$3.05 billion in reported losses to business email compromise in 2025 (FBI IC3).See the numbers by country →

Who operates PayHQ

PayHQ is operated by FIT PUP LTD, a company registered in England & Wales (company no. 15766852, VAT GB469891911), registered with the ICO under ZC064795. We are a small team building toward a first pilot.

Governance, stated plainly

At our current size we do not run a 24×7 security operations centre; incident response runs through the engineering on-call rota. We have not yet appointed a formal Data Protection Officer — data-protection responsibility sits with the founding team and is reachable at [email protected]. We will appoint a DPO before we onboard production customers at scale.

Find your lane

Evaluating PayHQ for procurement

You want the short posture summary and the honest gaps.

Security Status

Filling in a vendor security questionnaire

You want our controls, mappings, and a downloadable self-assessment.

CAIQ self-assessment

Drafting or reviewing a DPA

You want our processor terms, sub-processors, and transfer position.

Data Processing Agreement

Auditing our supply chain

You want every third party that can touch data, and where it sits.

Sub-processors

Reporting a vulnerability

You want our disclosure policy, scope, and safe-harbour position.

Disclosure policy

Compliance posture at a glance

We use the exact word for each state. “Readiness” is not “certified”; “working toward” is not “compliant”. The Security Status page carries the control-by-control detail, and the Security Roadmap is the single register of what is not done.

FrameworkPositionStateNote
UK GDPR & DPA 2018Working towardPartialRegistered with the ICO (ZC064795). Processor by default on the main data path; DPA, Privacy Notice, and records of processing are being formalised.
EU GDPRIn scope for EU customersPartialApplies extraterritorially (Art. 3(2)) for EU customers such as the Swedish pilot; intended to be addressed via EU SCCs and the UK IDTA/Addendum. The EU controller → UK processor → US sub-processor transfer chain is still being confirmed with counsel before signing (see the DPA).
ISO/IEC 27001:2022Readiness, not certifiedPlannedReadiness work underway (gap assessment against the standard); not a completed or audited programme. Physical controls inherited from Hetzner. Not currently certified.
CSA CAIQ v4Self-assessmentPartialPublished per-domain self-assessment with a downloadable copy — not an audit.
SOC 2Not auditedPlannedGated on first US enterprise demand.
NIS2Not directly in scopeNot applicableWe are a UK entity and not an in-scope operator. These artefacts help EU customers discharge their own Art. 21(2)(d) supply-chain diligence about us.
PCI DSSNot applicableNot applicableWe process bank-account identifiers, never cardholder data.
PSD2 / FCA authorisationOut of scopeNot applicableNot a payment service provider; we never initiate, hold, or move funds.

Working with us

  • We will complete your security questionnaire — or point you at our CAIQ self-assessment if that is faster.
  • We sign a Data Processing Agreement; the template is published in full.
  • Everything here is public and un-gated, so your security, legal, and procurement teams work from the same source. Our working risk register (the public risk IDs map to it) and other internal detail are shared under NDA, and our formal ISMS documents — including the Statement of Applicability, still in progress — are shared as they mature.

Security: [email protected] · Privacy: [email protected] · General: [email protected]

Operated by FIT PUP LTD · Company no. 15766852 · ICO ZC064795

Last reviewed 2026-07-13 · Next review by 2026-10-13 · [email protected]