How we protect your keys and data

Secure by design.

Recurflux connects to your payment processor to monitor and recover failed charges. That requires your API key. Here is exactly what we do with it, what we can and cannot see, and the controls we have in place.

  • AES-256-GCM: encryption at rest
  • TLS 1.2+: encryption in transit
  • Zero plaintext: no employee key access
  • Annual pentest: third-party tested

No Recurflux employee can read your API key.

Your API key is encrypted immediately on receipt using AES-256-GCM. The encryption key is stored in a separate secrets management system — isolated from the application database. The plaintext key is never held in memory longer than the single operation that requires it, and is never written to any log, error report, or monitoring tool.

What this means in practice

Even if a Recurflux engineer wanted to read your key, the system prevents it. The ciphertext in the database is useless without the encryption key, which is stored in a separate system with access logging and rotation controls.

AES-256-GCM encryption at rest

Authenticated encryption — the same standard used by banks and cloud providers. Tampering with ciphertext is detectable.

Separate secrets management

Encryption keys are stored in a dedicated secrets system, isolated from the application database. A database breach does not expose keys.

Never logged in plaintext

Keys are scrubbed from application logs, error reports, and third-party monitoring at every stage of the request lifecycle.

Purged on disconnect

When you disconnect a processor, the encrypted key is deleted immediately. Payment history is retained but the credential is gone.
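The storage pattern described above, shown as an added Go example that is not Recurflux's own code: the key-encryption key (KEK) is passed in by the caller as if fetched from the separate secrets system, the account id is bound as GCM associated data so a blob cannot be moved between rows, and the plaintext is scoped to one operation and zeroed afterwards. The KEK, account id and API key value in the test are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// newGCM builds an AES-256-GCM AEAD from the key-encryption key (KEK), which the
// caller fetches from the secrets manager; it never sits in the application database.
func newGCM(kek []byte) (cipher.AEAD, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// sealAPIKey encrypts a processor API key for storage. The account id is bound as
// associated data, so a blob copied into another account's row fails to open.
func sealAPIKey(kek []byte, accountID string, apiKey []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, apiKey, []byte(accountID)), nil // nonce || ct || tag
}
// withAPIKey opens the stored blob, hands the plaintext to exactly one operation,
// then zeroes it. A modified blob or wrong account id fails the GCM tag check.
func withAPIKey(kek []byte, accountID string, blob []byte, op func([]byte) error) error {
	gcm, err := newGCM(kek)
	if err != nil {
		return err
	}
	if len(blob) < gcm.NonceSize() {
		return errors.New("stored blob too short")
	}
	key, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(accountID))
	if err != nil {
		return err
	}
	defer func() { for i := range key { key[i] = 0 } }() // plaintext lifetime ends here
	return op(key)
}
```

The only value that should ever reach a log line is the blob, and even that is useless without the KEK held in the separate system.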

All data encrypted in transit.

Every connection between your browser, our servers, and your payment processor is encrypted with TLS 1.2 or higher. HTTP is not accepted — all requests are redirected to HTTPS. Webhook endpoints enforce the same standard.

TLS 1.2+ enforced

Older TLS versions and plain HTTP are rejected. All browser, API, and webhook traffic is encrypted end-to-end.

Webhook signature verification

Every inbound webhook from Stripe, Paddle, Razorpay, and Cashfree is verified against its processor-issued signature before any data is processed.
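An added example of that verification step, not Recurflux's or any processor's own code: a verifier for the timestamp-plus-HMAC header layout Stripe documents (`t=<unix seconds>,v1=<hex HMAC-SHA256 over "<t>.<raw body>">`), with the signing secret, sample body and clock assumed. Paddle, Razorpay and Cashfree use their own header formats, but the same checks apply: MAC over the raw bytes, constant-time comparison, and a replay window before anything in the body is parsed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
	"strings"
	"time"
)

// verifyWebhook checks a header of the form "t=<unix seconds>,v1=<hex HMAC-SHA256
// over "<t>.<raw body>">", the shape Stripe documents for its signing secret.
// now and tolerance are injected so the replay window is testable offline.
func verifyWebhook(secret, header string, body []byte, now time.Time, tolerance time.Duration) error {
	var ts string
	var sigs []string
	for _, part := range strings.Split(header, ",") {
		k, v, _ := strings.Cut(strings.TrimSpace(part), "=")
		switch k {
		case "t":
			ts = v
		case "v1": // more than one v1 may be present while a secret is rotated
			sigs = append(sigs, v)
		}
	}
	if ts == "" || len(sigs) == 0 {
		return errors.New("signature header lacks timestamp or v1 signature")
	}
	sec, err := strconv.ParseInt(ts, 10, 64)
	if err != nil {
		return errors.New("malformed timestamp")
	}
	// A captured delivery replayed outside the window fails even with a valid MAC.
	if d := now.Sub(time.Unix(sec, 0)); d > tolerance || d < -tolerance {
		return errors.New("timestamp outside tolerance")
	}
	// The MAC covers the timestamp and the raw bytes as received, not re-serialized JSON.
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(ts + "."))
	mac.Write(body)
	expected := hex.EncodeToString(mac.Sum(nil))
	for _, s := range sigs {
		if hmac.Equal([]byte(s), []byte(expected)) { // constant-time comparison
			return nil
		}
	}
	return errors.New("no v1 signature matched")
}
```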

Read-only by default. Retry-only when needed.

Recurflux uses the minimum access required for each processor. No processor integration gives us the ability to move money, create new charges, or access payout settings.

Stripe — restricted key

  Can:
  • Read subscription and payment history
  • Retry a failed charge on an existing subscription
  • Monitor card expiry dates (in-memory, not stored)
  • Register and manage webhook endpoints

  Cannot:
  • Create new charges or subscriptions
  • Transfer or move funds
  • Access payout settings or bank account details
  • Issue refunds
  • Modify Stripe account or billing settings

Paddle · Razorpay · Cashfree — webhook + retry API

  Can:
  • Receive payment failure and success events via webhooks
  • Trigger retries through the processor's own retry API
  • Read subscription status and failure codes

  Cannot:
  • Initiate new charges or subscriptions
  • Access payout or settlement details
  • Read customer card numbers or bank details
  • Modify subscription pricing or terms

No card numbers. No CVVs. No bank details.

Raw card numbers and CVVs never leave your processor's servers — we never see them. Recurflux reads card expiry dates via the API solely to detect upcoming failures before they happen, using them in-memory for that check only.

What Recurflux stores

  • Customer email address
  • Payment amount and currency
  • Failure codes and decline reasons
  • Subscription status and retry schedule
  • Dunning email engagement (opens, clicks)

What Recurflux never stores

  • Card numbers or CVVs
  • Bank account or routing numbers
  • Full card details beyond expiry
  • Customer passwords or authentication data
  • Raw processor API responses (PII scrubbed)

Hosted on certified cloud infrastructure.

Recurflux runs on ISO 27001 certified cloud infrastructure. Data at rest is encrypted. Automated backups run daily with point-in-time recovery. Access to production systems is restricted, logged, and reviewed.

ISO 27001 certified infrastructure

Hosted on cloud providers holding ISO 27001 and SOC 2 Type II certifications at the infrastructure layer.

Encryption at rest

Database volumes, backups, and object storage are encrypted at rest using platform-level encryption in addition to application-level key encryption.

Automated backups

Daily automated backups with point-in-time recovery. Backup integrity is tested regularly. Retention period: 30 days.

Production access controls

Access to production systems is role-gated, requires multi-factor authentication, and is fully logged. Access is reviewed and revoked promptly when no longer required.

Tested by third parties. Reported responsibly.

Recurflux undergoes annual penetration testing conducted by an independent third-party security firm. Findings are remediated before the next test cycle. We also maintain a responsible disclosure policy — if you find something, we want to know.

Annual penetration testing

Independent third-party security firm conducts annual penetration tests covering application, API, and infrastructure layers. Findings are tracked and remediated.

Responsible disclosure

Security researchers who find and report vulnerabilities responsibly are acknowledged. We commit to a 72-hour acknowledgement and 90-day remediation window for valid findings.

Dependency scanning

Dependencies are scanned automatically on every deploy. Known CVEs trigger immediate review and patch cycles.

Security incident response

A documented incident response plan covers detection, containment, notification, and post-incident review. GDPR breach notification within 72 hours where required.

Report a security issue

Email [email protected] with details. Please do not publicly disclose findings until we have had the opportunity to investigate and remediate.

GDPR, DPA, and SOC 2 ready.

Recurflux operates as a data processor under GDPR. A Data Processing Agreement is required before any processor connect — it is presented explicitly at the moment of connection and not buried in terms.

DPA required at connect

You accept the DPA before any data flows. The connect button is gated behind this explicit acceptance — not a buried checkbox.

GDPR Art. 17 deletion

Disconnect at any time. Your data and your subscribers' data are purged within 30 days — or immediately on written request.

72-hour breach notification

If a breach affecting your data occurs, you are notified within 72 hours as required by GDPR Art. 33. We do not wait for full investigation before notifying.

Subprocessors

A limited set of third-party services are used for infrastructure, email delivery, and error monitoring. Full subprocessor list available on request.

Data residency

Customer data is processed and stored within the EU and US. Data does not leave these jurisdictions without appropriate safeguards.

SOC 2 ready

Controls are in place across access management, encryption, incident response, and availability monitoring. Formal Type II certification in progress.

Full details in our Privacy Policy and Data Processing Agreement. For enterprise compliance reviews, custom DPAs, or the full subprocessor list, contact [email protected].

Questions about security or compliance?

We can share full security documentation, a custom DPA, the subprocessor list, or walk through the architecture with your security team.