Infrastructure
- Hosted on SOC 2 Type II certified infrastructure (Vercel + Neon).
- All data encrypted at rest using AES-256.
- All connections secured with TLS 1.3 — no unencrypted traffic accepted.
- Database connections use connection pooling with SSL enforcement.
- Automated daily backups with geo-redundant storage.
Application Security
- Authentication via NextAuth with bcrypt password hashing (12 rounds).
- CSRF protection on all state-changing operations.
- Rate limiting via Upstash Redis on sensitive endpoints.
- Input validation with Zod schemas on all API boundaries.
- Webhook signature verification (HMAC-SHA256) for all inbound integrations.
- Device authentication using cryptographically random provisioning keys.
Hardware Security
- On-device receipt parsing — raw data never leaves the adapter unnecessarily.
- NFC handover uses unique, time-limited claim tokens.
- Hardware devices authenticate with per-device API keys.
- Firmware updates are signed and verified before installation.
Access Control
- Principle of least privilege for all internal systems.
- Multi-factor authentication required for infrastructure access.
- Audit logging on all administrative actions.
- Regular access reviews and credential rotation.
Monitoring & Response
- Real-time error monitoring via Sentry.
- Automated alerting on anomalous traffic patterns.
- Documented incident response plan with defined roles.
- 72-hour breach notification commitment.
Responsible Disclosure
If you discover a security vulnerability, please report it responsibly to security@receiptiles.com. We ask that you:
- Do not publicly disclose the vulnerability before we have addressed it.
- Provide sufficient detail for us to reproduce the issue.
- Allow reasonable time for us to remediate (typically 90 days).
We do not pursue legal action against good-faith security researchers.