Security

1. Our Commitment

At Rekindo, security is fundamental to how we build and operate our platform. We understand that you trust us with your business data and your customers' information. This page outlines the measures we take to protect that trust.

2. Data Location & Sovereignty

Your data is stored and managed within the European Union:

Infrastructure hosted in Germany (EU)
Full GDPR compliance
Data subject to EU privacy laws and regulations

3. Encryption

We use industry-standard encryption to protect your data:

In transit: All connections are encrypted using TLS 1.2 or higher. We enforce HTTPS for all traffic.
API keys: We use secure hashing algorithms. We never store plaintext API keys.

4. Infrastructure Security

Our infrastructure is designed with security in mind:

Network isolation: Services run in isolated private networks with strict firewall rules.
Access control: Administrative access requires VPN authentication and is limited to authorized personnel.
Container isolation: Applications run in isolated containers.
Regular updates: We keep our systems updated with security patches.

5. Application Security

We follow security best practices in our application development:

Content Security Policy: CSP headers help protect against cross-site scripting (XSS) attacks.
CSRF protection: All forms are protected against cross-site request forgery.
Input validation: All user input is validated and sanitized.
Rate limiting: Sensitive endpoints like uploads are rate-limited to prevent abuse.
Bot protection: Privacy-friendly proof-of-work challenges protect forms without tracking users.
Secure cookies: Session cookies are HttpOnly and use strict SameSite policies to prevent theft.
Content moderation: Uploaded images are automatically scanned for inappropriate content.
Security scanning: Automated security scanning in our deployment pipeline.

6. Authentication

We provide secure authentication options:

Passwordless login: Secure email-based login codes (no passwords to steal).
Google OAuth: Sign in with your Google account for added security.
Login protection: Login codes expire quickly and attempts are limited to prevent brute force.
Session management: Automatic session expiration and secure cookie handling.

7. Monitoring & Incident Response

We continuously monitor our systems:

24/7 monitoring: Automated monitoring of system health.
Alerting: Real-time alerts for anomalies and system issues.
Logging: Comprehensive logging for incident investigation.
Uptime monitoring: External monitoring of service availability.

8. Business Continuity

We ensure your data is protected against loss:

Automated backups: Regular automated database backups stored in a separate location.
Multiple workers: Application workloads run across multiple servers.

9. Secrets Management

We handle sensitive credentials securely:

API keys and credentials are stored in a dedicated secrets manager.
Secrets are never stored in code or configuration files.
Access to secrets is strictly controlled.

10. Secure Development

Security is integrated into our development process:

GitOps: All infrastructure changes are version-controlled and auditable.
Dependency updates: Third-party libraries are kept up to date.
Staged deployments: Changes are tested in acceptance environments before production.

11. Your Responsibilities

Security is a shared responsibility. We recommend:

Keep your email account secure, as login codes are sent there.
Don't share your login codes with others.
Log out when using shared devices.
Report any suspicious activity to us immediately.

12. Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

Email us at security@rekindo.com
Provide sufficient detail to reproduce the issue.
Give us reasonable time to address the issue before public disclosure.

We appreciate responsible disclosure and will acknowledge your contribution.

13. Questions

If you have questions about our security practices, please contact us at security@rekindo.com.