🛡️ Trust & Safety

Security at Remse

Your identity documents, messages, and money move through Remse every day. Here's exactly how we protect them.

📅 Last Reviewed: July 1, 2026  |  Version 1.0
1 Our Commitment

Remse connects travelers and relocators with agents who handle sensitive tasks — visas, housing, and payments — often before the two parties have ever met in person. That only works if the platform underneath is trustworthy. Security isn't a feature we bolt on; it shapes how every part of Remse, from escrow to messaging, is built.

This page explains the practical measures we take to protect your data and funds, in plain language. If you're a security researcher, see the Responsible Disclosure section for how to report a vulnerability.

2 Infrastructure & Hosting

Remse's backend runs on Google Cloud Platform and Firebase, with primary data centres in the eur3 region. We rely on Google's physical and network-level security rather than maintaining our own servers, which means our infrastructure inherits the same protections used by some of the largest platforms in the world.

  • Cloud Functions handle all sensitive business logic — including escrow and wallet operations — server-side, never on the client device
  • Firestore stores structured data behind security rules evaluated on every request
  • Cloud Storage holds KYC documents and uploaded files in access-restricted buckets
  • Automated backups and versioning protect against accidental data loss
3 Encryption

Data is encrypted both while it's moving and while it's stored:

🔐
In Transit

All traffic between the app, website, and our servers is encrypted using TLS/HTTPS. Unencrypted connections are rejected.

🗄️
At Rest

KYC documents and files sit in encrypted Google Cloud Storage buckets, encrypted by default at the infrastructure level.

🔑
Passwords

Account credentials are hashed and salted using Firebase Authentication — Remse never stores plaintext passwords.

📱
On Device

Session tokens are kept in secure local storage on your device, not in plain app storage.

4 Payment Security

Remse never stores your card details. All payment processing — wallet funding, withdrawals, and escrow — is handled by Paystack, a PCI DSS compliant payment provider used across Africa.

💰 How escrow protects your money: When you pay for a service, funds move into escrow — not directly to the agent. They're only released to the agent when you approve a completed milestone, or when a dispute is formally resolved in their favour.

Wallet balances and escrow amounts are tracked server-side through Cloud Functions, so a compromised device can't be used to alter your balance or trigger an unauthorised transfer.

5 Account Security & KYC

Every agent on Remse goes through identity verification (KYC) before they can list services or receive payments. This protects travelers from impersonation and fraudulent listings.

  • Government-issued ID and proof of address are required for agent verification
  • Verified agents display a badge visible throughout the app
  • Accounts showing suspicious activity (rapid location changes, mismatched device fingerprints, repeated failed logins) are automatically flagged for review
  • We strongly recommend enabling any available biometric lock (Face ID / fingerprint) on your device for an extra layer of protection
6 Access Control

Not every part of the platform is visible to every user — access is scoped tightly by role:

  • Firebase Security Rules enforce role-based access control on every database read and write
  • Custom claims-based authorization gates admin-only operations, separate from regular user permissions
  • Agents can only view data for clients actively engaged with them — not the full user base
  • Internal team access to production data is logged and limited to what's required for the task at hand
7 Testing & Audits

We treat security as an ongoing process rather than a one-time checklist:

Cloud Functions infrastructureRegular audits
Penetration testingPeriodic, third-party
Dependency & library scanningContinuous
Firestore security rulesReviewed on every release
8 Responsible Disclosure

If you're a security researcher and believe you've found a vulnerability in Remse's app, website, or backend, we want to hear from it before anyone else does. Please report it responsibly:

  • Email security@remse.app with a clear description and steps to reproduce
  • Give us a reasonable window to investigate and patch before any public disclosure
  • Do not access, modify, or delete data belonging to other users while testing
  • Do not run automated scanners against production systems without prior written permission
SeverityExamplesTypical Response Time
CriticalEscrow/wallet manipulation, auth bypass, remote code executionWithin 24 hours
HighAccess to another user's private data, privilege escalationWithin 72 hours
MediumBusiness logic flaws, insecure direct object referencesWithin 7 days
LowMissing security headers, minor information disclosureNext release cycle

We currently review disclosures on a case-by-case basis rather than running a formal paid bug bounty programme. Researchers who report valid, previously-unknown issues in good faith will be credited (with permission) once a fix ships.

9 Incident Response

If a security incident affecting user data or funds is confirmed, our process is:

  1. Contain the issue and stop ongoing exposure as the immediate priority
  2. Investigate scope — which accounts, data, or transactions were affected
  3. Notify affected users directly, with a clear explanation of what happened and what to do
  4. Notify relevant regulators where required under NDPR or applicable law
  5. Publish a post-incident summary once the investigation is complete

⚠️ Suspect a breach on your account? Email security@remse.app immediately. We investigate and respond to reported incidents within 24 hours.

10 Keeping Your Account Safe

Most account compromises happen outside our systems — through reused passwords or social engineering. A few habits go a long way:

🔒
Use a Unique Password

Never reuse your Remse password on another site. A password manager makes this easy.

👆
Enable Biometric Lock

Turn on Face ID or fingerprint lock in your device settings for an extra layer at the app level.

🚫
Never Share Credentials

Remse staff will never ask for your password. Treat any such request as a scam.

💬
Keep Payments In-App

Only pay through Remse's escrow system. Requests to pay an agent directly bypass your protection.

11 Compliance

Remse's security and data-handling practices are built around the following frameworks and requirements:

  • NDPR — Nigeria Data Protection Regulation
  • GDPR — for users located in the European Economic Area or United Kingdom
  • PCI DSS — inherited through our payment processor, Paystack, which handles all card data

For details on what data we collect and how it's used, see our Privacy Policy.

12 Contact Security Team

For vulnerability reports, suspected breaches, or general security questions, reach our team directly:

Security & Trust Team

We take every report seriously. Critical issues are acknowledged within 24 hours.

Vulnerability Reports & Incidents
security@remse.app
General Support
Contact Us →