Security

How we protect your data and keep Repsalio secure

1. Our Security Commitment

Repsalio is a B2B SaaS platform for sales network management. We understand that you trust us with sensitive business information, and we take that responsibility seriously.

Although based in Serbia, we voluntarily comply with GDPR and implement industry-standard security practices to protect your data.

2. Encryption

Data in Transit

  • All connections are encrypted using TLS 1.3
  • HTTPS is enforced on all pages
  • HTTP Strict Transport Security (HSTS) prevents downgrade attacks

Data at Rest

  • Database encryption provided by MongoDB Atlas (AES-256)
  • Session cookies encrypted using AES-256-GCM (Iron Session)
  • File storage encrypted at rest (Vercel Blob Storage)

Password Security

  • Passwords are never stored in plain text
  • We use bcrypt with 12 salt rounds for password hashing
  • Password reset tokens expire after 1 hour

3. Authentication & Access Control

Session Management

  • HTTP-only cookies prevent JavaScript access to session data
  • Secure flag ensures cookies are only sent over HTTPS
  • SameSite=Lax prevents CSRF attacks
  • User sessions expire after 30 days of inactivity
  • Admin sessions expire after 4 hours
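To verify that a deployed session cookie actually carries the attributes listed above, here is an added example (not Repsalio's code) that parses a Set-Cookie header and reports deviations from the stated policy: HttpOnly, Secure, SameSite=Lax, and a lifetime of at most 30 days for users or 4 hours for admins. The cookie name `repsalio_session` and the sample headers are constructed for illustration.

```javascript
// Added example, not Repsalio's code: audit a Set-Cookie header against the
// session policy stated on this page. Cookie name and sample values are constructed.
const POLICY = {
  user:  { maxAgeSeconds: 30 * 24 * 60 * 60 }, // 30 days of inactivity
  admin: { maxAgeSeconds: 4 * 60 * 60 },       // 4 hours
};

// Parse one Set-Cookie header value into { name, value, attrs }; attrs keys are
// lower-cased attribute names, and bare flags such as HttpOnly map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return the list of policy violations for a cookie issued to `role` (empty = compliant).
function auditSessionCookie(header, role = 'user') {
  const { attrs } = parseSetCookie(header);
  const problems = [];
  if (attrs.httponly !== true) problems.push('missing HttpOnly');
  if (attrs.secure !== true) problems.push('missing Secure');
  if (String(attrs.samesite || '').toLowerCase() !== 'lax') problems.push('SameSite is not Lax');
  const maxAge = attrs['max-age'] === undefined ? NaN : Number(attrs['max-age']);
  if (Number.isNaN(maxAge) && attrs.expires === undefined) {
    // No lifetime at all: the browser keeps the cookie until it closes, so the
    // inactivity timeout has to be enforced server-side on the session record.
    problems.push('no Max-Age/Expires (lifetime must be enforced server-side)');
  } else if (!Number.isNaN(maxAge) && maxAge > POLICY[role].maxAgeSeconds) {
    problems.push(`Max-Age ${maxAge}s exceeds ${role} limit of ${POLICY[role].maxAgeSeconds}s`);
  }
  return problems;
}

// Constructed sample headers: one compliant user cookie, one non-compliant admin cookie.
const GOOD_USER = 'repsalio_session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=2592000';
const BAD_ADMIN = 'repsalio_session=abc123; Path=/; Secure; SameSite=None; Max-Age=2592000';

console.log(auditSessionCookie(GOOD_USER, 'user'));  // []
console.log(auditSessionCookie(BAD_ADMIN, 'admin')); // three violations
```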

Multi-Factor Authentication (MFA)

  • Optional TOTP-based MFA for all users
  • Mandatory MFA for admin accounts
  • Compatible with authenticator apps (Google Authenticator, Authy, etc.)

Role-Based Access Control

  • Separate roles: Agent, Company, Admin
  • Users can only access their own data
  • Companies can only see applications to their jobs
  • Admin access requires additional authentication

4. Infrastructure Security

Hosting

  • Application: Vercel Edge Network with automatic DDoS protection
  • Database: MongoDB Atlas M10 cluster in EU (Frankfurt)
  • File Storage: Vercel Blob Storage with CDN

Network Security

  • DDoS protection at the edge
  • Web Application Firewall (WAF) rules
  • IP-based rate limiting via Upstash Redis
  • Geographic distribution for resilience

Bot Protection

  • Cloudflare Turnstile on login and registration forms
  • Rate limiting on sensitive endpoints
  • Automated abuse detection

5. Application Security

Protection Against Common Attacks

  • Cross-Site Request Forgery (CSRF): Protected by SameSite cookies and token validation
  • Cross-Site Scripting (XSS): Input sanitization and Content Security Policy
  • SQL Injection: Not applicable (NoSQL database with parameterized queries)
  • NoSQL Injection: Input validation and sanitization on all database queries

Email Verification

  • Email verification required for new accounts
  • Verification tokens expire after 24 hours
  • Secure, unique tokens prevent enumeration attacks

6. Compliance & Data Protection

  • GDPR: Voluntary compliance with EU data protection regulations
  • Data Processing Agreements: In place with all sub-processors
  • Data Retention: Clear policies for data retention and deletion
  • User Rights: Tools for data export, correction, and deletion

For more information, see our Privacy Policy and GDPR page.

7. Vulnerability Reporting

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

How to Report

Email: office@repsalio.com

Subject: Security Vulnerability Report

Response: We aim to acknowledge reports within 48 hours

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any suggested fixes (optional)

Our Commitment

  • We will not take legal action against good-faith security researchers
  • We will work with you to understand and resolve the issue
  • We will credit reporters (if desired) after the issue is fixed

8. Questions?

If you have questions about our security practices, please contact us at office@repsalio.com.