Security at Receipto

How we protect your data

Last Updated: May 2026

1. Our Security Approach

Receipto is built to handle sensitive financial data — receipts, expense reports, and business transaction records. We take security seriously at every layer of the stack.

This page describes the technical and organizational measures we implement to protect your data.


2. Data Encryption

In Transit

All data transmitted between your device and Receipto is encrypted using TLS 1.3. We enforce HTTPS on all endpoints. HTTP requests are automatically redirected to HTTPS.

At Rest

All data stored in our database (Supabase) is encrypted at rest using AES-256. Receipt images stored in Cloudflare R2 are encrypted at rest using Cloudflare's managed encryption keys.


3. Authentication & Access Control

User Authentication

  • Receipto uses Supabase Auth for user authentication, which supports email/password and magic link (passwordless) login.
  • Passwords are hashed using bcrypt and are never stored in plaintext.
  • Sessions are managed via short-lived JWTs.

Row-Level Security

  • Our database enforces Row-Level Security (RLS) on all tables. Users can only read and write their own data. Team members can only access data within their organization.
  • Even if an API endpoint had a bug, RLS provides a second layer of isolation at the database level.

Production Access

  • Access to production systems is restricted to authorized personnel only.
  • Two-factor authentication (2FA) is required for all production access.
  • No employee has standing access to read customer receipt data. Access is audited.

4. Infrastructure

Component      Provider                Notes
Database       Supabase (PostgreSQL)   US-West region, encrypted at rest, automated backups
File Storage   Cloudflare R2           Receipt images, encrypted at rest, no public access
Web Hosting    Vercel                  Edge network, automatic HTTPS, DDoS protection
Mobile App     Apple App Store         Distributed via Apple's signed binary infrastructure

5. Third-Party Security

We evaluate the security posture of every third-party service we use. All sub-processors are listed in our DPA.

Key third-party security certifications relevant to Receipto:

  • Supabase: SOC 2 Type II (in progress)
  • Stripe: PCI-DSS Level 1 (web payments)
  • Cloudflare: ISO 27001, SOC 2 Type II
  • Vercel: SOC 2 Type II

AI Processing: Receipt data sent to OpenAI for extraction is processed via the enterprise API. We have explicitly opted out of training data usage. Receipt data is not retained by OpenAI beyond the processing request.


6. Application Security

Input Validation

All user inputs are validated and sanitized server-side. We use parameterized queries throughout — SQL injection is not possible via our API layer.
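As an added illustration of what "parameterized queries" means at the database boundary (example code, not Receipto's own API layer; table and column names are assumptions), the same lookup is written below twice in PostgreSQL dynamic SQL: once with the caller's text spliced into the statement, once with the values bound as parameters.

```sql
-- Added example, not Receipto's code. A hypothetical receipts table and
-- two PL/pgSQL functions that look up a user's receipts by merchant name.

create table receipts (
  id       uuid primary key default gen_random_uuid(),
  user_id  uuid not null,
  merchant text not null
);

-- Vulnerable form: the caller's merchant string is concatenated into the
-- statement text, so the database parses it as SQL. A value containing a
-- quote character terminates the literal early and the rest of the string
-- becomes part of the query, which can alter or drop the user_id filter.
create or replace function receipts_by_merchant_unsafe(p_user uuid, p_merchant text)
returns setof receipts
language plpgsql as $$
begin
  return query execute
    'select * from receipts where user_id = ''' || p_user::text
    || ''' and merchant = ''' || p_merchant || '''';
end $$;

-- Hardened form: the statement text is a fixed string with placeholders and
-- the values travel separately through USING. The merchant text is handed
-- to the executor as a typed value and can never change the query's shape.
create or replace function receipts_by_merchant(p_user uuid, p_merchant text)
returns setof receipts
language plpgsql as $$
begin
  return query execute
    'select * from receipts where user_id = $1 and merchant = $2'
    using p_user, p_merchant;
end $$;

-- The same separation expressed as a server-side prepared statement, which
-- is what client drivers do under the hood when given bound parameters.
prepare receipts_by_merchant_stmt(uuid, text) as
  select * from receipts where user_id = $1 and merchant = $2;

-- Constructed sample call: the user id and merchant name are placeholders.
execute receipts_by_merchant_stmt('00000000-0000-0000-0000-000000000001', 'Coffee Co.');
```

The point of the contrast is that in the hardened form there is no string the caller controls that the parser ever sees, so escaping becomes unnecessary rather than something to get right on every code path. Input validation still matters for business rules (length, format, allowed values), but it is not what prevents injection here.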

Session Replay Masking

We use UXCam for session replay to improve the app experience. All text input fields are automatically masked. Financial values on receipts are not captured. See our Privacy Policy for details.

Dependency Management

We regularly update dependencies to address known vulnerabilities. Critical security patches are applied within 24-48 hours of disclosure.


7. Data Isolation (Team Accounts)

For B2B customers using Receipto's team workspace features:

  • Each organization's data is logically isolated at the database level via Row-Level Security.
  • Team members can only see receipts and data within their own organization.
  • Only Owners and Admins can invite members or change roles.
  • Suspended members lose access immediately upon suspension.
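The isolation described in section 3 (Row-Level Security) and in the team-account rules above maps directly onto PostgreSQL RLS policies. The following is an added example of how such policies are written on a Supabase project; it is not Receipto's actual schema or policy set. Table names, column names and the helper functions are assumptions; auth.uid() is Supabase's built-in function that returns the user id from the caller's JWT, and authenticated is Supabase's role for signed-in users.

```sql
-- Added example, not Receipto's schema. Shows per-user and per-organization
-- isolation, admin-only membership changes, and immediate loss of access on
-- suspension, all enforced by the database regardless of the API code.

create table org_members (
  org_id  uuid not null,
  user_id uuid not null,
  role    text not null check (role in ('owner', 'admin', 'member')),
  status  text not null default 'active'
          check (status in ('active', 'suspended')),
  primary key (org_id, user_id)
);

create table receipts (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null,          -- the user who uploaded the receipt
  org_id      uuid,                   -- null for a personal receipt
  merchant    text,
  total_cents integer
);

-- Helper predicates. They are SECURITY DEFINER so they can read org_members
-- without being subject to that table's own policies (a policy that queries
-- the table it protects recurses). STABLE lets the planner cache the result
-- within a statement. Both are assumed names, not Supabase built-ins.
create or replace function is_active_member(p_org uuid)
returns boolean language sql stable security definer
set search_path = public as $$
  select exists (
    select 1 from org_members
    where org_id = p_org and user_id = auth.uid() and status = 'active'
  );
$$;

create or replace function is_org_admin(p_org uuid)
returns boolean language sql stable security definer
set search_path = public as $$
  select exists (
    select 1 from org_members
    where org_id = p_org and user_id = auth.uid()
      and status = 'active' and role in ('owner', 'admin')
  );
$$;

-- Once RLS is enabled, a query with no matching policy returns no rows and
-- writes are rejected: the default is deny. FORCE applies the policies to
-- the table owner as well, so a bug in privileged code cannot sidestep them.
alter table receipts enable row level security;
alter table receipts force row level security;
alter table org_members enable row level security;

-- Personal data: a user reads and writes only rows they own.
create policy receipts_own on receipts
  for all to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- Team data: active members can read every receipt in their organization.
-- A suspended member fails is_active_member(), so access ends immediately
-- without any session or token having to be revoked.
create policy receipts_org_read on receipts
  for select to authenticated
  using (org_id is not null and is_active_member(org_id));

-- Members may upload into an organization they belong to, but only as
-- themselves; the WITH CHECK clause is evaluated on the row being written.
create policy receipts_org_insert on receipts
  for insert to authenticated
  with check (user_id = auth.uid() and is_active_member(org_id));

-- Anyone active in an organization can see who else belongs to it...
create policy members_read on org_members
  for select to authenticated
  using (is_active_member(org_id));

-- ...but only Owners and Admins can invite, change roles or suspend.
-- Creating a new organization (inserting its first owner row) would be done
-- by a trusted server-side function and is omitted here.
create policy members_admin_write on org_members
  for all to authenticated
  using (is_org_admin(org_id))
  with check (is_org_admin(org_id));
```

Two properties are worth checking when reviewing policies like these: every table that holds customer data has RLS enabled (a table without it is fully readable by any authenticated client through the auto-generated API), and every policy's predicate is anchored on auth.uid() or a helper derived from it rather than on a value the client supplies in the request.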

8. Breach Response

In the event of a confirmed data breach affecting customer data:

  • We will notify affected customers within 72 hours of becoming aware of the breach.
  • We will provide details on what data was affected, the scope of the breach, and steps we are taking.
  • We will notify relevant data protection authorities where required by law (GDPR Article 33).

For business customers with a signed DPA, breach notification procedures are governed by the DPA terms.


9. Vulnerability Reporting

If you discover a security vulnerability in Receipto, please report it responsibly:

Email: support@receipto.app

Subject line: [Security] Vulnerability Report

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact

We will acknowledge your report within 48 hours and work to resolve confirmed issues promptly. We do not have a formal bug bounty program at this time, but we appreciate responsible disclosure.


10. Compliance

Framework                     Status
GDPR (EU/EEA)                 Compliant — see Privacy Policy and DPA
CCPA (California)             Compliant — we do not sell personal data
Apple App Store Guidelines    Compliant — App Privacy declarations filed
PCI-DSS                       Compliant via Stripe (web) and Apple (iOS) — we never handle raw card data
COPPA                         Compliant — app not directed to children under 13

Contact

Security questions: support@receipto.app

Data processing: receipto.app/dpa

Privacy policy: receipto.app/privacy

AppWrapp, LLC

651 N Broad St, Suite 201

Middletown, DE 19707

United States