PCI DSS — SAQ A attestation
Scope
Launderly is a hosted SaaS that never stores, processes, or transmits cardholder data on its own servers. All payment capture is delegated to Stripe via Stripe Elements (browser-side tokenisation) and Stripe Connect for merchant settlements.
SAQ A applicability
- Card-not-present, e-commerce-style merchant model.
- The full payment page / form is hosted by Stripe (a PCI DSS Level 1 service provider).
- Cardholder data flows through customers' browsers directly to Stripe — not through Launderly servers.
- We retain only Stripe's tokenised payment_intent_id + last-four/brand metadata.
Controls
- HTTPS everywhere with HSTS preload; TLS 1.2+ enforced.
- Quarterly external ASV scan by an Approved Scanning Vendor.
- Annual independent penetration test.
- Stripe AOC obtained annually; copy on file.
Signed SAQ A and ASV scan results available on request via your account manager.