Security at Reckon
Last updated: 23 April 2026
Reckon is operated by Carrotly Pte. Ltd. in Singapore. Our customers trust us with access to their Notion workspaces, so security is a first-class part of how the product is built. This page summarises our technical and organisational measures.
What we protect
We protect three things: your OAuth credentials, your account metadata (email, device tokens), and the operational logs that prove the service is running correctly. Your task content stays in Notion — Reckon proxies API calls and does not persist task data.
Encryption
- In transit: all traffic between clients (iOS, web) and our backend uses TLS 1.2 or higher with modern cipher suites. HTTP Strict Transport Security (HSTS) is enabled with a two-year max-age and includeSubDomains.
- At rest: Notion OAuth access and refresh tokens are encrypted with AES-256-GCM before being written to the database. The encryption key is held in a secret manager and rotated on a documented schedule.
- Backups: database backups are encrypted, retained for 30 days, and expire automatically.
Access control
- Production systems are accessed via short-lived, MFA-protected credentials. Standing long-lived credentials are not used.
- Application-level authorisation enforces a per-device JWT scope. A device can only act on the workspace it was authorised against during OAuth.
- We log all production access for audit. Logs do not contain task content, OAuth tokens, or request bodies.
Application security
- All API inputs are validated with Zod schemas at the route boundary. Inputs that do not parse are rejected before any side effects.
- The Notion webhook endpoint verifies an HMAC-SHA256 signature on every request and rejects mismatches with a 401.
- OAuth flows use a Redis-stored CSRF state nonce with single-use semantics.
- The Notion mutation proxy is rate-limited per workspace to protect the upstream API and to defend against abuse.
- Security headers (HSTS, X-Content-Type-Options, X-Frame-Options: DENY, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy that denies camera, microphone, and geolocation) are applied to every route.
- Dependencies are scanned automatically; security-critical updates are prioritised.
Hosting and data residency
- The web service runs on Vercel. The database (PostgreSQL) and cache (Redis) run on Microsoft Azure in the Singapore region.
- Crash reports are sent to Sentry (USA) after scrubbing personal identifiers and task content.
- Product-usage analytics are sent to PostHog (USA, EU) keyed to a random device ID.
- A current list of sub-processors is published at /sub-processors.
Incident response
We monitor service health and security events continuously. In the event of a personal data breach that is likely to result in significant harm, we will (a) notify the Personal Data Protection Commission of Singapore within 3 calendar days of our assessment under the PDPA, and (b) notify the competent supervisory authority within 72 hours and affected individuals without undue delay under GDPR Articles 33 and 34.
Responsible disclosure
If you believe you have found a vulnerability in Reckon, please email hello@usereckon.com with the subject line "Security disclosure" and a description that lets us reproduce the issue. We commit to:
- Acknowledging your report within 3 business days
- Providing an initial assessment within 10 business days
- Keeping you informed about remediation and not taking legal action against good-faith researchers who follow this process
Please do not access data that is not yours, do not run automated scans that degrade the service, and give us reasonable time to fix the issue before public disclosure.
Compliance
Reckon is designed to comply with Singapore's PDPA, the EU and UK GDPR, and the California CCPA/CPRA. We do not currently hold a third-party security certification (such as SOC 2 or ISO 27001). Where business customers require a security questionnaire or a Data Processing Addendum, see /dpa or contact us.
Contact
Security questions: hello@usereckon.com.