Security
The honest picture, today.
We're a new company handling merchant and buyer data on behalf of stores selling cross-border. Here's what we do, what we don't, and what's on the roadmap — without the fluff.
Company information
Legal entity
Primalti LLC
Limited liability company, State of Delaware, USA
Owner: Reid Chris Eugene
Mailing address
506 S San Julian St, Apt 207
Los Angeles, CA 90013 · United States
General contact
hello@primalti.com
What we do today
- TLS everywhere. All traffic between your store and our app is encrypted in transit over TLS 1.2+.
- Encryption at rest. Databases and object storage are encrypted at rest using managed keys (AES-256) on our cloud provider.
- Least privilege. Internal access to production data is role-scoped, 2FA-required, and logged. No shared admin credentials.
- Isolated environments. Production, staging, and development are fully segregated. Merchant data doesn't leave production.
- Scoped store permissions. The Shopify app and WooCommerce plugin request only the scopes strictly needed to read your catalog and orders, run the cross-border checkout, and reconcile payouts. Card data never touches your store; tokenization happens at the checkout layer.
Compliance posture
- Merchant onboarding (KYB). Every brand that connects to Primalti goes through identity and beneficial-owner verification before activation — company registration, UBO ID, bank ownership and sanctions screening. No order flows through Primalti from a brand that hasn't cleared onboarding.
- Sanctions & AML screening. Buyers, billing addresses and counterparties are screened against the standard sanctions lists (OFAC, EU, UK, UN) on every order. Flagged orders are blocked at authorization, not after capture.
- Tax registration & remittance. VAT and sales-tax registration, calculation, filing and remittance run through established external tax compliance partners — not an in-house build — in every jurisdiction we cover. Primalti is the registered taxpayer.
- Card data & PCI. Card data is tokenized at our payments layer and never crosses our application servers or the connected store's servers. Primalti operates under PCI DSS SAQ A.
- Chargeback & dispute handling. Dispute evidence is assembled and submitted by Primalti, not by the connected brand. We track win rate by market and feed it back into our fraud rules.
What's in progress
- SOC 2 Type II — audit scoped, fieldwork underway.
- Public status page and uptime history.
- A dedicated trust center covering DPA, subprocessors, and retention schedules.
Reporting a vulnerability
If you think you've found a security issue, we want to know. Email security@primalti.com with reproduction steps and we'll respond within one business day. We don't run a bug bounty yet, but we credit responsible disclosures publicly once fixed.