Encryption in transit
All traffic to BuffMoney APIs and dashboards is served over TLS 1.2+ (HTTPS only). Plain-HTTP requests are redirected or rejected.
BuffMoney moves real money across borders, so the platform is built to account for every request and every dollar. Here are the controls in plain terms — no certifications we don't hold, no claims we can't back.
Personally identifiable information and payment metadata are encrypted at rest. We never receive or store consumer card numbers — collection runs through WeChat Pay / Alipay channels.
Every API call is authenticated with a scoped bearer key. Sandbox and live keys are separated at the key layer; keys are shown once and can be rotated or revoked from the dashboard.
Outbound webhooks are HMAC-signed so you can verify authenticity and reject forgeries. Idempotency keys make retries safe — no duplicate side effects.
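A receiver-side check for signed webhooks, as an added example that is not BuffMoney's own code. The scheme is an assumption: hex HMAC-SHA256 over the raw body, an `id` field inside the signed JSON used for deduplication, and the names `WebhookReceiver`, `sign`, `SECRET` and `BODY` are hypothetical, with constructed sample values.

```python
import hashlib
import hmac
import json

# Assumed scheme (not taken from BuffMoney's documentation): hex HMAC-SHA256
# over the raw request body, with the event id carried inside the signed JSON.
SECRET = b"whsec_constructed_example"  # constructed sample secret
BODY = b'{"id":"evt_001","type":"invoice.paid","amount":1250}'  # constructed


def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 tag, as the sender would compute it."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen = set()  # processed event ids; use a durable store in production

    def handle(self, body: bytes, signature_hex: str) -> str:
        # Check the tag over the raw bytes as received, before parsing anything.
        if not signature_hex.isascii():
            return "rejected"  # compare_digest only accepts ASCII strings
        expected = sign(self._secret, body)
        if not hmac.compare_digest(expected, signature_hex.strip().lower()):
            return "rejected"
        # Take the id from the signed body, not from an unsigned header, so a
        # replayed delivery cannot be relabelled to slip past deduplication.
        try:
            event_id = str(json.loads(body)["id"])
        except (ValueError, KeyError, TypeError):
            return "rejected"
        if event_id in self._seen:
            return "duplicate"  # retry or replay: acknowledge, apply nothing
        self._seen.add(event_id)
        return "processed"


def demo() -> list:
    rx = WebhookReceiver(SECRET)
    tag = sign(SECRET, BODY)
    return [
        rx.handle(BODY, tag),                               # genuine delivery
        rx.handle(BODY, tag),                               # retried delivery
        rx.handle(BODY.replace(b"1250", b"9999999"), tag),  # altered body
        rx.handle(BODY, "0" * 64),                          # wrong tag
    ]
```

The comparison uses `hmac.compare_digest` so the time taken does not reveal how many leading characters of a guessed signature were correct.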
API key scopes (usage:write, invoice:read, checkout:write) grant only what's needed. Sensitive operations and settlement approvals are recorded in an append-only audit log.
Found something? Email security@buffmoney.com. We acknowledge reports and work with researchers in good faith. Please don't disclose publicly before we've responded.
The boring details that matter when you're trusting us with revenue.
Responsible disclosure is welcome and acknowledged.