Recerc

Security at Recerc

How Recerc protects customer data using modern, enterprise-grade security best practices

At Recerc, security is a foundational principle of the platform. We design and operate Recerc to meet the expectations of companies running critical B2B commercial processes, where data protection, access control, and operational reliability are non-negotiable.

This page describes our current security posture, controls, and practices, as well as how we continuously improve and prepare for future compliance requirements.

Security Principles

Our security approach is guided by the following principles:

  • Least privilege by default — every action requires explicit authorization
  • Strict workspace isolation — customer data is never shared across tenants
  • Defense in depth — multiple layers of protection across application, data, and infrastructure
  • Auditability — all sensitive actions are logged and traceable
  • Security by design — controls are embedded into the core architecture

Data Protection & Storage

Encrypted Data at Rest

All customer data is stored in a managed database with:

  • Encryption at rest
  • Secure key management handled by the infrastructure providers
  • Continuous infrastructure-level security updates

Workspace-Level Isolation

  • All data is scoped to a workspace
  • Queries are enforced through workspace-aware access rules
  • There is no architectural path for cross-workspace data access

Authentication & Access Control

Strong Authentication

  • Authentication is handled using email-based one-time access codes
  • Ensures verified ownership of email accounts
  • Eliminates password reuse and credential leakage risks

Role-Based Access Control (RBAC)

  • All endpoints enforce explicit roles and permissions
  • Authorization is evaluated on every request
  • Privileged actions require elevated roles

Secure Internal Procedures

  • All application procedures run through a shared private middleware
  • Authentication and authorization checks are mandatory
  • There are no unauthenticated or implicit access paths

Application & API Security

  • No direct database access from the client
  • All access is mediated through secure server-side procedures
  • Authorization is enforced consistently at the API layer
  • Input validation and controlled execution paths are applied across the system

There is no supported mechanism to bypass access controls or retrieve private data outside authorized scopes.

File & Document Security

  • All files are stored in private object storage
  • Files are never publicly accessible
  • Access is granted using time-limited, signed URLs
  • URLs automatically expire and cannot be reused

Infrastructure & Providers

Recerc is built on modern, widely adopted cloud infrastructure:

  • Vercel — application hosting and execution
  • PlanetScale — managed database infrastructure
  • Cloudflare R2 — secure object storage
  • Stripe — payment processing
  • PostHog — product analytics and event tracking

These platforms are trusted by leading technology companies, including OpenAI, Stripe, Slack, Notion, Intercom, and others, and provide built-in protections such as infrastructure hardening, encryption, availability, and network-level security.

Auditing, Logging & Observability

Security-relevant events are monitored and logged across the stack:

  • Application-level logs and alerts via Vercel Observability
  • Database activity and operational signals from PlanetScale
  • User interaction and behavioral events via PostHog

Logs support:

  • Incident detection
  • Auditability
  • Internal investigations
  • Workspace-level traceability

Only authorized workspace members can access their own audit data.

Incident Response

Recerc maintains an internal incident response process designed for fast detection and resolution.

  • Alerts from application, database, and analytics systems are continuously monitored
  • Incidents are triaged based on severity and scope
  • Actions are logged and reviewed
  • Customers are notified when required and appropriate

Incident response procedures are tested and iterated as the platform evolves.

Backups & Disaster Recovery

  • PlanetScale provides built-in database backups
  • Infrastructure is defined using infrastructure-as-code principles
  • Restoration workflows are designed to minimize recovery time

This allows Recerc to recover quickly from infrastructure or data-related incidents while maintaining data integrity.

Environment Separation

  • Production and non-production environments are logically separated
  • Production data is not used in development environments
  • Access to production systems is restricted and logged

Internal Access Controls

Recerc employees do not have default access to customer workspaces or data.

Internal access is:

  • Only granted if explicitly enabled by the customer in workspace settings
  • Limited to specific conditions (e.g. customer support or incident resolution)
  • Time-bound and purpose-specific
  • Fully logged and auditable

All internal access follows a defined protocol and is governed by strict internal policies and NDAs.

Secure Development Practices

  • All code is tracked in version control
  • Changes follow review and deployment controls
  • Dependencies are actively maintained and kept up to date
  • Security-sensitive logic is centralized to reduce risk and inconsistency

Payments & Financial Data

  • All payment processing is handled by Stripe
  • Recerc does not store raw credit card information
  • Payment data is managed entirely within Stripe’s secure environment

Compliance & SOC 2 Readiness

Recerc is not currently SOC 2 certified.

However:

  • Our architecture and controls align with many SOC 2 Trust Service Criteria
  • Logging, access controls, change management, and incident response are designed with auditability in mind
  • We maintain documentation and practices that support SOC 2 readiness

We plan to pursue formal security certifications as customer and regulatory requirements evolve.

Responsible Disclosure

If you believe you have identified a security issue, please report it responsibly:

security@recerc.com

All reports are reviewed and investigated promptly.

Continuous Improvement

Security is an ongoing process. We continuously:

  • Review access patterns
  • Improve authorization boundaries
  • Monitor infrastructure and dependencies
  • Evolve controls as Recerc scales

Security FAQ

Where is our data stored?

Customer data is stored in managed cloud infrastructure using encrypted databases and private object storage.

Is our data isolated from other customers?

Yes. All data is strictly scoped to a workspace and isolated at the application and database levels.

Do Recerc employees have access to our data?

No by default. Internal access is only possible if explicitly enabled by the customer, for limited purposes, and is fully logged.

How is authentication handled?

Authentication uses email-based one-time access codes to ensure verified access without passwords.

Are actions audited?

Yes. Security-relevant actions are logged and auditable at the workspace level.

Is Recerc SOC 2 certified?

Not yet. We follow SOC 2-aligned best practices and plan to pursue formal certification as requirements evolve.

How are files protected?

All files are private and accessed using time-limited, signed URLs.

How does Recerc handle payments?

Payments are processed securely via Stripe. Recerc does not store card details.

If you have additional security or compliance requirements, our team is happy to discuss them.

Getting Started

Learn how to set up and start using Recerc

Webhooks

Send events into Recerc using workspace + webhook handles

On this page

Security PrinciplesData Protection & StorageEncrypted Data at RestWorkspace-Level IsolationAuthentication & Access ControlStrong AuthenticationRole-Based Access Control (RBAC)Secure Internal ProceduresApplication & API SecurityFile & Document SecurityInfrastructure & ProvidersAuditing, Logging & ObservabilityIncident ResponseBackups & Disaster RecoveryEnvironment SeparationInternal Access ControlsSecure Development PracticesPayments & Financial DataCompliance & SOC 2 ReadinessResponsible DisclosureContinuous ImprovementSecurity FAQWhere is our data stored?Is our data isolated from other customers?Do Recerc employees have access to our data?How is authentication handled?Are actions audited?Is Recerc SOC 2 certified?How are files protected?How does Recerc handle payments?