​
Security Overview

Reevit is built with security as a foundational principle. As a payment orchestration platform handling sensitive financial data, we employ industry-standard security practices to protect your data and your customers’ information.

​
πŸ” Data Encryption

​
Encryption in Transit

All data transmitted to and from Reevit is encrypted using TLS 1.3 (Transport Layer Security). This ensures that:
  • All API communications use HTTPS with modern cipher suites
  • Webhook deliveries are encrypted end-to-end
  • No sensitive data is ever transmitted in plain text
# All Reevit endpoints require TLS 1.2+
curl -https://api.reevit.io/v1/payments

​
Encryption at Rest

Sensitive data stored by Reevit is encrypted using AES-256-GCM:
OperationLatencyMemoryAllocations
Encrypt~957 ns/op1.7 KB8 allocs
Decrypt~647 ns/op1.5 KB5 allocs
Round Trip~1.5 ΞΌs/op3.2 KB13 allocs
  • PSP Credentials: API keys, secrets, and tokens are encrypted before storage
  • Payment Metadata: Customer PII is encrypted at rest
  • Database Encryption: All database volumes use full-disk encryption
Credential encryption uses envelope encryption with hardware-backed key management (AWS KMS support).
Performance: AES-256-GCM encryption adds minimal latency (~1.5ΞΌs) to credential operations, ensuring security without impacting payment processing speed.

​
πŸ”‘ Credential Management (BYOK)

Reevit operates on a Bring Your Own Key (BYOK) model. Your payment provider credentials are:
  1. Never shared with other organizations
  2. Encrypted at rest using AES-256
  3. Accessed only during payment processing
  4. Never logged in plain text

​
Credential Storage

When you create a Connection, your credentials are:
  1. Transmitted over TLS to Reevit
  2. Encrypted immediately upon receipt using your organization’s encryption key
  3. Stored in a dedicated secrets vault with hardware security module (HSM) protection
  4. Decrypted only when processing payments for your organization

​
Supported Credential Formats

ProviderRequired Credentials
Paystacksecret_key
Hubtelclient_id, client_secret, merchant_account
Flutterwavesecret_key
MonnifyapiKey, contractCode
M-Pesaconsumer_key, consumer_secret, passkey, short_code
Stripesecret_key (or sk_live, sk_test)
Credential Aliases: Reevit accepts multiple key names for flexibility (e.g., secretKey or secret_key for Paystack).

​
πŸ›‘οΈ Webhook Security

Reevit verifies all incoming webhooks from payment providers to prevent spoofing attacks.

​
Signature Verification

Each provider uses its own signature mechanism:
ProviderVerification MethodAlgorithm
PaystackHMAC-SHA512 signature in x-paystack-signature headerSHA-512
HubtelHMAC-SHA256 signature in hubtel-signature headerSHA-256
FlutterwaveHMAC-SHA256 signature in verifier-hash headerSHA-256
StripeEd25519 signature in Stripe-Signature headerEd25519
M-PesaOAuth token + signature verificationSHA-256

​
Webhook Secrets

For Stripe, store your webhook signing secret in connection credentials: 
await reevit.connections.create({
  provider: "stripe",
  credentials: {
    secret_key: "sk_live_...",
    stripe_webhook_secret: "whsec_..."  // Required for webhook verification
  }
});
Always verify webhook signatures: Never process a webhook without signature verification. Reevit rejects all unverified webhooks.

​
πŸ›‘οΈ HTTP Security Headers

All Reevit API responses include security headers to protect against common web vulnerabilities:
HeaderValuePurpose
Strict-Transport-Securitymax-age=31536000; includeSubDomains; preloadEnforces HTTPS for 1 year
X-Content-Type-OptionsnosniffPrevents MIME type sniffing
X-Frame-OptionsDENYPrevents clickjacking attacks
X-XSS-Protection1; mode=blockXSS filter for older browsers
Referrer-Policystrict-origin-when-cross-originControls referrer information
Content-Security-Policydefault-src β€˜none’; frame-ancestors β€˜none’API response CSP
Permissions-Policygeolocation=(), microphone=(), camera=()Restricts browser features
Performance: Security headers add negligible overhead to all responses.

​
πŸ”’ API Authentication

​
API Keys

Reevit uses API keys for authentication. Keys are scoped to organizations and can have specific permission scopes.
Key TypePurposeScope
Live Keys (pfk_live_...secret)Production paymentsAll operations
Test Keys (pfk_test_...secret)Development & testingRead-only for some endpoints

​
Authentication Scopes

API keys can be restricted to specific scopes:
ScopeDescription
payments:readView payment history
payments:writeCreate and manage payments
connections:readView PSP connections
connections:writeCreate/update connections
webhooks:readView webhook logs
webhooks:writeConfigure webhooks

​
Password Hashing

User passwords are hashed using Argon2id (winner of the Password Hashing Competition):
OperationTimeMemory
Hash~11.4 ms16.8 MB
Verify~11.2 ms16.8 MB
Argon2id provides strong resistance against GPU-based and ASIC attacks while maintaining reasonable performance for authentication flows.
Security: Argon2id with 16.8 MB memory usage provides excellent protection against brute-force attacks, even on hardware with significant computational power.

