Trust & Safety

Security

Last updated: May 3, 2026

Encrypted at Rest

AES-256 encryption for all stored data

TLS in Transit

All connections secured with TLS 1.2+

Never Sold

Your data is never sold to third parties

At ReceiptPanda, security is not an afterthought — it's built into every layer of our product. This page describes the technical and organizational measures we take to protect your data.

Data Encryption

In Transit

All data transmitted between your browser or app and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints and use HSTS (HTTP Strict Transport Security) headers to prevent downgrade attacks.

At Rest

All data stored in our databases and file storage is encrypted using AES-256. Encryption keys are managed using a dedicated key management service and are rotated regularly.

Receipts and Attachments

Receipt images and file attachments are stored in encrypted cloud storage. Access is controlled via pre-signed, time-limited URLs — no file is publicly accessible without authentication.

Access Controls

  • Role-based permissions: within your organization, you control who can view, submit, approve, or manage expenses
  • Principle of least privilege: our internal staff have access only to what they need to perform their role
  • Multi-factor authentication (MFA): available for all user accounts; enforced for internal administrative access
  • Session management: sessions are time-limited and invalidated on password change or logout
  • Audit logs: all significant account and data actions are logged with timestamps (available on Business plan)

Infrastructure Security

  • Hosted on reputable cloud infrastructure with physical security, redundancy, and isolation between customer environments
  • Firewalls and network-level access controls restrict access to internal services
  • Regular automated vulnerability scans of our infrastructure
  • Dependencies and packages are monitored for known vulnerabilities and updated promptly
  • Production environments are isolated from development and staging environments

Application Security

  • Protection against OWASP Top 10 vulnerabilities including SQL injection, XSS, CSRF, and insecure direct object references
  • Input validation and parameterized queries throughout the application
  • Content Security Policy (CSP) headers to prevent cross-site scripting
  • Rate limiting on authentication endpoints to prevent brute-force attacks
  • Passwords are hashed using bcrypt with a high work factor — we never store plaintext passwords
  • API keys and secrets are stored in environment-level secret management, never in code

Third-Party Integrations

When you connect ReceiptPanda to QuickBooks, Xero, or Zoho, we use OAuth 2.0 for authorization. We never store your third-party platform passwords. Integration tokens are encrypted at rest and can be revoked from your account settings at any time.

Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. ReceiptPanda does not store credit card numbers or sensitive payment data. Stripe handles tokenization and secure storage of payment methods.

Incident Response

We maintain an incident response plan and are committed to transparency if a security incident affects your data:

  • We will notify affected users within 72 hours of becoming aware of a confirmed breach
  • Notifications will include what data was affected, what we have done, and what you can do
  • We conduct post-incident reviews and implement preventive measures

Employee Security

  • All employees undergo background checks and security awareness training
  • Access to customer data is logged, audited, and restricted to authorized personnel only
  • Employees use company-managed devices with full-disk encryption and remote wipe capability
  • Confidentiality agreements are signed by all staff with access to sensitive systems

Responsible Disclosure

We take security reports seriously. If you discover a potential vulnerability in ReceiptPanda, we ask that you:

  • Report it to us privately at security@receiptpanda.com before disclosing publicly
  • Give us reasonable time to investigate and resolve the issue
  • Avoid accessing, modifying, or deleting data that does not belong to you

We will acknowledge your report within 48 hours and keep you updated on our progress. We are grateful to researchers who help improve our security.

Your Responsibilities

Security is a shared responsibility. To protect your account:

  • Use a strong, unique password for your ReceiptPanda account
  • Enable MFA in your account settings
  • Do not share your credentials with others
  • Review and remove team members who no longer need access
  • Report suspicious activity to support@receiptpanda.com immediately

Contact

For security concerns or to report a vulnerability: