Your financial data, protected at every layer
Rappel handles sensitive business financial data, and we treat that responsibility as the foundation of the product — not an afterthought. Here is exactly what we do to protect it.
Memory-safe Rust backend
Our entire backend is written in Rust — a memory-safe language that eliminates whole classes of vulnerabilities common in other stacks: buffer overflows, use-after-free, and data races.
Data residency you control
Data is stored in the EU/US by default — file storage on Cloudflare R2 (EU/US) and analytics on PostHog's EU cloud — and enterprise customers can choose their database region (US, UK, EU, AU, IN, and more). Cross-region transfers are always encrypted in transit. Your data is never sold or shared with third parties.
Credential encryption
Third-party integration credentials — API keys, OAuth tokens, access tokens — are encrypted at rest using AES-256 before they ever touch the database. Never stored or logged in plaintext.
Encryption in transit
Every connection — browser to app, app to API, API to database and cache — uses TLS 1.2/1.3. HTTPS everywhere, with HTTP traffic redirected.
Hardened edge
The website and app are served from Vercel's global edge network with DDoS mitigation and CDN caching. Cloudflare Turnstile protects all public forms, and rate limiting guards every endpoint.
Monitoring & observability
Errors are tracked in Sentry, uptime is independently monitored with a public status page, and structured logging gives us full observability into the platform.
Incident response
72-hour breach notification
In line with GDPR requirements, if we confirm a data breach affecting your personal data, we will notify affected users within 72 hours of becoming aware of it — with what happened, what data was involved, and what we are doing about it. Where required, we also notify the relevant supervisory authorities, including the Data Protection Board of India under the DPDP Act 2023.
A note on third-party platforms
We secure everything on our side — but the security of the third-party platforms you connect (your store, payment processor, or accounting software) is managed by those providers under their own security programs. We are not responsible for incidents originating on platforms outside our control. We recommend enabling two-factor authentication on every connected platform.
Responsible disclosure
Found a vulnerability? Please report it to us privately before disclosing it publicly, with enough detail to reproduce the issue. We will acknowledge your report within 48 hours, keep you informed as we fix it, and aim to remediate critical issues within 7 days. We will never take legal action against good-faith security research.
security@rappelhq.com
Security questions & DPA requests
Questions about our security practices, or need a signed Data Processing Agreement for your compliance requirements? Get in touch — we respond within 2 business days.
privacy@rappelhq.com