Security

How we keep your money and your data safe.

Recavo is built to UK financial-services standards. This page summarises our approach to data handling, card data scope, infrastructure, and incident response.

Card data scope

Card numbers (PANs), CVVs and expiry dates are tokenised by our PCI DSS Level 1 issuing partner. Recavo systems never store, process or transmit raw PANs. When a cardholder views their card details in our web or mobile app, the details are fetched from the partner's tokenised vault on demand, within a customer-authenticated session, so the PAN is delivered by the partner rather than passing through Recavo infrastructure.

This keeps Recavo's PCI DSS scope to SAQ A, the self-assessment questionnaire for entities that fully outsource cardholder-data handling to validated third parties. We complete the self-assessment annually and maintain it as part of our compliance programme.

Authentication and access control

All web sessions require an email-and-password login, with TOTP available as an optional second factor. Strong Customer Authentication (SCA) via 3-D Secure is applied to every online card transaction. Internally, role-based access control determines which finance, admin or cardholder actions a given user may perform, and every privileged action is written to an immutable, append-only audit log.
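As an added illustration of the two internal controls just described (this is example code written for this page, not Recavo's implementation; the role names, permission strings, actor addresses and hash-chain layout are all assumptions), the following Go program performs a default-deny role check at a single choke point and records every decision, denials included, in a hash-chained audit log whose Verify method exposes any edited, deleted or reordered entry:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Role is a coarse internal role. The role names and permission table are
// illustrative assumptions of this example, not Recavo's real model.
type Role string
const RoleCardholder, RoleFinance, RoleAdmin Role = "cardholder", "finance", "admin"

// permissions is the allow-list per role; any action absent from a role's list
// is denied, so a missing entry fails closed rather than open.
var permissions = map[Role][]string{
	RoleCardholder: {"card.view", "card.freeze"},
	RoleFinance:    {"card.view", "statement.export", "limit.set"},
	RoleAdmin:      {"card.view", "card.freeze", "statement.export", "limit.set", "user.invite", "user.remove"},
}

// Allowed reports whether role may perform action.
func Allowed(role Role, action string) bool {
	for _, a := range permissions[role] {
		if a == action {
			return true
		}
	}
	return false
}

// AuditEntry is one record in a hash-chained log: Hash covers every other field plus
// the previous entry's hash, so changing an earlier entry invalidates every later one.
type AuditEntry struct {
	Seq      int
	Actor    string
	Action   string
	Decision string // "allow" or "deny"
	PrevHash string
	Hash     string
}

// AuditLog is an in-memory append-only log; a real deployment would persist to
// write-once storage and publish the latest hash where the writer cannot alter it.
type AuditLog struct {
	Entries []AuditEntry
}

// entryHash covers every field but Hash; the \x1f separators stop "ab"+"c" and
// "a"+"bc" from colliding.
func entryHash(e AuditEntry) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d\x1f%s\x1f%s\x1f%s\x1f%s", e.Seq, e.Actor, e.Action, e.Decision, e.PrevHash)))
	return hex.EncodeToString(sum[:])
}

// Append records a decision and links it to the previous entry.
func (l *AuditLog) Append(actor, action, decision string) {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := AuditEntry{Seq: len(l.Entries), Actor: actor, Action: action, Decision: decision, PrevHash: prev}
	e.Hash = entryHash(e)
	l.Entries = append(l.Entries, e)
}

// Verify walks the chain and returns the index of the first entry whose
// sequence number, back-link or hash does not check out, or -1 if intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.Entries {
		if e.Seq != i || e.PrevHash != prev || entryHash(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Authorize is the single choke point: it decides, records the decision
// (denials included, so attempted misuse is visible), and only then returns.
func Authorize(al *AuditLog, role Role, actor, action string) bool {
	decision := "deny"
	if Allowed(role, action) {
		decision = "allow"
	}
	al.Append(actor, action, decision)
	return decision == "allow"
}

func main() {
	var al AuditLog // actors and actions below are constructed sample data
	fmt.Println(Authorize(&al, RoleFinance, "ana@example.com", "limit.set"))      // true
	fmt.Println(Authorize(&al, RoleCardholder, "bob@example.com", "user.remove")) // false
	fmt.Println(Authorize(&al, RoleAdmin, "cat@example.com", "user.remove"))      // true
	fmt.Println("first bad entry:", al.Verify()) // -1: chain intact
	al.Entries[1].Decision = "allow"             // rewrite a denial into an approval
	fmt.Println("first bad entry:", al.Verify()) // 1: that entry's hash no longer matches
	al.Entries[1].Hash = entryHash(al.Entries[1]) // attacker recomputes the hash...
	fmt.Println("first bad entry:", al.Verify()) // 2: ...but entry 2's back-link now breaks
}
```

The last two lines of main show why the chain alone is not enough: an attacker who can rewrite the newest entry and its hash leaves nothing for Verify to catch, which is why the latest hash must be anchored somewhere the log writer cannot change.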

Data handling

All data is encrypted in transit using TLS 1.2 or later and at rest using AES-256. Each tenant's data is logically isolated, and sensitive fields are encrypted under per-tenant keys, so one tenant's key cannot decrypt another tenant's fields. We process personal data as a controller for our customer relationship and as a processor for cardholder data, in line with UK GDPR.
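As an added illustration of per-tenant field encryption (example code for this page, not Recavo's implementation; the in-memory key generation, the tenant and column names and the associated-data layout are assumptions), the Go program below keeps one AES-256 key per tenant and encrypts individual fields with AES-256-GCM, binding each ciphertext to its tenant and column so that it cannot be decrypted under another tenant's key or quietly moved into a different column. That context binding goes beyond what the page states and is shown here as a design choice:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyRing maps a tenant id to that tenant's AES-256 data key. Keys are generated
// in memory here (an assumption of this example); in production they would be
// held in, or wrapped by, a KMS or HSM.
type KeyRing struct {
	keys map[string]cipher.AEAD
}

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[string]cipher.AEAD{}} }

// ProvisionTenant generates a fresh 256-bit key for the tenant. Re-provisioning
// is refused: replacing a key would make every field already encrypted under it
// unreadable.
func (k *KeyRing) ProvisionTenant(tenant string) error {
	if _, exists := k.keys[tenant]; exists {
		return fmt.Errorf("tenant %q already provisioned", tenant)
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	k.keys[tenant] = aead
	return nil
}

// fieldAAD is the associated data for one value: authenticated but not
// encrypted, it ties the ciphertext to both its tenant and its column name.
func fieldAAD(tenant, field string) []byte { return []byte(tenant + "\x1f" + field) }

// EncryptField returns nonce||ciphertext for one sensitive value under the
// tenant's own key. A fresh random 96-bit nonce per call is what makes it safe
// to reuse the key; never derive the nonce from the row or the value, and
// rotate the key well before 2^32 encryptions to stay clear of nonce collisions.
func (k *KeyRing) EncryptField(tenant, field string, value []byte) ([]byte, error) {
	aead, ok := k.keys[tenant]
	if !ok {
		return nil, fmt.Errorf("no key for tenant %q", tenant)
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, value, fieldAAD(tenant, field)), nil
}

// DecryptField fails unless the tenant's key and the tenant/field context both
// match those used at encryption; a blob copied between tenants or columns is
// rejected rather than decrypted.
func (k *KeyRing) DecryptField(tenant, field string, blob []byte) ([]byte, error) {
	aead, ok := k.keys[tenant]
	if !ok {
		return nil, fmt.Errorf("no key for tenant %q", tenant)
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], fieldAAD(tenant, field))
}

func main() {
	ring := NewKeyRing()
	for _, t := range []string{"acme", "globex"} { // constructed tenant ids
		if err := ring.ProvisionTenant(t); err != nil {
			panic(err)
		}
	}
	blob, err := ring.EncryptField("acme", "sort_code", []byte("12-34-56")) // constructed value
	if err != nil {
		panic(err)
	}
	pt, err := ring.DecryptField("acme", "sort_code", blob)
	fmt.Printf("same tenant and field: %q err=%v\n", pt, err)
	_, err = ring.DecryptField("globex", "sort_code", blob) // other tenant's key
	fmt.Println("other tenant:", err)
	_, err = ring.DecryptField("acme", "account_number", blob) // context mismatch
	fmt.Println("other field:", err)
}
```

Because GCM authenticates the associated data, the cross-tenant and cross-column attempts fail with an authentication error rather than returning garbage, which is the behaviour you want when a ciphertext turns up somewhere it should not.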

Infrastructure

Recavo runs on hardened cloud infrastructure in UK and EU regions. Production access is restricted to a small on-call group and gated by SSO, hardware-key MFA, and just-in-time approval. We deploy with reproducible builds and a documented change management process.

Funds safeguarding

Customer funds are held in safeguarded accounts with a regulated UK credit institution, segregated from Recavo's operating funds. We do not lend, invest, or earn interest on customer balances.

Incident response

We operate a 24/7 on-call rotation. Security incidents follow a documented playbook with defined detection, containment, eradication and customer-notification phases. Material incidents are reported to affected customers and, where a personal data breach is notifiable, to the ICO within the statutory timeline (under UK GDPR, without undue delay and where feasible within 72 hours of becoming aware of the breach).

Responsible disclosure

If you believe you've found a security issue, please email security@recavo.com. We acknowledge reports within one business day and aim to complete triage within five business days. Please give us a reasonable opportunity to remediate before public disclosure.