Trust & Security

How we handle your data and run the platform.

This page is maintained by ReconSight to answer common security and privacy questions about the ReconSight IFRS 9 platform. It describes controls that are currently enabled in the application and is not an independent certification or audit attestation.

Last reviewed: July 2026.

0
Control domains covered
0
Enforced access roles
0%
Tenant-scoped by RLS
0
Data-quality rules per channel
01 · Access & authentication

Authentication and tenant isolation

ReconSight uses managed authentication with email/password and Google sign-in. Sessions are JWT-based and validated server-side on every protected request. Application data is partitioned by tenant and protected with row-level security policies that scope reads and writes to the tenant the user is a current member of. Role-based access (admin, analyst, viewer) is enforced server-side, not by the browser.

02 · Platform & hosting

Hosting and platform context

The application runs on the Lovable platform (frontend and server functions) with a managed PostgreSQL backend. Traffic is served over HTTPS with HSTS and standard security response headers (X-Content-Type-Options, Referrer-Policy, Permissions-Policy). This is a factual description of enabled platform capabilities and is not an independent certification.

03 · Data we collect

What data ReconSight processes

ReconSight processes loan portfolio data that customers upload or stream through configured connectors (account, balance, collateral and payment records under the RDM canonical model), plus the minimum account information required to operate user logins. Personal data of borrowers is not required for the IFRS 9 engine to function; customers control what fields they submit.

04 · Subprocessors & integrations

Subprocessors and integrations

ReconSight relies on a small number of subprocessors to deliver the service, including the hosting and database platform and transactional email delivery. The current subprocessor list is maintained by ReconSight and available on request from temur@reconsight.io.

05 · Encryption & secrets

Encryption and secret handling

Data is encrypted in transit using TLS. Database credentials, service-role keys and connector secrets are stored in the platform's secret manager and are never embedded in the client bundle. Privileged keys are used only inside server-side admin paths.

06 · Retention & deletion

Retention and deletion

Customer portfolio data, run results and audit events are retained for the duration of the subscription. On termination, customers may request export and deletion of tenant data. Specific retention windows and deletion timelines are agreed in the service contract — contact us for the wording that applies to your tenant.

07 · Audit trail & governance

Audit trail and maker-checker

Governed writes — overlay approvals, run executions, calibration changes — are recorded in an append-only audit log via a security-definer function. Overlays follow a maker-checker flow: the user who creates an overlay cannot approve their own request.

08 · Privacy requests

Privacy requests

Requests related to access, correction, export or deletion of personal data tied to a user account can be sent to temur@reconsight.io. Requests covering borrower-level data inside a tenant are handled by the tenant administrator, since ReconSight processes that data on the customer's behalf.

09 · Incident & vulnerability reporting

Security contact and vulnerability reporting

To report a suspected security issue or vulnerability, email temur@reconsight.io with a description and steps to reproduce. We acknowledge reports as soon as practical and coordinate on a fix and disclosure timeline. Please do not test against production tenants you do not own.

10 · Shared responsibility

Shared responsibility

ReconSight operates the application, the IFRS 9 engine and the platform integrations described above. The underlying hosting and database platform provides the infrastructure controls. Customers remain responsible for managing their users and roles, the data they choose to upload, and their own regulatory obligations under IFRS 9 and applicable privacy law.