SurePay & Security

Security and privacy have always been paramount at SurePay. Thus, SurePay is proud to be both GDPR and ISO 27001 compliant. We are regularly audited by authorised third parties whom are able to perform an ISAE 3402 type II audit against all 114 information security controls outlined in Annex A of ISO 27001.

Go to certifications


Key information on Security, Compliance, Privacy

Security Standard:

The security of data and the availability of SurePay services is always our top priority. This is why we are ISO 27001:2013 compliant. In addition a ISAE 3402 type II audit is executed at SUREPAY B.V. each year with regard to an Information Security Management System in accordance with the ISO/IEC 27001:2013 framework.

A successful audit has shown that we comply with all points of the information security requirements standard.

General Data Protection Regulation (GDPR):

SurePay takes utmost care to adhere to the GDPR (EU) and AVG (NL) principles. As a company which handles your data on a daily basis, the safety of your data and protection of your rights is one of SurePay’s top priorities. Therefore, SurePay commits itself and its affiliates to all applicable data protection.

The exercise of your rights is safeguarded by internal policies, and for information on which data we process and why, please check our Privacy Statement on this website.


Compliance & Security

What kind of data do you process?

In line with GDPR, SurePay processes personal data because this is necessary to perform the obligation that exists between you or us and a bank or organisation through an agreement. The data we process is called personal data. This entails data which is related directly or indirectly to your person. Examples of this are your name or IBAN (your account number). Data such as name records of a proprietorship, VOF (LLP or Limited Liability Partnership) or other partnerships is considered personal data.

How do you obtain my data?

We receive your data from banks and other companies (also considered as Data Providers) to perform the IBAN-Name Check, Switch Check or PayID service. This happens either every 24 to 48 hours or through a direct link with the database of the Data Provider. These Data Providers share your data with us based on the agreements that you made with them. If you want to know who your Data Provider is, you can always check with your bank. In most cases they are the Data Provider.

Do you process my data outside the EEA/UK?

No, SurePay does not process data outside of the EEA/UK. Our data processing centres located are in Dublin (IR) and Frankfurt (GE).

What if I want you to stop using my data?

SurePay has several reasons for processing your data, however, it is always possible to contact us in case of questions. We are happy to help and inform you on data processing. When necessary, we might refer you to your Data Provider so you can better control what data flows to SurePay.

How do you keep my data safe?

Any data processed in the solution is encrypted, adheres to the OWASP Application Security Verification Standard and can only be accessed by the name matching functionality itself. Throughout the design of the SurePay solution, the main principle has been “Security by Design".

Besides that, we do thorough third-party assessments with all our suppliers and partners ensuring a high level of security in the first instance.

I would like information on a specific transaction or Account Number

You can always contact us at [email protected] with questions regarding the exercise of your rights as a Data Subject. SurePay aims to help you with any requests for information, rectification or other requests regarding your data. In some cases, we might ask you to contact your Data Provider based on your request. For more information you can always check our Privacy Statement.

How will Brexit affect the provision of your Service in the UK?

In our article on Brexit, at ‘’Brexit, a new year but not a new service!’’ we explain in depth what the Brexit means for our UK Service provision.