Security

2ndPay uses a pilot safety posture designed around protected sessions and no automatic money movement.

Transport and sessions

2ndPay is designed to run over HTTPS in production and uses session cookies to protect logged-in employer, employee, and admin areas. Users should log out on shared devices and protect access to their email, browser, device, and wallet applications.

Secrets and API keys

Production secrets and provider credentials are designed to be configured through environment variables. Public pages should not expose API keys, wallet seeds, SMTP passwords, database URLs, or provider secrets.

PWA caching

The 2ndPay PWA service worker is designed to cache only safe static assets. Authenticated payroll, employee, employer, wallet, payout, settlement, admin, API, and Xaman responses are online-first and excluded from static caching.

Pilot and demo safety

The current pilot posture emphasizes no automatic money movement, no custody of funds, employer approval for settlement requests, and clear demo-mode warnings where applicable. Security controls may evolve before commercial rollout.

User responsibilities

Users are responsible for strong passwords, secure devices, accurate wallet destinations, trusted administrators, and prompt reporting of suspected unauthorized access. Wallet owners are responsible for reviewing any transaction before signing.