maintain uptime during unexpected failures.

Backups & Disaster Recovery

Encrypted backups are maintained, and in the event of a major outage, systems can be restored or redeployed in a separate AWS region to ensure business continuity.

Corporate Security

All product changes must pass through code review, CI/CD pipelines, and security validation before reaching production.

Compliance

GDPR

Failment provides a Data Processing Addendum (DPA) incorporating Standard Contractual Clauses, ensuring compliance with GDPR requirements.

CCPA

Failment acts solely as a service provider under the CCPA. We do not sell, retain, or disclose personal data for any purpose other than delivering our service.

Vulnerability Disclosure

We encourage responsible disclosure of vulnerabilities. Please contact us at support@failment.com with any findings.

Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") is entered into by and between Trick Consulting LLC (trading as "Failment") ("Processor") and you, the Customer ("Controller"). It forms part of the Failment Terms of Service and governs the processing of personal data on your behalf.

By using the Services, you agree that this DPA applies automatically. If you require a countersigned version for compliance purposes, you may request one at security@failment.com.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by Failment on your behalf.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, transfer, or deletion.
  • "Controller" means you, the Customer, who determines the purposes and means of processing Personal Data.
  • "Processor" means Failment, who processes Personal Data on your behalf.
  • "Sub-Processor" means any third party engaged by Failment to process Personal Data.

2. Scope of Processing

Failment will process Personal Data solely for the purposes of:

  • Providing and improving its subscription payment recovery services
  • Sending communications related to failed or pending transactions
  • Providing analytics and reporting
  • Complying with legal obligations

Failment will not process Personal Data for any other purpose without your instructions.

3. Categories of Personal Data

Depending on your integration, Failment may process the following categories of data from your payment processor (Stripe):

Primary Data:

  • Charges/Transactions (up to 5,000 with safety cap)
  • Payment status (succeeded, failed, pending)
  • Payment amounts and currency information
  • Failure reasons and error codes
  • Customer email addresses
  • Timestamps (created, updated)
  • Payment intent IDs and Invoice IDs

Additional Read Access:

  • Customer data (read-only)
  • Subscription information (read-only)
  • Checkout session details (read-only)
  • Webhook management (write access for notifications)

4. Data Subject Rights

Failment will assist you in fulfilling requests by data subjects to exercise their rights under applicable data protection laws (e.g., GDPR, CCPA), including:

  • Access, correction, and deletion requests
  • Data portability
  • Restriction of processing
  • Objection to processing

5. Data Security

Failment implements appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest (AES-256)
  • Hosting and processing exclusively on AWS Amplify and AWS RDS
  • Access limited to authorized personnel
  • Regular internal penetration testing

6. Sub-Processors

Failment uses trusted third-party providers as Sub-Processors, including:

  • Amazon Web Services (AWS) for hosting and database infrastructure
  • Stripe, Inc. for payment processing

Failment ensures all Sub-Processors are bound by data protection obligations consistent with this DPA. A current list is available on request.

7. Data Transfers

If Personal Data is transferred outside the European Economic Area (EEA), Failment ensures appropriate safeguards are in place (e.g., Standard Contractual Clauses, adequacy decisions).

8. Data Retention & Deletion

  • Personal Data is retained for 450 days for operational and reporting purposes
  • Upon account termination or request, all Personal Data is deleted immediately and irreversibly from Failment systems

9. Confidentiality

Failment ensures that anyone authorized to process Personal Data is subject to confidentiality obligations.

10. Compliance & Audits

  • Failment maintains documentation of processing activities as required by law
  • Upon reasonable request, Failment will provide information necessary to demonstrate compliance with this DPA

11. PCI DSS

All Failment payments are processed by Stripe, which is PCI Service Provider Level 1 certified. Failment itself does not store or process payment card information.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.

13. Term & Termination

This DPA remains in effect for as long as Failment processes Personal Data on your behalf. Termination of the Terms of Service automatically terminates this DPA.

14. Acceptance of DPA

This DPA forms part of the Failment Terms of Service and is binding without signature.

If you require a signed copy for compliance purposes, please contact security@failment.com.

Contact Us

For security-related inquiries, compliance questions, or to request a signed DPA, please contact us:

Trick Consulting LLC (trading as Failment)

General Support: support@failment.com