-
Global Security and Compliance
Your security is our #1 priority and we take it seriously
At Recko, we handle critical financial data of your business, including information about your processes, revenue, payment gateway details and merchant information. We know that the security of our systems must be air-tight to provide you with a hassle-free experience. Our teams take preventive measures and adhere to and keep up with the latest security and compliance practices across the globe.
Be assured that your data is safe with us and no information will be passed to any third party without your written consent. Read more about our Certifications and Compliance below.
-
Certifications and Compliance
PCI DSS [Audit by SISA]
The Payment Card Industry Data Security Standard is mandated by the PCI Security Standards Council. This security standard was introduced to increase control around cardholder data and reduce credit card fraud. PCI DSS applies to all organizations that maintain, process, transfer or otherwise handle sensitive cardholder data and is intended to preserve its confidentiality.
Recko makes sure that your transaction data is protected and sensitive information is handled in a safe and secure manner. We keep ourselves updated with the latest security standards, rules and best practices to provide you with a seamless and worry-free experience with our product.
ISO 27001:2013 Certification [Certifying body - British Standards Institution (BSI)]
ISO 27001:2013 is an international compliance standard recognized for managing the security risks of the information an organization holds. As an ISO 27001:2013-compliant organization, Recko follows a defined process for establishing, implementing, operating, maintaining and improving our ISMS. With an up-to-date ISMS in place, you get the additional advantage of security best practices implemented across the business. We have been certified for ISO 27001 by the British Standards Institution (BSI), one of the most respected and well-recognised certifying bodies in the world.
To ensure neutrality, certification is carried out by independent third-party auditors. The basis of this certification is the development and implementation of a rigorous security program, including an Information Security Management System (ISMS) that defines how Recko manages security on an ongoing basis in a holistic and comprehensive manner.
-
Encryption
Recko encrypts every attribute of client data before it is persisted in any of our storage instances.
Data-in-transit
All our communications in transit, whether external or internal, travel over secure, encrypted channels.
Data-at-rest
We use the Advanced Encryption Standard (AES) algorithm with a key size of 256 bits, with a unique, properly managed encryption key rotation policy for each customer.
-
Data Privacy
Your data is secure on our platform. All the data you have uploaded can be accessed only by you; beyond that, there is no way for anyone else to access your confidential data.
At the network layer, we use firewalls to protect your data from all possible threats. In addition, we have other solutions to detect viruses and malware on the host systems. These include an IDS (Intrusion Detection System) and an IPS (Intrusion Prevention System).
All new vendors, assets and activities pertaining to processing financial data are subject to a review of privacy, security and compliance.
-
Software and Application Security
By default, we require our customers to use multifactor authentication (MFA). We also restrict access to our endpoints to certain allowed IP addresses. We have built out an SSDLC (Secure Software Development Lifecycle). The SSDLC framework is a process model that ensures that organizations build secure applications. Our SSDLC process ensures that security assurance activities, namely design review, architecture analysis, code review and penetration testing, are an integral part of the development life cycle.
In addition, we frequently perform static and dynamic source code analysis and vulnerability assessment / penetration testing. This ensures that standard and advanced web application security vulnerabilities are identified, including improper input handling, weak session management, insufficient authentication or authorization, and the use of weak cryptographic algorithms.
At Recko we work with SISA and AppSecure to conduct independent internal and external network and application vulnerability assessments.
Infrastructure and Cloud Security
We perform quarterly independent penetration tests of our infrastructure with established security firms to stay ahead of security issues. We consistently follow the guidelines of the shared security responsibility model provided by our cloud providers.
We regularly monitor activity through logs and apply threat-modelling processes to our AWS cloud resources.
-
Auto-Patching of Security Issues (Proactive)
Along with manual review and security audits, all services and systems are periodically checked for newly discovered CVEs. Patches are applied automatically as soon as a fix is available. Issues discovered manually are fixed with top priority.
-
Incident Response
We have incident response policies and procedures to address service availability, integrity, security, privacy and confidentiality issues.
-
Data Retention
Once a customer leaves the application, all of their data is deleted by default. The data we handle remains completely under our customer's control.
-
Internal Policies and Education
We continuously train employees on security and coding best practices, including how to identify social engineering, phishing scams and hackers. Employees on teams with access to customer data (engineering and product teams) undergo criminal history and credit background checks prior to employment. All employees sign a Privacy Safeguard Agreement outlining their responsibility to protect customer data.
-
Responsible Disclosure
Recko, a Stripe company, takes the security and privacy of our systems seriously. We constantly ensure we're compliant with the best security practices to safeguard our customers' usage.
However, we acknowledge that building the safest platform requires constant revision. Stripe maintains a public bug bounty program with the assistance of HackerOne. Valid and in-scope reports may be eligible for a payment. Follow this link to submit a vulnerability. We will work closely with you and have the issue addressed with urgency.
By submitting a security bug or vulnerability through HackerOne, you acknowledge that you have read and agreed to the Program Terms and Conditions set forth. By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Stripe’s prior written approval.