· Security

Your financial data, protected at every layer

Rappel handles sensitive business financial data, and we treat that responsibility as the foundation of the product — not an afterthought. Here is exactly what we do to protect it.

Rust

Memory-safe Rust backend

Our entire backend is written in Rust — a memory-safe language that eliminates whole classes of vulnerabilities common in other stacks: buffer overflows, use-after-free, and data races.

GDPR

Data residency you control

Data is stored in the EU/US by default — file storage on Cloudflare R2 (EU/US) and analytics on PostHog's EU cloud — and enterprise customers can choose their database region (US, UK, EU, AU, IN, and more). Cross-region transfers are always encrypted in transit. Your data is never sold or shared with third parties.

AES-256

Credential encryption

Third-party integration credentials — API keys, OAuth tokens, access tokens — are encrypted at rest using AES-256 before they ever touch the database. Never stored or logged in plaintext.

TLS 1.2/1.3

Encryption in transit

Every connection — browser to app, app to API, API to database and cache — uses TLS 1.2/1.3. HTTPS everywhere, with HTTP traffic redirected.

Edge

Hardened edge

The website and app are served from Vercel's global edge network with DDoS mitigation and CDN caching. Cloudflare Turnstile protects all public forms and rate limiting guards every endpoint.

24/7

Monitoring & observability

Errors are tracked in Sentry, uptime is independently monitored with a public status page, and structured logging gives us full observability into the platform.

In detail

Our security practices

Infrastructure security

Website and app hosted on Vercel — global edge network, CDN, and DDoS mitigation by default; Cloudflare provides DNS and bot protection.
Backend API server and background workers run in Rust, hosted on Fly.io or Railway (EU region; the provider in use may vary over time).
Database: PostgreSQL via Supabase/Neon, EU/US by default (enterprise customers can choose a region: US, UK, EU, AU, IN, and more), access-controlled and network-restricted.
File storage: Cloudflare R2, EU/US. Cache and streams: Upstash Redis, encrypted in transit.
No database or cache is exposed directly to the public internet.

Data encryption

At rest: integration credentials (OAuth tokens, API keys) are encrypted with AES-256 before storage.
Business data (orders, transactions, journals) lives in access-controlled PostgreSQL protected by infrastructure-level security.
In transit: TLS 1.2/1.3 on every connection — external and service-to-service.

Access control & authentication

API authentication uses encrypted tokens; sessions are validated on every request.
Cloudflare Turnstile bot protection on all public forms.
Rate limiting on all endpoints to block brute-force and abuse.
The Rust backend eliminates memory-corruption vulnerability classes by construction.

Third-party integration security

Integrations — Shopify (incl. Shopify POS), Amazon, Walmart, WooCommerce, BigCommerce, Square, Squarespace, Stripe (incl. Stripe Connect and Terminal/POS), PayPal, Klarna, Adyen, Afterpay/Clearpay, QuickBooks Online, Xero, Zoho Books, Sage, Meta Ads, Google Ads, and TikTok Ads — connect only after your explicit authorization.
OAuth tokens and API keys are AES-256 encrypted immediately on receipt and never written to logs.
We request the minimum scopes each platform allows for the sync work you configure.
Disconnecting an integration revokes our access and deletes the stored credentials.

Operator access to data

Rappel is run by a single operator; no broad employee access exists.
Production access is limited to operating, supporting, and maintaining the service — never for any other purpose.
Customer business data is accessed for support only when needed to resolve your issue.
Your data is never sold, rented, or shared with third parties beyond the sub-processors that run the service.

Monitoring & incident response

Error monitoring via Sentry with alerting on anomalies.
Independent uptime monitoring and a public status page.
Structured logging and observability across the API and workers.
Documented incident response: contain, assess impact, remediate, notify.

Incident response

72-hour breach notification

In line with GDPR requirements, if we confirm a data breach affecting your personal data, we will notify affected users within 72 hours of becoming aware of it — with what happened, what data was involved, and what we are doing about it. Where required, we also notify the relevant supervisory authorities, including the Data Protection Board of India under the DPDP Act 2023.

Key facts

Backend languageRust (memory-safe)
Data residencyEU/US
Credential encryptionAES-256 at rest
Encryption in transitTLS 1.2/1.3
Bot protectionCloudflare Turnstile
Error monitoringSentry
Breach notificationWithin 72 hours
Last updatedJune 12, 2026

A note on third-party platforms

We secure everything on our side — but the security of the third-party platforms you connect (your store, payment processor, or accounting software) is managed by those providers under their own security programs. We are not responsible for incidents originating on platforms outside our control. We recommend enabling two-factor authentication on every connected platform.

Responsible disclosure

Found a vulnerability? Please report it to us privately before disclosing it publicly, with enough detail to reproduce the issue. We will acknowledge your report within 48 hours, keep you informed as we fix it, and aim to remediate critical issues within 7 days. We will never take legal action against good-faith security research.

security@rappelhq.com →

Security questions & DPA requests

Questions about our security practices, or need a signed Data Processing Agreement for your compliance requirements? Get in touch — we respond within 2 business days.

privacy@rappelhq.com →