Payment Security Statement | 3DMoose

Payment Security Overview
Enstitü OÜ (doing business as “3DMoose”) (the “Company”), a global provider of digital products, software, and services, is committed to protecting the confidentiality, integrity, and availability of all payment data processed through its Site. In order to uphold the highest standards of security and regulatory compliance, the Company has implemented a comprehensive payment security framework that aligns with applicable international, regional, and local laws, regulations, and industry standards, including but not limited to the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR) for the European Economic Area, the California Consumer Privacy Act (CCPA), the UK Data Protection Act 2018, the Singapore Personal Data Protection Act (PDPA), and any other pertinent data protection and privacy legislation in jurisdictions where the Company operates or where its customers reside. The Company’s payment security measures apply to all cardholder data, personal data, transaction records, and any related information processed, stored, or transmitted in connection with the purchase of goods and services.

Payment Processing and Encryption
All payment transactions on the Company’s Site are routed through Stripe, Inc., a leading global payment processor, or such other industry-leading payment service providers (“PSPs”) as may be designated by the Company from time to time. At no point does the Company directly store raw payment card details, PINs, or sensitive authentication data on its own servers. Instead, payment card data is encrypted end-to-end, employing Transport Layer Security (TLS) version 1.2 or higher to protect data in transit and AES-256 encryption to secure any minimal, tokenized data at rest. This dual-layer encryption approach ensures that payment data remains unintelligible to unauthorized parties during transit between the User’s device, the Company’s web servers, and the PSP’s systems, and also while tokenized information is temporarily retained for transaction reconciliation and refund processing.

PCI DSS Compliance and Validation
The Company maintains continued compliance with PCI DSS requirements at the Level 1 merchant standard, the most rigorous level of certification, which mandates annual on-site assessments by a Qualified Security Assessor (QSA) and quarterly network vulnerability scans conducted by an Approved Scanning Vendor (ASV). All systems within the Company’s cardholder data environment (CDE) are subject to strict segmentation controls, multi-factor authentication for administrative access, secure configuration baselines, and continuous monitoring for unauthorized access or configuration drift. The Company makes its most recent Attestation of Compliance (AOC) available upon request to corporate or enterprise customers, partners, or regulatory authorities.

Strong Customer Authentication (SCA) and PSD2
For transactions originating in the European Economic Area, the Company applies Strong Customer Authentication (SCA) in accordance with the Revised Payment Services Directive (PSD2). SCA requires two or more independent authentication factors drawn from the categories of knowledge (e.g., password or PIN), possession (e.g., mobile device or secure token), and inherence (e.g., biometric data such as fingerprint or facial recognition). The Company’s PSP integrations support 3-D Secure 2.0 (3DS2) for robust, friction-minimized authentication flows and fallbacks, and apply SCA exemptions only where permissible under PSD2.

Data Minimization and Tokenization
In accordance with the principle of data minimization, the Company only collects and processes the minimum necessary payment information required to complete a transaction, perform reconciliation, or comply with legal obligations. Raw card details are immediately exchanged for a unique, non-reversible token by the PSP, which the Company may use for subsequent authorized transactions such as refunds, partial captures, or recurring billing under subscription agreements. These tokens, which bear no resemblance to actual card data, are encrypted and stored in restricted vault environments governed by the PSP to mitigate the risk of data breaches.

Global Data Protection and Privacy
The Company’s payment security processes are integrated with its broader data protection and privacy framework. Personal data associated with payment transactions—such as name, billing address, email address, and transaction history—is processed in accordance with the GDPR for EEA residents, the UK GDPR post-Brexit, the CCPA for California residents, and analogous laws in other jurisdictions. Users are informed of the Company’s data processing activities through a transparent Privacy Policy that details the legal basis for processing, data retention periods, and the exercise of data subject rights including access, rectification, erasure, and objection. Cross-border transfers of payment-related personal data are conducted under appropriate safeguards, such as Standard Contractual Clauses (SCCs) or adequacy decisions recognized by the European Commission.

Monitoring, Logging, and Incident Response
The Company employs a Security Information and Event Management (SIEM) solution that aggregates and correlates logs from web servers, application servers, firewalls, intrusion detection/prevention systems (IDS/IPS), and endpoint security agents. All payment-related events—including authorization attempts, declines, chargebacks, and refund transactions—are logged with immutable timestamps and unique request identifiers. The Company’s Incident Response Plan (IRP) is aligned with the ISO/IEC 27035 standard and outlines procedures for triage, containment, eradication, recovery, and post-incident analysis. In the event of a confirmed data breach impacting payment data, the Company will notify affected individuals, the relevant data protection authority, and any other required regulators within applicable statutory timeframes (e.g., within 72 hours under GDPR).

Vendor Management and Third-Party Assurance
The Company conducts due diligence before engaging any third-party vendor that may process or store payment data. Such due diligence includes review of the vendor’s SSAE 18 / SOC 2 Type II reports, their PCI DSS AOC (where applicable), security policies, and data protection certifications. Vendors are contractually bound by Data Processing Agreements (DPAs) that impose strict confidentiality, data handling, and breach notification obligations. The Company also conducts periodic third-party risk assessments and on-site audits, where warranted, to ensure ongoing compliance with the Company’s security requirements.

Training and Awareness
The Company requires all employees, contractors, and temporary staff who have access to payment processing systems or sensitive data to undergo mandatory security awareness training at least annually. Training modules cover topics such as phishing prevention, secure coding practices, incident reporting, and data privacy obligations. The Company also maintains a formal Acceptable Use Policy (AUP) and a Code of Conduct that govern employee behavior with respect to information security and data protection.

Continuous Improvement and Assurance
Recognizing that security threats evolve rapidly, the Company commits to continuous improvement of its payment security posture. This includes regular internal audits, vulnerability assessments, penetration testing by accredited third-party firms, and participation in bug bounty programs. The Company tracks key performance indicators (KPIs) related to payment fraud rates, declined authorization ratios, and incident resolution times, and presents aggregated results to its Board of Directors and Audit Committee on a quarterly basis.

Legal and Regulatory Compliance
The Company’s payment security measures are designed to comply with all applicable legal and regulatory requirements, including but not limited to the USA Patriot Act, Bank Secrecy Act (BSA), Anti-Money Laundering (AML) Regulations, Combating the Financing of Terrorism (CFT) statutes, and any local currency control or sanctions laws enforced by competent authorities worldwide. The Company maintains policies and procedures for Know Your Customer (KYC) verification and ongoing screening against sanctions lists maintained by the Office of Foreign Assets Control (OFAC), the United Nations Security Council, and regional bodies.

Governing Law and Dispute Resolution
These Payment Security provisions shall be governed by and construed in accordance with the laws of the Republic of Estonia, without regard to its conflict of law principles. Any dispute arising out of or relating to payment security shall be resolved exclusively by the competent courts of Tallinn, Estonia, unless mandatory local consumer protection or financial services laws require alternative dispute resolution procedures.

Contact and Reporting
For inquiries regarding payment security, to report suspected vulnerabilities, or to obtain the Company’s latest security certifications and audit reports, please contact:
Enstitü OÜ (d/b/a 3DMoose)
Tartu maantee 67/1-13B, 10115 Tallinn, Estonia
Phone: +372 609 4167
Registration Code: 14850305
VAT Number: EE102444771
Email: support@3dmoose.com