Compliance · PCI Readiness
PCI Readiness & Payment Data Handling
Aurex is built so that cardholder data never enters our application, servers, or logs. This page documents the payment, hosting, storage, and access-control posture used across the site so partners and bulk buyers can move quickly through procurement and information-security reviews.
Last updated · 2026-05-02
PCI scope
- Aurex never touches raw card numbers. There is no PAN, no CVV, and no track data anywhere in our application code, database, or logs.
- The card rail (NMI Collect.js iframe, when activated) tokenizes the card in the customer's browser: the card fields are rendered inside an NMI-hosted iframe and submitted directly to NMI's PCI DSS Level 1 environment, so the PAN never transits Aurex's servers. Our backend only ever receives the resulting opaque vault token, which is what gets stored against the order.
- The crypto rail (BTCPay) settles on-chain. No card data is collected at any step — the customer pays a wallet address and the chain confirms.
- Zelle, ACH, and wire are bank-rail payments handled directly between the customer's bank and Aurex's bank. There is no card surface in this flow.
Hosting and transport
- The application runs on Next.js, deployed on Vercel's edge network.
- TLS 1.2 or higher is enforced on every connection. Older protocol versions are rejected at the edge.
- HSTS is set via Next.js response headers, so once a browser has received the header over HTTPS it refuses plaintext connections to the site for the policy's max-age. The very first visit relies on the TLS redirect at the edge unless the domain is on the browser preload list.
- Static assets and dynamic API responses are served through Vercel's CDN with cache rules scoped to non-sensitive content.
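The hosting bullets above describe the header policy in prose. The following `next.config.js` is an added example of how that policy is expressed in Next.js; it is not Aurex's own configuration, and the route patterns, the two-year max-age and the `no-store` rule for admin API responses are assumptions chosen to match the page's description (HSTS on every route, caching scoped to non-sensitive content).

```javascript
// next.config.js: added example of the header policy described above, not
// Aurex's own configuration. Route patterns and max-age values are assumptions.
const ONE_YEAR_SECONDS = 60 * 60 * 24 * 365;

// Strict-Transport-Security for every route. Two years exceeds the one-year
// minimum the browser preload list requires; includeSubDomains extends the
// policy to every subdomain so no plaintext subdomain remains.
function hstsHeader() {
  return {
    key: 'Strict-Transport-Security',
    value: `max-age=${2 * ONE_YEAR_SECONDS}; includeSubDomains; preload`,
  };
}

// Admin API responses carry order data and must never be cached at the edge
// or shared across users. Assumed to live under /api/admin/.
function noStoreHeaders() {
  return [{ key: 'Cache-Control', value: 'private, no-store' }];
}

const nextConfig = {
  async headers() {
    return [
      { source: '/(.*)', headers: [hstsHeader()] },
      { source: '/api/admin/:path*', headers: noStoreHeaders() },
    ];
  },
};

module.exports = nextConfig;
```

The `preload` directive is only meaningful once the domain has actually been submitted to the preload list; until then first-visit protection still depends on the edge redirect.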
Storage
- Order records are persisted to Upstash Redis (US region).
- Gift-card balances are stored in the same Redis instance, keyed by gift-card identifier.
- Cart contents live in the customer's localStorage. Visitors who have not provided an email do not have a server-side cart at all.
- We never store card numbers, CVV values, PANs, magnetic-stripe data, or any cardholder data. Period.
Access control
- Every /admin/* route is gated by an HMAC-signed cookie tied to the server-side ADMIN_TOKEN secret. Requests without a valid signature are rejected before any handler runs.
- Public read APIs are intentionally CORS-open. They expose only catalog, batch, and content data: no PII, no order data, no payment data.
Audit trail
- Every order is added to the Redis orders:index set at write time. Application code only ever adds to this set, so it serves as an append-only record of every order written. Note that a plain Redis set is unordered and can be altered by anyone holding the database write credential, so the record is append-only by convention rather than an ordered, tamper-evident log.
- A CSV export of the order log is available to authenticated administrators at /api/admin/orders/export for finance reconciliation and audit response.
- Cart-recovery URLs carry a 24-byte HMAC token derived from the customer email and ADMIN_TOKEN, so links cannot be forged or guessed by anyone who does not hold the secret.
Customer obligations
All purchases remain bound by Aurex's research-use-only policy. Buyers must be at least 21 years of age and acquiring compounds strictly for in-vitro laboratory research. See /compliance/research-use-only for the full attestation.