Compliance
We protect our clients and their customers by complying with a range of security frameworks. We maintain a robust controls environment that is tested annually by third-party assessors. Clients can request our audit reports below.

SOC 3
Public report covering trust services criteria

SOC 1 Type 2
Third-party attestation report covering financial controls, provided under NDA

SOC 2 Type 2
Third-party attestation report covering trust services criteria, provided under NDA
NYS 23 NYCRR 500 (NY DFS)
New York State Department of Financial Services cybersecurity requirements for financial services companies, 23 NYCRR Part 500 (referred to below as “Part 500” or “the Cybersecurity Regulation”).

Digital Operations Resilience Act (DORA)
Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector
Resources
Terms of Use
BitPay's Terms of Use.
Data Privacy
BitPay's Privacy Notice and details regarding personal information we collect and how we use it.
Responsible Disclosure (Bug Bounty)
Rules of engagement for conducting security research (i.e. vulnerability discovery) activities for participating in our Bug Bounty Program.
2025 Disaster Recovery Customer Memo
Annual DR Test Results
2026 Incident Exercise Customer Memo
Annual incident response exercise results
SOC 3 Report
A SOC 3 report is a public-facing compliance document that outlines how a company secures and manages its data.
SOC 2 Type II Report
Provides management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls covering the trust services criteria.
SOC 2 Report Bridge Letter
SOC 1 Type II Report
Provides the management’s description of a service organization’s system and the suitability of the design and operating effectiveness of financial controls.
SOC 1 Report Bridge Letter
Subprocessors

Ada Support Inc
Customer Support
Amazon Web Services, Inc.
Cloud Hosting Services

Braze, Inc.
Marketing Campaigns

Center Source
CDN and Platform Security Protections

Cloudflare, Inc.
Website Hosting Provider

Framer B.V.
Website Hosting Provider

Gleam.io
Loyalty & Rewards Provider

Mixpanel, Inc.
Product Analytics

Moody's Analytics, Inc.
AML Compliance Processes
