Security at RecoverPing
How we protect your Stripe data and your customers' data
Last updated: May 22, 2026
RecoverPing is a multi-tenant payment recovery platform. This page describes the technical and organizational controls we use to keep your account, Stripe connection, and end-customer data secure. For privacy rights and data collection details, see our privacy policy.
1. Data encryption
1.1 Encryption at rest
All application data is stored in encrypted databases with industry-standard encryption at rest. Sensitive credentials — including your Stripe connection tokens and optional custom email settings — are encrypted before storage. We never store your full Stripe secret key. Connection uses OAuth with scoped permissions only.
1.2 Encryption in transit
All traffic between your browser, our servers, webhooks, and integrated services uses TLS 1.2 or higher. This covers dashboard access, payment webhooks, message delivery, and internal service communication.
2. Authentication and access control
Account access supports:
- Email and password
- Magic link (passwordless) via email
- Password reset
Sessions are token-based. Every dashboard request is authenticated before any of your data is returned. Background processes that handle webhooks and recovery jobs run with server-side credentials only — never exposed in the browser.
3. Multi-tenancy and data isolation
Each RecoverPing account is isolated from every other account. Your data — settings, recovery events, templates, and opt-out records — is accessible only within your account boundary.
Database-level access controls enforce this isolation. Automated processes that receive payment webhooks always scope operations to the correct account based on your connected Stripe account — never from client-supplied identifiers alone.
4. Stripe integration security
- OAuth only — we do not require or persist your Stripe secret key. You authorize with the minimum permissions needed for recovery.
- Scoped access — read invoices and customers, create customer portal sessions. No broader write access than recovery requires.
- Token lifecycle — connection tokens are encrypted at rest and refreshed automatically. You can revoke access anytime from your Stripe dashboard.
- Webhook verification — all incoming payment events are cryptographically verified before processing.
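The two checks described in sections 3 and 4 (verify the webhook, then scope work by the connected Stripe account rather than a client-supplied identifier), as an added example that is not RecoverPing's code. It assumes Stripe's documented `Stripe-Signature` header format (`t=<timestamp>,v1=<hex HMAC-SHA256 of "<timestamp>.<raw body>">`); the tenant table, account ids, tolerance constant and function names are hypothetical.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical mapping: connected Stripe account id -> internal tenant id.
TENANT_BY_STRIPE_ACCOUNT = {"acct_TEST_A": "tenant-1", "acct_TEST_B": "tenant-2"}
TOLERANCE_SECONDS = 300  # events older than this are rejected as possible replays


class WebhookRejected(Exception):
    pass


def sign(secret: str, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>", hex encoded."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def resolve_tenant(body: bytes, sig_header: str, secret: str,
                   claimed_tenant: Optional[str] = None,
                   now: Optional[float] = None) -> str:
    """Verify the signature, then derive the tenant from the signed body only."""
    parts = [p.strip().split("=", 1) for p in sig_header.split(",") if "=" in p]
    stamps = [v for k, v in parts if k == "t"]
    candidates = [v for k, v in parts if k == "v1"]
    if len(stamps) != 1 or not (stamps[0].isascii() and stamps[0].isdigit()):
        raise WebhookRejected("malformed signature header")
    ts = int(stamps[0])
    now = time.time() if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        raise WebhookRejected("timestamp outside tolerance")
    expected = sign(secret, ts, body).encode()
    # Constant-time comparison; the header may carry more than one v1 value.
    if not any(hmac.compare_digest(expected, c.encode()) for c in candidates):
        raise WebhookRejected("signature mismatch")
    event = json.loads(body)  # parsed only after the raw bytes are authenticated
    tenant = TENANT_BY_STRIPE_ACCOUNT.get(event.get("account"))
    if tenant is None:
        raise WebhookRejected("event is not for a connected account")
    # A tenant id from a query string or custom header is never used for scoping.
    if claimed_tenant is not None and claimed_tenant != tenant:
        raise WebhookRejected("claimed tenant does not match signed account")
    return tenant
```

The signature must be computed over the raw request bytes as received; re-serializing parsed JSON before verifying changes the bytes and breaks the check.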
5. SMS compliance
SMS messages to US mobile numbers follow carrier registration and compliance requirements. RecoverPing implements:
- Automatic processing of opt-out keywords: STOP, UNSUBSCRIBE, CANCEL, END, QUIT, and others
- Opt-in via START and related keywords
- Per-account opt-out registry checked before every SMS send
- Consent guidance for merchants in our SMS consent example
6. Incident response and disclosure
We monitor our application and infrastructure for anomalies and security-relevant issues. If we confirm a data breach affecting your account, we will notify affected customers within 72 hours with a description of the incident, the data involved, and remediation steps.
Responsible disclosure: if you discover a security vulnerability, please report it to privacy@recoverping.com. Do not publicly disclose it until we have had a reasonable time to investigate and fix it. We acknowledge responsible reporters and work with them in good faith.
We do not currently operate a formal bug bounty program.
Questions about security?
Reach us at privacy@recoverping.com or use our contact form.