← Back to Home

Security

Last updated: May 23, 2026

Infrastructure

  • Hosted on SOC 2 Type II certified infrastructure (Vercel + Neon).
  • All data encrypted at rest using AES-256.
  • All connections secured with TLS 1.3 — no unencrypted traffic accepted.
  • Database connections use connection pooling with SSL enforcement.
  • Automated daily backups with geo-redundant storage.

Application Security

  • Authentication via NextAuth with bcrypt password hashing (12 rounds).
  • CSRF protection on all state-changing operations.
  • Rate limiting via Upstash Redis on sensitive endpoints.
  • Input validation with Zod schemas on all API boundaries.
  • Webhook signature verification (HMAC-SHA256) for all inbound integrations.
  • Device authentication using cryptographically random provisioning keys.

Hardware Security

  • On-device receipt parsing — raw data never leaves the adapter unnecessarily.
  • NFC handover uses unique, time-limited claim tokens.
  • Hardware devices authenticate with per-device API keys.
  • Firmware updates are signed and verified before installation.

Access Control

  • Principle of least privilege for all internal systems.
  • Multi-factor authentication required for infrastructure access.
  • Audit logging on all administrative actions.
  • Regular access reviews and credential rotation.

Monitoring & Response

  • Real-time error monitoring via Sentry.
  • Automated alerting on anomalous traffic patterns.
  • Documented incident response plan with defined roles.
  • 72-hour breach notification commitment.

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly to security@receiptiles.com. We ask that you:

  • Do not publicly disclose the vulnerability before we have addressed it.
  • Provide sufficient detail for us to reproduce the issue.
  • Allow reasonable time for us to remediate (typically 90 days).

We do not pursue legal action against good-faith security researchers.

Security — KreditWiz · KreditWiz