Platform
Security & Data Handling
RecurCite is designed to collect only the evidence needed to win disputes — not to be a surveillance tool. This page covers what we store, how we protect it, and what we reject.
What we collect
RecurCite stores the minimum data necessary to build compelling evidence Packets. Every piece of data has a specific purpose in dispute response.
| Data type | Examples | Purpose |
|---|---|---|
| Timestamps | Login times, purchase dates, cancellation dates | Prove when actions occurred relative to the dispute |
| Counters | Feature usage counts, login frequency | Demonstrate active product usage |
| Identifiers | Terms version, feature keys, ticket IDs | Reference specific policies and interactions |
| Hashed emails | SHA-256 hex digests | Match customers without storing raw emails |
| Dispute snapshots | Stripe dispute objects (amount, reason, dates) | Dispute context for evidence assembly |
What we reject
The API enforces strict schemas and will reject any event containing prohibited data types. This is validated server-side — you cannot bypass it.
- Raw email addresses — use
email_sha256instead - Content payloads — no message bodies, chat logs, or document content
- Sensitive PII — SSNs, credit card numbers, government IDs
- Authentication credentials — passwords, tokens, secrets
Note
If you attempt to send a payload with prohibited fields, the API returns a 400 error with a clear message about which field was rejected and why.
Encryption at rest
All sensitive data is encrypted at rest using industry-standard algorithms:
| Data | Algorithm | Details |
|---|---|---|
| Stripe access tokens | AES-256-GCM | Encrypted with a 256-bit key; unique IV per token; authenticated encryption prevents tampering |
| API keys | SHA-256 | Stored as one-way hashes; raw key shown only once at creation |
| Database | TLS in transit | All database connections use TLS; provider-level encryption at rest |
HMAC signing
For tamper-proof evidence, enable HMAC signing in the SDK. When enabled, every request includes an X-Recurcite-Signature header that the server verifies.
const recurcite = init({
apiKey: process.env.RECURCITE_API_KEY!,
signingSecret: process.env.RECURCITE_SIGNING_SECRET,
});
// All track() calls now include a verified signatureEvents with verified HMAC signatures carry more weight in evidence Packets because they prove the data was not modified after creation. This is especially valuable for high-stakes disputes.
Tip
We strongly recommend enabling HMAC signing in production. It takes one line of config and significantly strengthens your evidence.
Tenant isolation
Every database query in RecurCite is scoped to the authenticated organization. There is no way to access another organization's data — even at the database level, all queries include an organizationId filter.
- All API routes validate the requesting organization before returning data
- Evidence events are partitioned by organization
- Stripe webhook processing verifies the connected account matches the organization
- PDF storage keys include the organization ID for bucket-level isolation
Audit logging
RecurCite maintains an append-only audit log for all critical operations. Every action that creates, modifies, or accesses sensitive data is recorded with:
- Who — the user and organization that performed the action
- What — the specific action (e.g.
dispute.submitted,api_key.created) - When — timestamp of the action
- Metadata — relevant context (dispute ID, IP address, etc.)
View your audit log in Dashboard → Audit Log.
Data retention
- Evidence events — retained for the lifetime of your account
- Dispute snapshots — append-only and immutable; retained indefinitely
- Generated PDFs — cached in S3-compatible storage with signed URLs (5-minute expiry)
- Audit entries — retained indefinitely; cannot be deleted
- Account deletion — upon request, all organization data is permanently deleted within 30 days
Submission security
When RecurCite submits evidence to Stripe on your behalf:
- Your Stripe access token is decrypted from AES-256-GCM only at submission time
- The token is used for a single API call and never logged or cached in plaintext
- Every submission attempt is recorded in an append-only submission log with the full request/response
- Idempotency keys prevent duplicate submissions
Responsible disclosure
If you discover a security vulnerability, please report it to security@recurcite.com. We take all reports seriously and will respond within 48 hours.
Next steps
- SDK → HMAC Signing — enable tamper-proof evidence
- Event Reference → Privacy Rules — what data to send and what to avoid