Security at Recover
We handle failed payment data with the same care you'd expect from your bank. Here is exactly how.
Webhook verification
Every Stripe event is verified using HMAC-SHA256 before any processing begins. We use Stripe's official library to construct and validate the signature against your webhook signing secret. Events that fail verification are rejected with a 400 and never processed.
// Verifying a Stripe webhook in Node.js
const express = require('express');
const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);
const app = express();

// The raw body parser is required: the signature is computed over the exact
// bytes Stripe sent, so a JSON-parsed and re-serialized body would not verify.
app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
  const sig = req.headers['stripe-signature'];
  let event;
  try {
    event = stripe.webhooks.constructEvent(
      req.body,
      sig,
      process.env.STRIPE_WEBHOOK_SECRET
    );
  } catch (err) {
    // Bad or missing signature: reject before any processing happens.
    return res.status(400).send(`Webhook Error: ${err.message}`);
  }
  // Event is verified. Process it.
  res.json({ received: true });
});
Recover implements the same pattern on the server side. Your signing secret never leaves your Stripe dashboard and is stored encrypted in our environment, never logged.
No card data, ever
We never see or store raw card numbers. All payment processing happens via Stripe's PCI-certified infrastructure. Recover processes only what Stripe sends us in webhook events, which contain no sensitive card data.
Card updates happen via Stripe's Billing Portal, which is hosted entirely on Stripe's infrastructure. Your customers' card details go directly to Stripe and never touch our servers.
What Recover receives
- Customer email address
- Stripe subscription ID
- Invoice amount
- Stripe decline code
- Invoice and customer IDs
What Recover never receives
- Card numbers
- CVV / CVC codes
- Card expiration dates
- Billing addresses
- Bank account details
Email data retention
Customer email addresses are retained for the duration of the active dunning sequence plus 90 days, then purged. We do not use customer emails for any purpose other than sending the dunning sequence on behalf of the merchant. No marketing. No sharing. No analytics on individual email addresses.
Encryption
Data at rest is encrypted with AES-256. All data in transit uses TLS 1.3. Payment update page tokens are 128-bit cryptographically random values generated via crypto.randomUUID(), unique per invoice, and expire after 7 days.
PCI scope
Recover is not in PCI scope. We use Stripe's Billing Portal for all card updates. We never handle card data directly. Your customers update their payment method on Stripe's PCI-certified infrastructure, and Stripe takes full responsibility for cardholder data security in that flow.
As a merchant using Recover, you remain responsible for your own PCI compliance posture, but our integration adds no new cardholder data environment (CDE) to your stack.
GAUNTLET adversarial audit
Recover passed a full adversarial security audit (GAUNTLET-1) before launch. The audit covered six attack personas across SQL injection, insecure direct object reference (IDOR), authentication gaps, cross-site scripting (XSS), and hardcoded secrets. All findings were resolved before the SHIP verdict was issued. The audit is re-run after every significant change to the authentication or webhook handling code paths.
Infrastructure
No third-party analytics tools have access to webhook event data. PostHog is used only for page-level analytics on marketing pages (fourthngoal.ai) with no connection to your Stripe data.
Responsible disclosure
Report security vulnerabilities to security@fourthngoal.ai. We respond within 24 hours and will coordinate responsible disclosure with you before any public release. We do not pursue legal action against researchers who report vulnerabilities in good faith.