Security & PDPA

Your data is safe with OneMember

Security and privacy are not features — they are the foundation. Built PDPA-compliant from day one.

PDPA Compliance

OneMember is designed to comply with Thailand's Personal Data Protection Act. Consent is captured at member enrolment. Members can request data access or deletion at any time.

Data Encryption

All data is encrypted in transit (TLS 1.2+) and at rest. Passwords are hashed using bcrypt. No plain-text credentials are ever stored.

Email Verification

All merchant accounts require verified email addresses before access is granted. This prevents fraudulent account creation.

Multi-Tenant Isolation

Every merchant's data is strictly isolated. No cross-merchant data leakage is architecturally possible. All resource access is authorised at the query level.
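The query-level authorisation described above, shown as an added illustration that is not OneMember's own code: every repository method binds the merchant id taken from the authenticated session into the SQL itself, so a member id that belongs to another merchant simply does not match. The schema and rows are constructed for the example.

```python
import sqlite3
from typing import Optional

# Constructed schema and sample data (hypothetical, not OneMember's actual tables)
SCHEMA = """
CREATE TABLE members (
    id INTEGER PRIMARY KEY,
    merchant_id INTEGER NOT NULL,
    email TEXT NOT NULL
);
"""
SAMPLE_ROWS = [(1, 100, "a@example.com"), (2, 100, "b@example.com"), (3, 200, "c@example.com")]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


class MemberRepository:
    """Tenant-scoped data access: merchant_id comes from the authenticated
    session, never from request parameters, and is part of every WHERE clause."""

    def __init__(self, conn: sqlite3.Connection, merchant_id: int):
        self._conn = conn
        self._merchant_id = merchant_id

    def get_member(self, member_id: int) -> Optional[tuple]:
        # A member id from another merchant returns None rather than leaking the row
        return self._conn.execute(
            "SELECT id, merchant_id, email FROM members WHERE id = ? AND merchant_id = ?",
            (member_id, self._merchant_id),
        ).fetchone()

    def list_members(self) -> list:
        return self._conn.execute(
            "SELECT id, merchant_id, email FROM members WHERE merchant_id = ? ORDER BY id",
            (self._merchant_id,),
        ).fetchall()

    def delete_member(self, member_id: int) -> int:
        # PDPA deletion request: scoped the same way, so rowcount is 0 across tenants
        cur = self._conn.execute(
            "DELETE FROM members WHERE id = ? AND merchant_id = ?", (member_id, self._merchant_id)
        )
        self._conn.commit()
        return cur.rowcount


def demo() -> dict:
    conn = open_db()
    repo_a, repo_b = MemberRepository(conn, 100), MemberRepository(conn, 200)
    return {
        "a_sees_own": repo_a.get_member(1) is not None,
        "a_sees_other": repo_a.get_member(3) is not None,
        "b_deletes_other": repo_b.delete_member(1),
        "a_count": len(repo_a.list_members()),
    }
```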

Secure Payments

Billing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. OneMember never stores card numbers.

No Developer Tools in Production

Debug tools and developer routes are completely disabled in production. Multiple gates prevent accidental exposure.

PDPA — Thailand Personal Data Protection Act

OneMember is built to comply with the PDPA (พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562). Key protections:

  • Explicit consent is obtained from every member at enrolment
  • Members can access their own data via their QR card portal
  • Merchants can process member data deletion requests from the dashboard
  • Data is processed only for the purpose stated at enrolment (loyalty programme operation)
  • Data is not sold or shared with third parties
  • Breach notification procedures are documented internally

PDPA compliant since launch

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a security issue in OneMember, please report it responsibly.

What to report

  • Authentication or authorisation bypasses
  • Cross-tenant data access
  • SQL injection or XSS vulnerabilities
  • Sensitive data exposure

How to report

Email us at security@onemember.co

We will acknowledge your report within 48 hours and aim to resolve critical issues within 7 days. We do not currently run a bug bounty programme, but we will publicly credit responsible disclosures if the reporter wishes.

Questions about security or privacy?

Our team is happy to answer security questions or discuss data processing agreements for enterprise customers.