Security
How we protect your firm's data.
Reckonry holds time entries, invoice lines, and client lists pulled from your Karbon tenant. The controls below describe how access to that data is authenticated, and how the data is encrypted, hosted, logged, and shared with the handful of subprocessors that make the product work.
Authentication
Sign in with your work identity.
Reckonry has no password database. Everyone signs in through your existing identity provider, so the controls your IT team already enforces — MFA, conditional access, device posture, offboarding — apply to Reckonry on day one.
Provider
Google Workspace
OAuth 2.0 via Google. Sessions are JWT-backed and short-lived.
Provider
Microsoft Entra ID
OAuth 2.0 via Microsoft Entra (formerly Azure AD). Same session model.
MFA
Multi-factor authentication is inherited from your identity provider. If Google or Microsoft requires a second factor for a user, Reckonry does too — there is no separate Reckonry password to weaken that posture. For Reckonry's own support staff, write-mode access to a customer tenant requires an additional TOTP step beyond their SSO.
Encryption
Encrypted in transit and at rest.
In transit
TLS 1.2+
All traffic to app.reckonry.ai terminates on Google Cloud Run, which negotiates TLS for every connection. HTTP requests are redirected to HTTPS at the edge.
At rest
AES-256, Google-managed keys
Your firm's data lives in a managed PostgreSQL 16 instance on Google Cloud SQL, which encrypts every disk block with Google-managed AES keys before it is written.
Karbon credentials
Your Karbon access token is the most sensitive value Reckonry holds. It is stored under an additional layer of AES-256-GCM envelope encryption with a key versioned in Google Secret Manager, separate from the application database. Compromise of a database backup alone is not sufficient to decrypt it.
Hosting
Runs on Google Cloud, in the US.
Reckonry is a single deployment on Google Cloud Platform. There are no regional replicas: your data sits in one place, in one country, and is easy to point to during procurement reviews.
- Application runtime: Google Cloud Run
- Database: Google Cloud SQL · PostgreSQL 16
- Secrets: Google Secret Manager
- Background jobs: Google Cloud Tasks
- Region: us-central1 · Council Bluffs, Iowa, USA
Tenant isolation is enforced at the database layer using PostgreSQL row-level security. Application code that queries customer data must first set the active tenant on the connection; rows from other tenants are simply not visible to the query.
Audit logs
You can see who touched your tenant.
Every firm has an audit log under settings. It is append-only: entries cannot be edited or deleted, even by Reckonry's own staff.
What is recorded
- Reckonry support starting, elevating to write mode, or ending a session against your tenant
- Support actions taken on your account: trial extensions, forced re-sync, Karbon credential reset
- Access-control rule changes made by your own firm admins
What you can do with it
- Filter by date range
- See actor email and the reason the operator entered
- Export the filtered view as CSV for your own retention
Audit entries are retained for the life of your tenancy. Row-level security on the underlying table guarantees that even if the application filter were removed, your firm's audit rows could not be returned to another tenant.
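One way to express the tenant isolation described under Hosting and the append-only audit guarantee above with PostgreSQL row-level security. This is an added example, not Reckonry's actual schema; every table, column, role and setting name (`app.tenant_id`, `app_rw`, `current_tenant()`) is an assumption.

```sql
-- Added illustration: all table, column, role and setting names are assumptions.
-- Returns NULL when no tenant is set (or it was reset to ''), so policies match no rows.
CREATE FUNCTION current_tenant() RETURNS uuid LANGUAGE sql STABLE AS
$$ SELECT NULLIF(current_setting('app.tenant_id', true), '')::uuid $$;

CREATE TABLE time_entries (
    id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id uuid NOT NULL,
    minutes   integer NOT NULL
);
CREATE TABLE audit_log (
    id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id uuid NOT NULL,
    actor     text NOT NULL,
    reason    text NOT NULL,
    logged_at timestamptz NOT NULL DEFAULT now()
);

-- FORCE applies the policies to the table owner too; superusers and
-- BYPASSRLS roles still skip them, so the application role must be neither.
ALTER TABLE time_entries ENABLE ROW LEVEL SECURITY;
ALTER TABLE time_entries FORCE ROW LEVEL SECURITY;
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_log FORCE ROW LEVEL SECURITY;

CREATE POLICY tenant_rows ON time_entries
    USING (tenant_id = current_tenant())
    WITH CHECK (tenant_id = current_tenant());

-- Append-only: policies and grants exist for SELECT and INSERT only, so an
-- UPDATE or DELETE on audit_log is rejected with "permission denied".
CREATE POLICY audit_read ON audit_log FOR SELECT USING (tenant_id = current_tenant());
CREATE POLICY audit_append ON audit_log FOR INSERT WITH CHECK (tenant_id = current_tenant());

CREATE ROLE app_rw NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON time_entries TO app_rw;
GRANT SELECT, INSERT ON audit_log TO app_rw;

-- Per request: scope the tenant to the transaction so a pooled connection
-- cannot carry it into the next request. The UUID is a constructed sample.
BEGIN;
SET LOCAL ROLE app_rw;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
SELECT id, minutes FROM time_entries;   -- returns only this tenant's rows
COMMIT;
```

A useful check when reviewing such a setup is to run the same `SELECT` as `app_rw` without calling `set_config` first: it should return zero rows rather than every tenant's data.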
Data handling
What we store, and what leaves the database.
What Reckonry stores
- Your Karbon OAuth token (encrypted — see above)
- Time entries, work items, invoices, clients, contacts, and staff pulled from your Karbon tenant
- User profile fields returned by your SSO (email, name)
- Billing metadata (Stripe customer and subscription IDs — not card numbers)
- The audit log described above
What never leaves Reckonry
- Your client data is not sent to any third-party LLM. Reckonry's calculations are arithmetic on your numbers, not model inference over them.
- Card details never reach Reckonry — Stripe Checkout collects them directly.
- PostHog receives product-usage events and acquisition attribution only. Karbon data (time entries, invoices, client names) is never sent to it.
Subprocessors
Who else touches your data.
This is the full list of third-party services Reckonry uses to run the product. We notify customers in advance of any addition.
| Subprocessor | Purpose | Data shared | Region |
|---|---|---|---|
| Google Cloud Platform | Application hosting, database, secrets, background jobs | All customer data (production datastore) | us-central1 (Iowa, USA) |
| Karbon | Source of record for time, work, and invoice data | OAuth token; Reckonry reads time entries, work items, invoices, clients, contacts, staff | Karbon's own infrastructure |
| Stripe | Subscription billing and payment processing | Firm name, billing email, card details (collected directly by Stripe Checkout, never seen by Reckonry) | USA |
| Amazon SES | Transactional email (invitations, billing notifications) | Recipient email and rendered message body | us-east-1 (Virginia, USA) |
| PostHog | Product analytics and acquisition attribution | Event names, anonymized tenant ID, UTM parameters. No Karbon data, no client names. | US Cloud |
| Cloudflare | DNS and edge proxy for app.reckonry.ai | Request metadata (IP, user agent). TLS is re-terminated on Cloud Run. | Global edge |
Questions about any of the above, or need a signed DPA? Email [email protected].