Security

REPSShield handles sensitive financial documentation. Here is exactly how we protect it.

Data Encryption

At Rest

All user data — including time logs, calendar events, property records, and generated reports — is encrypted at rest using AES-256. Database encryption is applied at the storage layer, independent of application-level access controls.

In Transit

All data transmitted between your browser, our servers, and third-party integrations (Google, Microsoft) is encrypted using TLS 1.3. Connections using older TLS versions (1.0, 1.1) or weak cipher suites are rejected. HSTS is enforced with a one-year max-age header.

Calendar & Email Access

REPSShield connects to Google Calendar, Outlook 365, and Apple Calendar using OAuth 2.0. We request read-only scopes: REPSShield cannot create, modify, or delete your calendar events or emails. Your OAuth tokens are encrypted at rest and never exposed in logs or error messages. You can revoke access at any time from your Google, Microsoft, or Apple account settings.

Access Controls

Authentication

Passwords are hashed using bcrypt with a cost factor of 12. REPSShield supports two-factor authentication (TOTP). Session tokens are cryptographically random, stored in HttpOnly cookies with SameSite=Strict, and expire after 30 days of inactivity or on explicit logout.

Authorization

Every API request is authenticated and authorized at the row level. Your data is scoped to your account — no user can access another user's time logs, properties, or reports. Internal REPSShield staff access to production data requires multi-factor authentication and is logged with a named justification.

Infrastructure

REPSShield runs on cloud infrastructure with network-level firewalls that block all inbound traffic except HTTPS (443). Database servers are not directly accessible from the public internet. Deployments use short-lived credentials via IAM roles — no long-lived API keys are used in production.

Audit Logging

REPSShield maintains an append-only audit log for security-relevant events:

• Login attempts (successful and failed), IP address, timestamp
• OAuth connections and disconnections
• Data exports (who exported, which report, when)
• Account setting changes (email, password, 2FA)
• AI categorization overrides (which user changed which entry)
• Administrative access to production systems

Audit logs are immutable — they cannot be edited or deleted by application users or internal staff through normal operations. Logs are retained for a minimum of three years.

Data Retention & Deletion

Your data remains on REPSShield servers for as long as you maintain an account. If you cancel, you have 90 days to export your data before it is permanently deleted. To request immediate deletion, contact security@repsshield.com. Deletion is irreversible and includes all time logs, property records, generated reports, and calendar tokens.

Vulnerability Disclosure

If you discover a security vulnerability in REPSShield, please report it to security@repsshield.com. Include a description of the issue, steps to reproduce, and the potential impact. We will acknowledge receipt within 48 hours and provide a status update within 7 days. We do not pursue legal action against researchers who follow responsible disclosure practices.

Last updated: March 2026. Questions? Email security@repsshield.com.