Security at Reapdat
We take the security of your data seriously. This page outlines the technical measures, compliance standards, and practices we use to protect your information.
Security Features
Encryption at Rest
All sensitive data is encrypted before storage. CRM credentials and OAuth tokens are protected with Fernet symmetric encryption (AES-128 in CBC mode with an HMAC-SHA256 integrity tag). Database fields containing PII are protected with AES-256.
JWT Authentication
Sessions use HS256-signed JSON Web Tokens with a 4-hour expiry. Tokens are delivered in HttpOnly, Secure, SameSite=Lax cookies, so page scripts cannot read them (limiting the impact of XSS) and cross-site requests do not carry them (limiting CSRF).
SSRF Protection
All outbound requests are validated against a strict allowlist. Private IP ranges, localhost, and non-HTTP(S) schemes are blocked to prevent server-side request forgery.
Rate Limiting
Rate limiting is applied in several layers: at nginx (100/50/30 req/s depending on endpoint type), in application middleware (1,000 req/min per IP), and for login specifically (5 attempts per 15 minutes per email+IP combination).
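The application-layer limits above can be expressed with one sliding-window counter keyed differently per layer. This added example (not Reapdat's code) implements that counter with an injectable clock and applies it twice: 1,000 requests per minute per IP, and 5 failed logins per 15 minutes per email+IP, where a successful login clears the counter. The emails and IPs are constructed sample values.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Hashable


class SlidingWindowLimiter:
    """Allow at most `limit` recorded events per key within the trailing window."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._events: Dict[Hashable, Deque[float]] = defaultdict(deque)

    def _prune(self, key: Hashable, now: float) -> Deque[float]:
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop events that have aged out of the window
        return q

    def allowed(self, key: Hashable, now: float) -> bool:
        return len(self._prune(key, now)) < self.limit

    def record(self, key: Hashable, now: float) -> None:
        self._prune(key, now).append(now)

    def reset(self, key: Hashable) -> None:
        self._events.pop(key, None)


# Per-IP limit for the application middleware layer.
per_ip_limiter = SlidingWindowLimiter(limit=1000, window_seconds=60)
# Login-specific limit: 5 failed attempts per 15 minutes per email+IP.
login_limiter = SlidingWindowLimiter(limit=5, window_seconds=15 * 60)


def login_key(email: str, ip: str) -> tuple:
    # Normalise the email so case variants share one counter.
    return (email.strip().lower(), ip)


def attempt_login(limiter: SlidingWindowLimiter, email: str, ip: str,
                  password_ok: bool, now: float) -> str:
    """Return 'locked', 'failed' or 'ok'; only failures count against the limit."""
    key = login_key(email, ip)
    if not limiter.allowed(key, now):
        return "locked"
    if not password_ok:
        limiter.record(key, now)
        return "failed"
    limiter.reset(key)
    return "ok"


if __name__ == "__main__":
    for i in range(6):
        print(i + 1, attempt_login(login_limiter, "alice@example.com", "203.0.113.7", False, now=1000 + i))
```

Counting only failures (rather than every attempt) means a legitimate user who remembers the password is never locked out by their own successful logins, while a password-guessing source is stopped after the fifth miss.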
Audit Logging
Every security-relevant action is logged to an immutable audit trail: logins, API key creation, data exports, configuration changes, and admin actions. Logs are retained for 24 months.
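As an added example of what an immutable audit trail can mean at the application level (this is illustrative code, not Reapdat's implementation), each entry below carries the hash of the previous entry, so editing or deleting any record breaks the chain at that point and a verification pass reports the first bad sequence number. Actors, actions and timestamps are constructed sample values.

```python
import hashlib
import json
import time
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # "previous hash" of the first entry


def _entry_hash(entry: Dict[str, Any]) -> str:
    """SHA-256 over a canonical JSON form of the entry without its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditTrail:
    """Append-only, hash-chained list of security events."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []
        self._prev = GENESIS

    def append(self, actor: str, action: str, details: Dict[str, Any],
               ts: Optional[float] = None) -> Dict[str, Any]:
        entry = {
            "seq": len(self.entries),
            "ts": time.time() if ts is None else ts,
            "actor": actor,
            "action": action,   # e.g. login, api_key.create, data.export, config.change
            "details": details,
            "prev": self._prev,
        }
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        self._prev = entry["hash"]
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if the chain is intact, else (False, first bad seq)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry.get("seq") != i or entry.get("prev") != prev:
                return False, i
            if _entry_hash(entry) != entry.get("hash"):
                return False, i
            prev = entry["hash"]
        return True, None


if __name__ == "__main__":
    trail = AuditTrail()
    trail.append("alice", "login", {"ip": "203.0.113.7"})
    trail.append("alice", "api_key.create", {"key_id": "k_example"})
    print(trail.verify())
```

The chain detects tampering but does not by itself prevent it; the final link is to store the log on write-once media or periodically anchor the latest hash somewhere the application host cannot overwrite, which is also what lets a 24-month retention window be audited.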
Input Validation
All user input is validated and sanitized at the API boundary. File uploads are verified by magic bytes (not just extension). SVG files are sanitized to remove embedded scripts.
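The upload checks above, as an added stand-alone example that is not Reapdat's code: the declared extension is mapped to an expected type, the content is identified from its leading bytes rather than from the filename, and SVG uploads are parsed and stripped of script elements, event-handler attributes and script-scheme links before being accepted. The signature table and the sample files are constructed for the example; the SVG cleaning uses the standard-library XML parser and assumes the input is the file contents already read into memory.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Leading byte signatures for the types accepted here (constructed subset).
MAGIC_BYTES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/pdf": (b"%PDF-",),
}
EXTENSION_TYPES = {
    "png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
    "gif": "image/gif", "pdf": "application/pdf", "svg": "image/svg+xml",
}
SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)
DANGEROUS_TAGS = {"script", "foreignobject"}
DANGEROUS_URL_PREFIXES = ("javascript:", "vbscript:", "data:text/html")


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the content type from the bytes, ignoring the filename entirely."""
    for mime, signatures in MAGIC_BYTES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    head = data.lstrip()[:256].lower()
    if head.startswith(b"<svg") or (head.startswith(b"<?xml") and b"<svg" in head):
        return "image/svg+xml"
    return None


def _local_name(qualified: str) -> str:
    return qualified.rsplit("}", 1)[-1].lower()


def sanitize_svg(data: bytes) -> bytes:
    """Remove scripting vectors from an SVG document and re-serialise it."""
    root = ET.fromstring(data)
    for parent in list(root.iter()):
        for child in list(parent):
            if _local_name(child.tag) in DANGEROUS_TAGS:
                parent.remove(child)
    for element in root.iter():
        for attr in list(element.attrib):
            value = element.attrib[attr].strip().lower()
            if _local_name(attr).startswith("on") or value.startswith(DANGEROUS_URL_PREFIXES):
                del element.attrib[attr]
    return ET.tostring(root, encoding="utf-8")


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str, bytes]:
    """Return (accepted, type-or-reason, bytes to store)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXTENSION_TYPES.get(ext)
    if expected is None:
        return False, "extension not allowed", b""
    actual = sniff_type(data)
    if actual != expected:
        return False, f"content looks like {actual or 'unknown'}, not {expected}", b""
    if actual == "image/svg+xml":
        try:
            data = sanitize_svg(data)
        except ET.ParseError:
            return False, "malformed SVG", b""
    return True, actual, data


if __name__ == "__main__":
    print(validate_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
    print(validate_upload("photo.png", b"GIF89a" + b"\x00" * 8))
```

Because the decision is based on the bytes, renaming a file does not change what it is treated as; and because the SVG is re-serialised from the parsed tree rather than edited with regular expressions, obfuscated markup that the parser reads one way cannot be read another way by the browser.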
Compliance
SOC 2 Ready
Our infrastructure and processes are designed to meet SOC 2 Type II requirements for security, availability, and confidentiality.
GDPR Compliant
Full GDPR compliance, including data subject rights, data portability and the right to erasure; Data Processing Agreements are available on request.
VAPT Audited
We commission regular Vulnerability Assessment and Penetration Testing (VAPT). Our most recent audit resolved 23 findings across all severity levels.
Authentication Details
Infrastructure Security
Our production environment runs on isolated Docker containers with strict resource limits. The database (PostgreSQL 16 with pgvector) is not exposed to the public internet and accepts connections only from the application container.
- HTTPS everywhere with TLS 1.3. HTTP Strict Transport Security (HSTS) headers on all responses.
- Content Security Policy (CSP) headers restrict script sources and prevent inline script injection.
- Redis is configured with maxmemory policies, authentication, and network binding to prevent unauthorized access.
- Automated health monitoring runs every 2 minutes. Nightly test suites validate all API endpoints.
- Database backups run daily at 3 AM. Backup retention policy ensures recovery from data loss scenarios.
- API documentation endpoints are disabled in production to reduce the attack surface.
Responsible Disclosure
We welcome security researchers who help us keep Reapdat safe. If you discover a security vulnerability, please report it responsibly:
- Email your findings to security@reapdat.com with a detailed description and steps to reproduce.
- Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it (typically 90 days).
- Do not access, modify, or delete data belonging to other users during your research.
- We will acknowledge your report within 48 hours and provide regular updates on our progress.
We appreciate the security research community and will credit researchers (with permission) for verified findings.
Questions about our security?
Our team is happy to discuss our security practices in detail.