Security at DebtRecoup
We protect your agency's data and your debtors' sensitive information with enterprise-grade security built into every layer of our platform.
TLS 1.3
Encryption in Transit
AES-256
Encryption at Rest
RBAC
Role-Based Access Control
99.9%
Uptime SLA
Our Security Framework
A multi-layered approach to keeping your data safe.
Data Encryption
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Database fields containing sensitive debtor information (SSNs, account numbers) are individually encrypted at the application layer.
Authentication & MFA
Secure login with hashed and salted passwords (bcrypt). Multi-factor authentication (MFA) is supported and strongly recommended for all user accounts, including TOTP authenticator app support.
Role-Based Access Control
Granular RBAC ensures collectors, managers, and administrators only access the data and actions their role permits. Permissions are enforced server-side on every API request — never just at the UI layer.
Full Audit Logging
Every create, read, update, and delete action is recorded with a timestamp, user identity, and IP address. Audit logs are immutable and retained for a minimum of 12 months for compliance and forensic review.
Infrastructure Security
Hosted on SOC 2-compliant cloud infrastructure. Network traffic is isolated using VPCs and private subnets. Web Application Firewall (WAF) and DDoS protection are active on all public-facing endpoints.
Vulnerability Management
Automated dependency scanning on every build. Regular penetration testing performed. Critical patches are deployed within 48 hours of disclosure; standard patches follow a monthly release cycle.
Application-Level Protections
Security controls baked directly into the application and API.
Input Validation & Sanitisation
CSRF Protection
Strict to further mitigate cross-origin request risks.
API Rate Limiting & Throttling
Secure Session Management
HTTP Security Headers
Content-Security-Policy, Strict-Transport-Security (HSTS with preload), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers.
Tenant Data Isolation
Data Handling & Compliance
FDCPA Compliance Tooling
Built-in safeguards to help your agency stay aligned with Fair Debt Collection Practices Act requirements, including communication time restrictions and opt-out management.
Data Retention & Deletion
Configurable data retention policies allow you to define how long records are kept. Secure deletion wipes data from all storage tiers — including backups — within your configured retention window.
GDPR & CCPA Readiness
Tools for handling data subject access requests, consent management, and right-to-erasure workflows ensure you can meet your obligations under GDPR and CCPA regulations.
Automated Backups
Daily encrypted backups with point-in-time recovery capability. Backups are stored in geographically separate regions and tested regularly to guarantee recoverability.
Sub-processors & Third Parties
We maintain a current list of sub-processors and require all third-party vendors to meet our security baseline, including Data Processing Agreements (DPAs) where required by law.
- Cloud hosting & managed database
- Transactional email delivery
- SMS & communication gateways
- Payment processing (PCI-DSS Level 1 providers only)
- Error monitoring & observability
Responsible Disclosure
We take every security report seriously. If you believe you have found a vulnerability in DebtRecoup, please report it to us privately so we can investigate and remediate before any public disclosure.
Report a VulnerabilityWe aim to acknowledge all reports within 48 hours and provide a resolution timeline within 5 business days.
Security Questions?
Our team is available to answer questions about our security practices, provide documentation for your compliance reviews, or assist with procurement security questionnaires.
Contact Our Team