Security

Built to be trusted with your money records.

Rekava handles sensitive financial data. Security is designed into the platform, not added afterwards — here's how.

Encryption in transit

All traffic runs over HTTPS/TLS. Production responses send HTTP Strict Transport Security (HSTS), so browsers refuse to fall back to plain HTTP, together with a strict set of security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy and more).

Strong authentication

Passwords are stored only as bcrypt hashes (cost factor 12), never in plain text. Optional two-factor authentication (TOTP) with single-use backup codes adds a second layer.
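The second factor described above, as an added example that is not Rekava's code: RFC 6238 TOTP verification with a small clock-skew window, single use of each time step so a code cannot be replayed, and backup codes that are stored hashed and consumed on first use. The window size, the backup-code format and the per-user state layout are assumptions; the test-vector secret is the one from RFC 4226/6238.

```python
# Added example (not Rekava's code): RFC 6238 TOTP with replay protection and
# single-use backup codes, stdlib only. Window, code format and the
# SecondFactor layout are assumptions about how such state would be stored.
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30 s steps since the Unix epoch."""
    return hotp(secret, unix_time // step)


@dataclass
class SecondFactor:
    """Per-user 2FA state as it would sit in the database (assumed layout)."""
    secret: bytes
    last_counter: int = -1                               # highest step already accepted
    backup_hashes: list = field(default_factory=list)    # sha256 of unused backup codes

    def verify_totp(self, code: str, unix_time: int, window: int = 1) -> bool:
        """Accept a code from the current step or +/- `window` steps, but never a
        step at or below the last accepted one: every code is single-use."""
        code = code.strip()
        if not (code.isascii() and code.isdigit()):
            return False
        current = unix_time // 30
        for counter in range(current - window, current + window + 1):
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False

    def issue_backup_codes(self, n: int = 10) -> list:
        """Generate n random codes and keep only their hashes. The codes are 40-bit
        random values, not user-chosen, so a fast hash is adequate here."""
        codes = [secrets.token_hex(5) for _ in range(n)]
        self.backup_hashes = [hashlib.sha256(c.encode()).digest() for c in codes]
        return codes  # shown to the user exactly once

    def use_backup_code(self, code: str) -> bool:
        """Consume a backup code: valid at most once, removed on success."""
        digest = hashlib.sha256(code.strip().lower().encode()).digest()
        for i, stored in enumerate(self.backup_hashes):
            if hmac.compare_digest(stored, digest):
                del self.backup_hashes[i]
                return True
        return False


def demo() -> dict:
    """Walk the RFC 6238 test vector through the single-use rules."""
    secret = b"12345678901234567890"            # RFC 4226/6238 test-vector secret
    mfa = SecondFactor(secret=secret)
    code_t59 = totp(secret, 59)                 # "287082" in RFC 6238 (SHA-1, 6 digits)
    first = mfa.verify_totp(code_t59, 59)       # accepted
    replay = mfa.verify_totp(code_t59, 75)      # same step, already used: rejected
    backups = mfa.issue_backup_codes()
    backup_first = mfa.use_backup_code(backups[0])
    backup_again = mfa.use_backup_code(backups[0])
    return {"code_t59": code_t59, "first": first, "replay": replay,
            "backup_first": backup_first, "backup_again": backup_again,
            "remaining": len(mfa.backup_hashes)}
```

The replay rule (`counter <= last_counter`) is what turns a 30-second code into a single-use one; without it a code sniffed from the user is valid for the rest of its step and the skew window. Backup codes get a fast hash only because they are generated with full entropy; user-chosen passwords still need bcrypt.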

Account protection

Repeated failed logins trigger a temporary lockout. A failed login returns the same response, and takes the same time, whether or not the account exists, so login responses cannot be used to enumerate accounts. Changing a password immediately invalidates every existing session.
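The three protections in this section, as an added example that is not Rekava's code: a failure counter with a timed lockout, a dummy hash verified whenever the e-mail is unknown so that an unregistered address costs the same time and yields the same message as a wrong password, and sessions stamped with a password version that stops matching once the password changes. Rekava uses bcrypt at cost 12; this demo uses stdlib PBKDF2 purely as a stand-in so it runs without extra packages. The limits, names and in-memory stores are assumptions.

```python
# Added example (not Rekava's code): lockout, enumeration-resistant login and
# password-change session invalidation. PBKDF2 stands in for bcrypt (cost 12)
# only so the block runs with the standard library; limits are assumptions.
import hashlib
import hmac
import os
import secrets
import time

MAX_FAILURES = 5          # failures before lockout (assumed)
LOCKOUT_SECONDS = 900     # lockout duration (assumed)
PBKDF2_ITERS = 50_000     # kept low for the demo; production uses bcrypt cost 12


def hash_password(password: str, salt=None) -> bytes:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return hmac.compare_digest(candidate, digest)


# Verified whenever the e-mail is unknown, so "no such account" costs the same
# as "wrong password" and timing does not reveal which addresses are registered.
DUMMY_HASH = hash_password(secrets.token_urlsafe(16))
GENERIC_FAILURE = "Invalid credentials"


class AuthService:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}      # email -> {"hash": bytes, "pw_version": int}
        self.failures = {}   # email -> {"count": int, "locked_until": float}
        self.sessions = {}   # token -> {"email": str, "pw_version": int}

    def register(self, email: str, password: str) -> None:
        self.users[email] = {"hash": hash_password(password), "pw_version": 1}

    def _locked(self, email: str) -> bool:
        f = self.failures.get(email)
        return bool(f) and self.clock() < f["locked_until"]

    def _record_failure(self, email: str) -> None:
        f = self.failures.setdefault(email, {"count": 0, "locked_until": 0.0})
        f["count"] += 1
        if f["count"] >= MAX_FAILURES:
            f["locked_until"] = self.clock() + LOCKOUT_SECONDS
            f["count"] = 0

    def login(self, email: str, password: str):
        """Return (session token or None, message). The message is identical for
        an unknown account, a wrong password and a locked account."""
        user = self.users.get(email)
        # The expensive check always runs, against the dummy hash if necessary.
        ok = verify_password(password, user["hash"] if user else DUMMY_HASH)
        if user is None or self._locked(email):
            return None, GENERIC_FAILURE
        if not ok:
            self._record_failure(email)
            return None, GENERIC_FAILURE
        self.failures.pop(email, None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"email": email, "pw_version": user["pw_version"]}
        return token, "OK"

    def session_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        return bool(s) and s["pw_version"] == self.users[s["email"]]["pw_version"]

    def change_password(self, email: str, new_password: str) -> None:
        """Bumping pw_version kills every session issued before the change."""
        version = self.users[email]["pw_version"] + 1
        self.users[email] = {"hash": hash_password(new_password), "pw_version": version}


def demo() -> dict:
    t = [0.0]                                    # controllable clock for the demo
    svc = AuthService(clock=lambda: t[0])
    svc.register("owner@example.com", "correct horse battery")
    unknown, msg_unknown = svc.login("nobody@example.com", "anything")
    wrong, msg_wrong = svc.login("owner@example.com", "wrong")
    token, _ = svc.login("owner@example.com", "correct horse battery")
    before = svc.session_valid(token)
    svc.change_password("owner@example.com", "new passphrase")
    after = svc.session_valid(token)               # old session is dead
    for _ in range(MAX_FAILURES):
        svc.login("owner@example.com", "guess")
    locked, _ = svc.login("owner@example.com", "new passphrase")   # right password, still locked
    t[0] += LOCKOUT_SECONDS + 1
    unlocked, _ = svc.login("owner@example.com", "new passphrase")
    return {"unknown": unknown, "msg_unknown": msg_unknown, "wrong": wrong,
            "msg_wrong": msg_wrong, "token": token, "before": before, "after": after,
            "locked": locked, "unlocked": unlocked}
```

Two details matter in practice: the password check must run before the "does this user exist" branch, otherwise the fast path for unknown accounts is measurable; and the lockout is keyed by account, not only by IP, so a distributed guesser still trips it. Versioning sessions rather than deleting them also covers sessions held in a cache or a second data store.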

Isolation & access control

Every record is scoped to its business and enforced at the API, not just hidden in the UI. Role-based permissions (Owner, Admin, Accountant, Staff, Viewer) gate sensitive actions.
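How scoping and role checks look when enforced in the API layer, as an added example that is not Rekava's code. The five roles are the ones named above; the action-to-role matrix, the invoice record shape and the in-memory store are assumptions. The point it shows is that the business ID comes from the verified session, not from the request, and that a record from another business is simply not found.

```python
# Added example (not Rekava's code): tenant scoping and RBAC enforced in the
# API. Roles are the five from the page; the permission matrix, record shape
# and function names are assumptions.
from dataclasses import dataclass

# Which roles may perform which action. Anything not listed is denied.
PERMISSIONS = {
    "invoice:read":    {"Owner", "Admin", "Accountant", "Staff", "Viewer"},
    "invoice:create":  {"Owner", "Admin", "Accountant", "Staff"},
    "invoice:void":    {"Owner", "Admin", "Accountant"},
    "member:invite":   {"Owner", "Admin"},
    "business:delete": {"Owner"},
}


@dataclass(frozen=True)
class Actor:
    """Built from the verified session, never from request parameters."""
    user_id: str
    business_id: str
    role: str


class Forbidden(Exception):
    pass


def authorize(actor: Actor, action: str) -> None:
    if actor.role not in PERMISSIONS.get(action, set()):
        raise Forbidden(f"{actor.role} may not {action}")


class InvoiceApi:
    def __init__(self):
        self._rows = {}   # (business_id, invoice_id) -> record (constructed store)
        self._next = 1

    def create(self, actor: Actor, amount: int) -> str:
        authorize(actor, "invoice:create")
        inv_id = f"inv_{self._next}"
        self._next += 1
        # business_id is taken from the actor, so a client cannot write into
        # another tenant by putting a different ID in the request body.
        self._rows[(actor.business_id, inv_id)] = {"id": inv_id, "amount": amount, "status": "open"}
        return inv_id

    def get(self, actor: Actor, inv_id: str):
        authorize(actor, "invoice:read")
        # Lookup is keyed by the caller's business as well as the ID: a valid ID
        # belonging to another tenant is indistinguishable from a missing one.
        return self._rows.get((actor.business_id, inv_id))

    def void(self, actor: Actor, inv_id: str) -> bool:
        authorize(actor, "invoice:void")
        row = self._rows.get((actor.business_id, inv_id))
        if row is None:
            return False
        row["status"] = "void"
        return True


def demo() -> dict:
    api = InvoiceApi()
    owner_a = Actor("u1", "biz_A", "Owner")
    viewer_a = Actor("u2", "biz_A", "Viewer")
    admin_b = Actor("u3", "biz_B", "Admin")       # another business entirely
    inv = api.create(owner_a, 5000)
    out = {
        "own_read": api.get(owner_a, inv) is not None,
        "cross_tenant_read": api.get(admin_b, inv),   # None, not a 403
        "cross_tenant_void": api.void(admin_b, inv),  # False: nothing to void
    }
    try:
        api.void(viewer_a, inv)
        out["viewer_void"] = "allowed"
    except Forbidden:
        out["viewer_void"] = "forbidden"
    out["status_after"] = api.get(owner_a, inv)["status"]
    return out
```

With a SQL store the same rule is a `WHERE business_id = ? AND id = ?` on every query, with `business_id` bound from the session. Answering a cross-tenant lookup with "not found" rather than "forbidden" avoids confirming that the guessed ID exists.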

Append-only audit log

Every write is logged with the actor, timestamp and source IP. The audit log is append-only: database-level constraints reject updates and deletes on it, so even an Owner cannot rewrite history.
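One way to enforce append-only at the database rather than in application code, as an added example that is not Rekava's code: triggers that abort any UPDATE or DELETE on the audit table. SQLite is used so the block runs offline; the schema, column names and the `record` helper are assumptions, and the page does not name Rekava's actual database.

```python
# Added example (not Rekava's code): an append-only audit table enforced by
# database triggers. SQLite keeps it self-contained; schema and column names
# are assumptions.
import sqlite3

SCHEMA = """
CREATE TABLE audit_log (
    id         INTEGER PRIMARY KEY,
    ts         TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
    actor_id   TEXT NOT NULL,
    actor_role TEXT NOT NULL,
    ip         TEXT NOT NULL,
    action     TEXT NOT NULL,
    record_id  TEXT,
    detail     TEXT
);
-- Database-level guard: every UPDATE or DELETE aborts, whoever issues it.
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record(conn, actor_id, actor_role, ip, action, record_id=None, detail=None) -> int:
    """Called from every write path; returns the new audit row id."""
    cur = conn.execute(
        "INSERT INTO audit_log (actor_id, actor_role, ip, action, record_id, detail) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (actor_id, actor_role, ip, action, record_id, detail),
    )
    conn.commit()
    return cur.lastrowid


def try_rewrite(conn, sql, params=()) -> str:
    """Attempt an edit or delete and report whether the trigger blocked it."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return "allowed"
    except sqlite3.DatabaseError as e:
        conn.rollback()
        return "blocked" if "append-only" in str(e) else f"error: {e}"


def demo() -> dict:
    conn = open_db()
    # Constructed entry: an Owner voiding an invoice from a documentation IP.
    row = record(conn, "u1", "Owner", "203.0.113.7", "invoice:void", "inv_42")
    update = try_rewrite(conn, "UPDATE audit_log SET action = 'invoice:read' WHERE id = ?", (row,))
    delete = try_rewrite(conn, "DELETE FROM audit_log WHERE id = ?", (row,))
    remaining = conn.execute("SELECT action FROM audit_log WHERE id = ?", (row,)).fetchone()[0]
    count = conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
    return {"row": row, "update": update, "delete": delete,
            "remaining": remaining, "count": count}
```

Triggers stop every path that goes through SQL, including an Owner acting through the application, but an account with DDL rights can drop them. In practice the trigger is paired with a database role for the application that has INSERT and SELECT on the table and nothing else (in PostgreSQL, `REVOKE UPDATE, DELETE ON audit_log FROM app_role;`), so the guarantee does not rest on the trigger alone.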

Abuse & input defence

Per-IP rate limiting on the authentication and API endpoints slows brute-force and flooding attempts. All input is validated against strict schemas, and a request carrying unknown fields is rejected outright before anything reaches the database.
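The two defences above, as an added example that is not Rekava's code: a per-IP token bucket for the login endpoint, and a strict request schema for creating an invoice that rejects unknown fields (so a client cannot smuggle a `status` column into a create call) and checks the amount as a decimal. The limits, the field list and the validator are assumptions, not Rekava's schema or limiter.

```python
# Added example (not Rekava's code): per-IP token bucket plus a strict schema
# that rejects unknown fields. Limits, field names and the validator itself
# are assumptions.
import time
from decimal import Decimal, InvalidOperation


class TokenBucket:
    """`capacity` tokens per key, refilled at `rate` tokens per second."""
    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self._state = {}   # key (e.g. client IP) -> (tokens, last_refill)

    def allow(self, key: str) -> bool:
        now = self.clock()
        tokens, last = self._state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self._state[key] = (tokens, now)
            return False
        self._state[key] = (tokens - 1, now)
        return True


class ValidationError(ValueError):
    pass


# Field -> (type, required). Any field not listed here is an error.
INVOICE_CREATE = {
    "customer_id": (str, True),
    "amount":      (Decimal, True),
    "currency":    (str, True),
    "memo":        (str, False),
}


def validate(schema: dict, payload) -> dict:
    """Return a clean dict holding only schema fields, coerced and checked.
    Unknown fields are rejected rather than silently dropped."""
    if not isinstance(payload, dict):
        raise ValidationError("body must be a JSON object")
    unknown = set(payload) - set(schema)
    if unknown:
        raise ValidationError(f"unknown fields: {sorted(unknown)}")
    clean = {}
    for name, (typ, required) in schema.items():
        if name not in payload:
            if required:
                raise ValidationError(f"missing field: {name}")
            continue
        value = payload[name]
        if typ is Decimal:
            try:
                value = Decimal(str(value))
            except InvalidOperation:
                raise ValidationError(f"{name} must be a number")
            if value <= 0 or value != value.quantize(Decimal("0.01")):
                raise ValidationError(f"{name} must be positive with at most 2 decimals")
        elif not isinstance(value, typ) or (typ is str and not value.strip()):
            raise ValidationError(f"{name} must be a non-empty {typ.__name__}")
        clean[name] = value
    return clean


def demo() -> dict:
    t = [0.0]                                                  # controllable clock
    bucket = TokenBucket(capacity=5, rate=1 / 60, clock=lambda: t[0])   # 5 tries, +1 per minute
    burst = [bucket.allow("203.0.113.7") for _ in range(6)]    # constructed attacker IP
    t[0] += 61
    after_minute = bucket.allow("203.0.113.7")
    other_ip = bucket.allow("198.51.100.2")                    # unaffected client

    results = {"burst": burst, "after_minute": after_minute, "other_ip": other_ip}
    results["good"] = validate(INVOICE_CREATE,
                               {"customer_id": "c_1", "amount": "120.50", "currency": "GHS"})
    bad_inputs = {
        "mass_assignment": {"customer_id": "c_1", "amount": 10, "currency": "GHS", "status": "paid"},
        "negative_amount": {"customer_id": "c_1", "amount": -5, "currency": "GHS"},
        "missing_field":   {"customer_id": "c_1", "amount": 10},
    }
    for label, payload in bad_inputs.items():
        try:
            validate(INVOICE_CREATE, payload)
            results[label] = "accepted"
        except ValidationError as e:
            results[label] = str(e)
    return results
```

Rejecting unknown fields, rather than ignoring them, is what closes mass-assignment: the `status` key in the constructed payload never reaches an INSERT. Amounts are parsed as `Decimal` from the string form so that float rounding cannot alter a money value on the way in.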

Payment data

Card and Mobile Money credentials are handled by our payment processor, Paystack — a PCI-DSS compliant provider. Rekava never sees or stores full card numbers. We store only transaction references, amounts, and channels needed for reconciliation.

Reporting a vulnerability

If you believe you’ve found a security issue, please email security@rekava.africa. Give us a clear description and steps to reproduce. We investigate every report and will not pursue action against good-faith research.