Security at DebtRecoup

We protect your agency's data and your debtors' sensitive information with enterprise-grade security built into every layer of our platform.

TLS 1.3

Encryption in Transit

AES-256

Encryption at Rest

RBAC

Role-Based Access Control

99.9%

Uptime SLA

Our Security Framework

A multi-layered approach to keeping your data safe.

Data Encryption

All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Database fields containing sensitive debtor information (SSNs, account numbers) are individually encrypted at the application layer.

Authentication & MFA

Secure login with hashed and salted passwords (bcrypt). Multi-factor authentication (MFA) is supported and strongly recommended for all user accounts, including TOTP authenticator app support.

Role-Based Access Control

Granular RBAC ensures collectors, managers, and administrators only access the data and actions their role permits. Permissions are enforced server-side on every API request — never just at the UI layer.

Full Audit Logging

Every create, read, update, and delete action is recorded with a timestamp, user identity, and IP address. Audit logs are immutable and retained for a minimum of 12 months for compliance and forensic review.

Infrastructure Security

Hosted on SOC 2-compliant cloud infrastructure. Network traffic is isolated using VPCs and private subnets. Web Application Firewall (WAF) and DDoS protection are active on all public-facing endpoints.

Vulnerability Management

Automated dependency scanning on every build. Regular penetration testing performed. Critical patches are deployed within 48 hours of disclosure; standard patches follow a monthly release cycle.

Application-Level Protections

Security controls baked directly into the application and API.

Input Validation & Sanitisation
All user input is validated server-side using strict schema enforcement before being persisted or returned. Output is always HTML-escaped to prevent Cross-Site Scripting (XSS) attacks. Parameterised queries are used throughout to prevent SQL injection.
CSRF Protection
Cross-Site Request Forgery (CSRF) tokens are issued per session and validated on every state-changing request. SameSite cookie attributes are set to Strict to further mitigate cross-origin request risks.
API Rate Limiting & Throttling
All API endpoints are rate-limited per IP and per authenticated user to prevent brute-force and abuse. Login endpoints enforce exponential back-off after repeated failures and support account lockout policies configurable per organisation.
Secure Session Management
Session tokens are cryptographically random, rotated on privilege escalation, and invalidated server-side on logout. Idle sessions expire automatically after a configurable inactivity period. Concurrent session limits can be enforced per user role.
HTTP Security Headers
Every response includes Content-Security-Policy, Strict-Transport-Security (HSTS with preload), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers.
Tenant Data Isolation
Each agency operates in a fully isolated data partition. Tenant IDs are enforced at the database query level on every request — it is architecturally impossible for one tenant to access another tenant's records, even through misconfigured API calls.

Data Handling & Compliance

FDCPA Compliance Tooling

Built-in safeguards to help your agency stay aligned with Fair Debt Collection Practices Act requirements, including communication time restrictions and opt-out management.

Data Retention & Deletion

Configurable data retention policies allow you to define how long records are kept. Secure deletion wipes data from all storage tiers — including backups — within your configured retention window.

GDPR & CCPA Readiness

Tools for handling data subject access requests, consent management, and right-to-erasure workflows ensure you can meet your obligations under GDPR and CCPA regulations.

Automated Backups

Daily encrypted backups with point-in-time recovery capability. Backups are stored in geographically separate regions and tested regularly to guarantee recoverability.

Sub-processors & Third Parties

We maintain a current list of sub-processors and require all third-party vendors to meet our security baseline, including Data Processing Agreements (DPAs) where required by law.

  • Cloud hosting & managed database
  • Transactional email delivery
  • SMS & communication gateways
  • Payment processing (PCI-DSS Level 1 providers only)
  • Error monitoring & observability

Responsible Disclosure

We take every security report seriously. If you believe you have found a vulnerability in DebtRecoup, please report it to us privately so we can investigate and remediate before any public disclosure.

Report a Vulnerability

We aim to acknowledge all reports within 48 hours and provide a resolution timeline within 5 business days.

Security Questions?

Our team is available to answer questions about our security practices, provide documentation for your compliance reviews, or assist with procurement security questionnaires.

Contact Our Team