Security

Receipts are sensitive.
We treat them that way.

A receipt is a record of what you bought, where, and how you paid for it. We treat it the way your bank treats a transaction: encrypted, scoped, and only retained as long as you say it should be.

Encryption in transit and at rest

All traffic to api.ripceipt.com and the dashboard runs over TLS 1.2+. Receipts and structured data are encrypted at rest in the database and in object storage. API keys are stored hashed.

Signed webhooks

Every webhook delivery is HMAC-SHA256 signed with a per-workspace secret and a timestamp. Verify the signature, reject anything outside a 5-minute window, and you have replay protection by default.
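
One way a receiver could implement the check described above, as an added example and not Ripceipt's own code. The page does not give the header names or the exact signed string, so the `<timestamp>.<raw body>` layout, the hex encoding, and every name and sample value below are assumptions.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 5 * 60  # the 5-minute window named in the text


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    # Assumed layout: HMAC-SHA256 over b"<timestamp>." + raw body, hex-encoded.
    # Covering the timestamp with the MAC stops it being rewritten on replay.
    message = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret, timestamp_header, signature_header, body, now=None):
    """Return (accepted, reason) for one delivery. `body` is the raw bytes."""
    now = time.time() if now is None else now
    try:
        timestamp = int(timestamp_header)
    except (TypeError, ValueError):
        return False, "bad-timestamp"
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False, "stale"
    if not isinstance(signature_header, str):
        return False, "bad-signature"
    expected = sign(secret, timestamp, body).encode("ascii")
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected, signature_header.encode("utf-8")):
        return False, "bad-signature"
    return True, "ok"


# Constructed sample values, not real secrets or payloads.
LIVE_SECRET = b"constructed-live-secret"
TEST_SECRET = b"constructed-test-secret"
BODY = b'{"receipt_id": "example-123", "total": "12.50"}'
SENT_AT = 1_700_000_000
SIGNATURE = sign(LIVE_SECRET, SENT_AT, BODY)

if __name__ == "__main__":
    print(verify_webhook(LIVE_SECRET, str(SENT_AT), SIGNATURE, BODY, now=SENT_AT + 30))
    print(verify_webhook(LIVE_SECRET, str(SENT_AT), SIGNATURE, BODY, now=SENT_AT + 600))
    print(verify_webhook(LIVE_SECRET, str(SENT_AT + 600), SIGNATURE, BODY, now=SENT_AT + 600))
    print(verify_webhook(TEST_SECRET, str(SENT_AT), SIGNATURE, BODY, now=SENT_AT + 30))
```

Verify against the raw request bytes before any JSON parsing, since re-serialising the body changes the bytes the MAC was computed over.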

Three retention modes

Choose per workspace, override per upload. Retain everything (default), delete the original file after extraction, or delete both file and structured data once your webhook confirms receipt. Your retention policy, your call.

Workspaces and scoped keys

Every API key is scoped to a single workspace. Members get role-based access. Live and test keys are distinct, with separate webhook secrets so prod and dev never share signing material.

Sub-processors

The vendors that touch your data.

We use a small set of vendors to deliver the product. Each one processes a specific category of data on our behalf and is bound by its own data processing terms. We update this list before adding new processors.

  • Vercel: Web hosting and edge runtime
  • Supabase: Postgres database, object storage, and auth
  • Stripe: Subscription billing and customer portal
  • AI provider: Vision-language extraction (configurable; current provider on request)

Found something?
Tell us first.

We publish a security.txt at the standard location with our contact and policy. We acknowledge reports within two business days and aim to triage within five. Please don't test against accounts that aren't yours, and don't exfiltrate data you don't need to demonstrate the issue.

Contact: mailto:support@ripceipt.com
Expires: 2027-04-30T00:00:00.000Z
Preferred-Languages: en
Canonical: https://ripceipt.com/.well-known/security.txt
