Reconify
security

Security at Reconify

Payment reconciliation data is sensitive. This page describes how Reconify protects data at rest and in transit, controls access, and responds to security incidents. It is not a certification statement.

cloud platform security

Security controls for the Reconify cloud platform

The Reconify cloud platform is built with a defense-in-depth approach: encryption at every layer, strict access controls, workspace isolation, and continuous monitoring. Below are the controls in place for cloud-hosted customers.

Encryption at rest

All customer data stored on the Reconify cloud platform — including reconciliation inputs, outputs, and exception reports — is encrypted at rest using AES-256. Encryption keys are managed by the cloud provider's key management service and rotated on a regular schedule.

Encryption in transit

All data exchanged between your browser, connected data sources, and the Reconify API is encrypted using TLS 1.2 or higher. We enforce HTTPS exclusively and reject unencrypted connections. Certificate validity is continuously monitored.

Access control

Role-based access control (RBAC) governs who can view reconciliation results, manage workspaces, configure data sources, and review exceptions. Growth and Scale plans support team-level permission scopes. Enterprise adds full SSO/SAML integration and fine-grained policy controls.

Authentication

The Reconify cloud platform requires verified email authentication for all accounts. Scale and Enterprise plans support multi-factor authentication (MFA) and SSO via SAML 2.0 or OIDC. We enforce secure session management with idle timeouts and device-level session tracking.

Data isolation

Each Reconify workspace is isolated at the tenant level. Your reconciliation data, exception queues, and audit records are not accessible to other customers. Logical isolation is enforced at the application layer; Enterprise deployments support physical isolation through dedicated VPC or self-hosted environments.

Audit logging

The Reconify platform emits a tamper-evident audit trail for every reconciliation run, data source access event, exception review action, and user permission change. Logs are immutable once written. You control where logs are exported and how long they are retained — 12 months by default, configurable on Enterprise plans.

Vulnerability management

We maintain a dependency update process that includes automated scanning for known CVEs. Security-relevant updates are prioritized and deployed within our normal release cycle. To report a vulnerability, contact security@reconify.com. We commit to acknowledging reports within 2 business days and providing a remediation timeline within 10 business days.

Incident response

Reconify maintains a security incident response process covering detection, containment, eradication, and recovery. In the event of a confirmed breach affecting customer data, we will notify affected customers within 72 hours of becoming aware of the incident, consistent with applicable data breach notification requirements.

infrastructure

Infrastructure and availability

The Reconify cloud platform is hosted on managed cloud infrastructure with the following properties.

Cloud hosting

The Reconify cloud platform runs on AWS and GCP infrastructure in regions with strong compliance posture. We use managed services that include built-in redundancy, automated failover, and regular security patching by the cloud provider.

Backups and recovery

Customer data is backed up daily with point-in-time recovery available for the preceding 7 days. Backups are encrypted using the same AES-256 standard as primary storage and stored in a separate availability zone from the primary data.

Monitoring and uptime

We run continuous uptime monitoring and alerting across all production services. Scheduled maintenance windows are communicated in advance. Non-enterprise plans do not carry a formal SLA; Enterprise plans include uptime commitments defined in the enterprise agreement.

Employee access

Access to production systems is restricted to a small number of authorized engineers. All access is gated behind MFA and privileged access management (PAM). Production access is logged, audited, and reviewed on a regular basis. Reconify employees do not access customer data except when explicitly authorized to diagnose a support issue.

self-hosted and enterprise

Shared responsibility for self-hosted deployments

Enterprise customers who deploy Reconify in their own environment or VPC operate under a shared responsibility model.

In a self-hosted model, Reconify is responsible for the security of the software itself: the application code, the open-source CLI, and the provided container images. We maintain secure defaults, patch known vulnerabilities, and publish security advisories in the GitHub repository.

You are responsible for the security of your deployment environment, which includes:

  • Network access controls and firewall rules governing who can reach the Reconify API and database.
  • Identity and authentication configuration — SSO provider, MFA enforcement, and session policies.
  • Encryption configuration for your storage layer, including key management and rotation.
  • Log retention and SIEM integration for the audit events emitted by Reconify.
  • Patch cadence — applying Reconify software updates to stay current with security releases.
  • Physical and hypervisor-level security for any on-premises infrastructure.

Enterprise agreements include a security review and deployment guidance session to help your team configure the environment correctly from the outset.

To report a security issue or ask about security for an Enterprise deployment, contact us at security@reconify.com.