We treat your card data like the regulated record it is.
Rexa is built by people who've operated finance-data systems before. The controls below aren't aspirational — they're enforced in code, in the database, and in CI. Everything is auditable.
Encryption everywhere
AES-256-GCM envelope encryption for receipt blobs: each blob is encrypted under a data key, and the data keys are wrapped by an AWS KMS key and unwrapped at boot, so the master key never leaves KMS and never sits on disk in plaintext. argon2id for passwords (OWASP-tuned; parameters below). TLS between every internal service, and the production database connection requires TLS.
Tenant isolation in two layers
The API runs as a non-superuser Postgres role; this matters because superusers and roles with BYPASSRLS skip Row-Level Security silently. Every company-scoped table has Row-Level Security enabled and forced (so it binds the table owner too), gated by current_setting('app.company_id'), which is set per request; a query that reaches the database without a tenant context fails closed rather than returning every tenant's rows. App-layer tenant scoping is the second line of defense, not the only one.
Append-only audit log
audit_events grants are INSERT and SELECT only: UPDATE and DELETE are rejected at the SQL layer regardless of code-layer bugs. Postgres privilege checks do not bind a table's owner or a superuser, so this only holds for a role that neither owns the table nor is a superuser, which is why the API runs as the restricted role described above. Every state change (approvals, exports, period closes, role changes, GDPR erasure) writes a row.
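The two database-layer controls described above (forced Row-Level Security keyed on app.company_id, and an audit table the runtime role can only INSERT into and SELECT from), as an added PostgreSQL example. This is not Rexa's schema: the role names rexa_owner and rexa_api, the table columns, and the sample tenant ids are assumptions made for illustration; only the app.company_id setting name comes from the page. The card_last4 CHECK constraint is likewise an added belt-and-braces assumption, not a claim about how Rexa normalizes card data.

```sql
-- Added example (not Rexa's schema). Run as a superuser against a scratch database.
-- Assumed names: rexa_owner, rexa_api, receipts, audit_events.

-- 1. Roles. A separate owner for DDL, and a runtime role that is neither a superuser
--    nor BYPASSRLS: both of those skip row-level security silently.
CREATE ROLE rexa_owner NOLOGIN;
CREATE ROLE rexa_api LOGIN NOSUPERUSER NOBYPASSRLS NOCREATEDB NOCREATEROLE;

CREATE TABLE receipts (
    id           bigserial PRIMARY KEY,
    company_id   bigint NOT NULL,
    card_last4   char(4) CHECK (card_last4 ~ '^[0-9]{4}$'),  -- assumed: only last-4 fits here
    amount_cents bigint NOT NULL,
    created_at   timestamptz NOT NULL DEFAULT now()
);
ALTER TABLE receipts OWNER TO rexa_owner;

-- 2. Tenant isolation. ENABLE turns RLS on; FORCE makes it bind the owner as well.
--    The policy reads the per-request setting. current_setting(..., true) returns
--    NULL instead of raising when the setting was never set, and NULLIF covers the
--    empty-string value a placeholder keeps after a SET LOCAL ends. A NULL tenant
--    id compares false, so a request with no tenant context sees no rows and can
--    insert none: the policy fails closed.
ALTER TABLE receipts ENABLE ROW LEVEL SECURITY;
ALTER TABLE receipts FORCE ROW LEVEL SECURITY;

CREATE POLICY receipts_tenant_isolation ON receipts
    FOR ALL TO rexa_api
    USING      (company_id = NULLIF(current_setting('app.company_id', true), '')::bigint)
    WITH CHECK (company_id = NULLIF(current_setting('app.company_id', true), '')::bigint);

GRANT SELECT, INSERT, UPDATE, DELETE ON receipts TO rexa_api;
GRANT USAGE, SELECT ON SEQUENCE receipts_id_seq TO rexa_api;

-- 3. Append-only audit log. Same RLS shape, but the runtime role gets INSERT and
--    SELECT only. The REVOKE is belt-and-braces: it documents intent and undoes any
--    earlier over-broad GRANT ALL.
CREATE TABLE audit_events (
    id          bigserial PRIMARY KEY,
    company_id  bigint NOT NULL,
    actor_id    bigint,
    action      text NOT NULL,
    payload     jsonb,
    occurred_at timestamptz NOT NULL DEFAULT now()
);
ALTER TABLE audit_events OWNER TO rexa_owner;
ALTER TABLE audit_events ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_events FORCE ROW LEVEL SECURITY;

CREATE POLICY audit_tenant_isolation ON audit_events
    FOR ALL TO rexa_api
    USING      (company_id = NULLIF(current_setting('app.company_id', true), '')::bigint)
    WITH CHECK (company_id = NULLIF(current_setting('app.company_id', true), '')::bigint);

REVOKE ALL ON audit_events FROM rexa_api;
GRANT INSERT, SELECT ON audit_events TO rexa_api;
GRANT USAGE, SELECT ON SEQUENCE audit_events_id_seq TO rexa_api;

-- 4. The per-request pattern the API must follow. SET LOCAL scopes the tenant id
--    to the transaction, so a pooled connection never carries one tenant's id into
--    the next request; a plain SET would persist for the whole session.
SET ROLE rexa_api;   -- the API would connect as rexa_api directly; SET ROLE stands in here

BEGIN;
SET LOCAL app.company_id = '42';
INSERT INTO receipts (company_id, card_last4, amount_cents) VALUES (42, '4242', 1999);
INSERT INTO audit_events (company_id, actor_id, action, payload)
    VALUES (42, 7, 'receipt.created', '{"receipt_id": 1}');
SELECT id, card_last4, amount_cents FROM receipts;   -- only company 42's rows
COMMIT;

-- Outside any tenant context: no rows, not everyone's rows.
SELECT count(*) AS visible_without_tenant FROM receipts;   -- 0

-- Wrong tenant id on insert: rejected by WITH CHECK even though the role may INSERT.
BEGIN;
SET LOCAL app.company_id = '42';
INSERT INTO receipts (company_id, card_last4, amount_cents) VALUES (99, '1111', 500);
-- ERROR: new row violates row-level security policy for table "receipts"
ROLLBACK;

-- Audit rows cannot be rewritten or removed by the runtime role, whatever the code does.
UPDATE audit_events SET action = 'tampered';   -- ERROR: permission denied for table audit_events
DELETE FROM audit_events;                      -- ERROR: permission denied for table audit_events
```

The last three statements are expected to fail; that is the point of the example. Note that the RLS policy only has teeth for rexa_api: anyone connecting as rexa_owner or a superuser is bound by FORCE but not by the GRANTs, so DDL and migrations should run under the owner role and the application under the runtime role, never the reverse.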
Real auth primitives
Passwords are hashed with argon2id (19 MiB memory, time=2, parallelism=1, the OWASP-recommended minimum). TOTP 2FA with QR enrollment. Sessions are revocable via the JWT jti claim (revocation by jti requires checking each presented token against the revoked set server-side; a signed token cannot be recalled on its own). Per-route rate limits on login, register, totp/verify, and password reset.
No PAN, ever
Card data is normalized to the last four digits at the adapter boundary: full numbers never enter the system, the database, or the logs. This keeps PCI DSS scope minimal. A truncated PAN on its own is not cardholder data, so there is no cardholder data environment to assess, not even at the SAQ A level.
EU data residency
Postgres + S3 in eu-central-1, API + workers on Fly Amsterdam. Optional AI assistant features (Anthropic) require explicit per-tenant opt-in plus an executed DPA — we refuse to make those calls in production until the flag is set.
What we've operationalized
GDPR Articles 15 and 17 implemented
One-click full data export (JSON bundle) and erasure that scrubs free-text PII while preserving tax-required financial records.
Listed and disclosed
Every third party that touches customer data is enumerated, with region and data types.
See the list →
NIS2-aligned playbook
Severity definitions, NCSC-NL notification timelines (24-hour early warning, 72-hour incident notification, 30-day final report), customer disclosure template.
Per-column retention policy
7-year tax retention for financial fields. 90 days for sessions. Free-text PII scrubbed on erasure or 30 days after a user leaves.
Pinned, scanned, signed
Every GitHub Action pinned to a commit SHA rather than a mutable tag. npm audit blocks merge on high or critical findings. Dependabot updates dependencies weekly.
Approval-gated production deploys
Manual approval required for prod deploys via the GitHub `production` environment. No deploys while CI is red.
Roadmap, in the open
SOC 2 Type I
Status: on request. Type I evidence collection begins once we sign our first paying customer with a procurement bar that needs it. Type II follows about 6 months later.
SAML / OIDC SSO
Status: enterprise. Enterprise tier feature, scaffolded; it is switched on once a customer needs it.
BYOK encryption
Status: enterprise. Per-tenant data encryption keys. Schema is in place; the KMS integration is behind an environment flag.
Bug bounty
Status: live. Coordinated disclosure via security.txt and email. HackerOne if scale demands it.
NIS2 readiness
Status: live. IR playbook, supply-chain controls, and incident reporting timelines built to NIS2 from day one.
Pre-filed VAT (SAF-T)
Status: building. NL first, with FR/DE/UK to follow as e-invoicing mandates land.
Found something?
Coordinated disclosure: report security issues to security@rexa.one. We acknowledge within one business day. Safe harbor for good-faith research; no legal action for finding and disclosing in line with our security.txt policy.
Sub-processors
Every third party that processes customer data is listed publicly with region and data type, per GDPR Art. 28.
See the list →