Your identity documents, messages, and money move through Remse every day. Here's exactly how we protect them.
Remse connects travelers and relocators with agents who handle sensitive tasks — visas, housing, and payments — often before the two parties have ever met in person. That only works if the platform underneath is trustworthy. Security isn't a feature we bolt on; it shapes how every part of Remse, from escrow to messaging, is built.
This page explains the practical measures we take to protect your data and funds, in plain language. If you're a security researcher, see the Responsible Disclosure section for how to report a vulnerability.
Remse's backend runs on Google Cloud Platform and Firebase, with primary data centres in the eur3 region. We rely on Google's physical and network-level security rather than maintaining our own servers, which means our infrastructure inherits the same protections used by some of the largest platforms in the world.
Data is encrypted both while it's moving and while it's stored:
All traffic between the app, website, and our servers is encrypted using TLS/HTTPS. Unencrypted connections are rejected.
KYC documents and files sit in encrypted Google Cloud Storage buckets, encrypted by default at the infrastructure level.
Account credentials are hashed and salted using Firebase Authentication — Remse never stores plaintext passwords.
Session tokens are kept in secure local storage on your device, not in plain app storage.
Remse never stores your card details. All payment processing — wallet funding, withdrawals, and escrow — is handled by Paystack, a PCI DSS compliant payment provider used across Africa.
💰 How escrow protects your money: When you pay for a service, funds move into escrow — not directly to the agent. They're only released to the agent when you approve a completed milestone, or when a dispute is formally resolved in their favour.
Wallet balances and escrow amounts are tracked server-side through Cloud Functions, so a compromised device can't be used to alter your balance or trigger an unauthorised transfer.
Every agent on Remse goes through identity verification (KYC) before they can list services or receive payments. This protects travelers from impersonation and fraudulent listings.
Not every part of the platform is visible to every user — access is scoped tightly by role:
We treat security as an ongoing process rather than a one-time checklist:
If you're a security researcher and believe you've found a vulnerability in Remse's app, website, or backend, we want to hear from it before anyone else does. Please report it responsibly:
| Severity | Examples | Typical Response Time |
|---|---|---|
| Critical | Escrow/wallet manipulation, auth bypass, remote code execution | Within 24 hours |
| High | Access to another user's private data, privilege escalation | Within 72 hours |
| Medium | Business logic flaws, insecure direct object references | Within 7 days |
| Low | Missing security headers, minor information disclosure | Next release cycle |
We currently review disclosures on a case-by-case basis rather than running a formal paid bug bounty programme. Researchers who report valid, previously-unknown issues in good faith will be credited (with permission) once a fix ships.
If a security incident affecting user data or funds is confirmed, our process is:
⚠️ Suspect a breach on your account? Email security@remse.app immediately. We investigate and respond to reported incidents within 24 hours.
Most account compromises happen outside our systems — through reused passwords or social engineering. A few habits go a long way:
Never reuse your Remse password on another site. A password manager makes this easy.
Turn on Face ID or fingerprint lock in your device settings for an extra layer at the app level.
Remse staff will never ask for your password. Treat any such request as a scam.
Only pay through Remse's escrow system. Requests to pay an agent directly bypass your protection.
Remse's security and data-handling practices are built around the following frameworks and requirements:
For details on what data we collect and how it's used, see our Privacy Policy.
For vulnerability reports, suspected breaches, or general security questions, reach our team directly:
We take every report seriously. Critical issues are acknowledged within 24 hours.