​
Rate Limiting

Reevit implements rate limiting to prevent abuse:
PlanRequests/minuteBurstLatency
Free6010~2 ΞΌs
Pro30050~2 ΞΌs
Enterprise1000+Custom~2 ΞΌs
Performance: In-memory rate limiting adds only ~2ΞΌs overhead per request. Redis-based distributed rate limiting is available for multi-instance deployments.

​
πŸ“‹ Audit Logging

All sensitive operations are logged with:
  • Timestamp: ISO 8601 formatted
  • Actor: User/service that performed the action
  • Action: What operation was performed
  • Resource: Affected entity (e.g., connection ID)
  • Result: Success/failure with error details

​
Logged Events

CategoryEvents
ConnectionsCreate, update, delete, test
PaymentsCreate, confirm, refund, cancel
WebhooksDelivery attempts, failures
AuthenticationLogin, key creation, key revocation
Audit logs are retained for 24 months and are immutable.
Audit Access: Enterprise plans can export audit logs via API for compliance reporting.

​
🏒 Compliance

​
PCI DSS

Reevit is designed to help you maintain PCI DSS compliance:
  • SAQ A Eligible: If you use Reevit Checkout or Payment Links, you may be eligible for SAQ A
  • No Card Storage: Reevit never stores raw card numbers
  • Tokenized Data: Card references are PSP-managed tokens
Your Responsibility: You must ensure your integration follows PCI guidelines. Use our hosted payment pages when possible to minimize scope.

​
Data Residency

By default, data is processed in EU-West (Ireland). Enterprise customers can request data residency in:
  • EU: Ireland (default)
  • US: Virginia
  • APAC: Singapore

​
Data Retention

Data TypeRetention Period
Payment records7 years (regulatory requirement)
Audit logs24 months
Webhook logs90 days
Temporary logs7 days

​
πŸ› οΈ Security Best Practices

​
For Your Application

  1. Never expose API keys in client-side code 
    // ❌ Wrong - exposes key to browser
const client = new Reevit('pfk_live_xxx.secret', 'org_123');

// βœ… Correct - use server-side only
const client = new Reevit(
  process.env.REEVIT_API_KEY!,
  process.env.REEVIT_ORG_ID!
);
  2. Use webhooks for payment confirmation 
    // ❌ Never trust client-side success
if (payment.status === 'succeeded') fulfillOrder();

// βœ… Always verify via webhook
app.post('/webhooks/reevit', async (req, res) => {
  if (verifySignature(req)) {
    if (req.body.event === 'payment.succeeded') {
      fulfillOrder(req.body.data.payment_id);
    }
  }
});
  3. Implement idempotency 
    curl -X POST https://api.reevit.io/v1/payments/intents \
  -H "X-Reevit-Key: pfk_live_xxx.secret" \
  -H "X-Org-Id: org_123" \
  -H "Idempotency-Key: order_12345" \
  -H "Content-Type: application/json" \
  -d '{"amount": 5000, "currency": "GHS", "method": "mobile_money", "country": "GH"}'
  4. Validate webhooks on your server 
    const signature = req.headers['x-reevit-signature'];
if (!verifyWebhookSignature(signature, body, webhookSecret)) {
  return res.status(401).send('Invalid signature');
}

​
For Your PSP Connections

  1. Use separate credentials per environment 
    // Development
await reevit.connections.create({
  provider: 'paystack',
  mode: 'sandbox',
  credentials: { secret_key: 'sk_test_...' }
});

// Production
await reevit.connections.create({
  provider: 'paystack',
  mode: 'live',
  credentials: { secret_key: 'sk_live_...' }
});
  2. Enable connection health monitoring
    • Reevit automatically tracks success rates and latency
    • Configure alerts for degraded connections
  3. Use labels for organization 
    await reevit.connections.create({
  provider: 'stripe',
  labels: ['production', 'cards-primary', 'eu'],
  routing_hints: { priority: 'primary' }
});

​
🚨 Incident Response

​
Security Monitoring

Reevit maintains 24/7 security monitoring with:
  • Intrusion Detection: Automated anomaly detection
  • DDoS Protection: Cloudflare-based mitigation
  • Vulnerability Scanning: Regular automated scans

​
Reporting Security Issues

If you discover a security vulnerability:
  1. Do not disclose publicly
  2. Email security@reevit.io with details
  3. Expect response within 24 hours
Responsible Disclosure: We appreciate responsible vulnerability reporting and will work with you to resolve issues quickly.

​
πŸ“š Benchmark Methodology

Security benchmarks were run on Apple M1 Max (arm64) with the following configuration:
  • Encryption: AES-256-GCM with 32-byte keys
  • Password Hashing: Argon2id with 16.8 MB memory, 1 iteration
  • Rate Limiting: Sliding window algorithm with in-memory storage
  • HTTPS Headers: Chi middleware with Go 1.25
All benchmarks represent median performance over 10+ runs.
Note: Actual performance may vary based on hardware, load, and network conditions. Benchmarks are indicative of security implementation efficiency.

​
πŸ“š Related Resources

Connections

Securely manage your PSP credentials with BYOK.

Webhooks

Secure webhook handling and signature verification.

Authentication

API key management and access scopes.

Audit Logs

API endpoints for accessing audit and security logs.