Security

How we keep your data safe at GotReceipts.

Last updated: December 2025

Infrastructure

GotReceipts is hosted on Railway, a modern cloud platform with enterprise-grade security. Our infrastructure includes:

  • SOC 2 Type II compliant hosting environment
  • Automatic DDoS protection
  • Private networking between services
  • Automated security patches and updates
  • 99.9% uptime SLA

Data Protection

  • Encryption in transit - All connections use TLS 1.3. Your data is encrypted between your device and our servers.
  • Encryption at rest - Database storage is encrypted using AES-256. Your data is protected even at the storage level.
  • Secure file storage - Receipt images are stored on Cloudflare R2 with encryption at rest and signed URLs for access control.
  • Database backups - Automated daily backups with point-in-time recovery capabilities.

Authentication

We offer multiple secure authentication methods:

  • Passkeys (WebAuthn) - The most secure option. Uses biometrics (Face ID, Touch ID, Windows Hello) or hardware security keys. Phishing-resistant and no passwords to steal.
  • Email OTP - Time-limited 6-digit codes sent to your email. Codes expire after 10 minutes.
  • Magic Links - One-click sign-in links sent to your email. Single-use and time-limited.

We do not store passwords. All authentication is passwordless, eliminating the risk of password breaches.

Session Security

  • Sessions are bound to your device and expire automatically after inactivity
  • Session tokens are cryptographically secure random values
  • IP address and user agent are recorded for security monitoring
  • Signing out invalidates your session immediately

API Security

  • API keys are hashed before storage - we cannot see your full key
  • Rate limiting prevents abuse (1,000 requests per hour by default)
  • All API endpoints require authentication
  • CORS policies restrict which domains can make requests

Security Practices

  • Dependencies are regularly audited and updated
  • Environment secrets are stored securely and never committed to code
  • Principle of least privilege for all service access
  • Type-safe codebase reduces common vulnerability classes

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly. Contact us at theomjones@gmail.com with details of the issue. We appreciate your help keeping GotReceipts secure.

Please do not:

  • Access or modify other users' data
  • Perform actions that could harm service availability
  • Publicly disclose the issue before we've had a chance to fix it

Questions? Get in touch.