Rekon's security is built on actual operational behavior, not certification marketing. Encryption, access control, retention policy, and auditable change history are unified into a single policy.
Security behavior is applied by default across request, view, and download flows.
AES-256 encryption at rest
RLS workspace isolation
Automatic expiry deletion
Audit logging
Facts we can disclose based on current operations.
All files are stored in Cloudflare R2 with AES-256 server-side encryption.
Communication uses HTTPS, protected with TLS 1.2 or higher.
Download links expire 15 minutes after issuance; shared viewer links expire after 10 minutes.
Row Level Security is applied across database tables, blocking access to other workspaces' data.
File downloads and admin change actions are recorded in audit logs.
Expired files are deleted daily from storage and the database. Retention: Free 30 days, Team 180 days, Team Pro 360 days.
On request, member records are permanently deleted and associated reports are anonymized.
A masking policy is applied to emails, IPs, and OAuth/Bearer tokens in both server and Unity SDK logs.
Each release ships with a SHA-256 checksum and a CycloneDX SBOM.
Session tokens are encrypted with AES-256-GCM on the server and AES-256-CBC + PBKDF2 in the SDK.
Only whitelisted accounts can access admin tools, and all admin actions are recorded in audit logs.
Per-plan expiry policy is applied based on data creation date.
| Plan | Retention | Deletion |
|---|---|---|
| Free | Up to 30 days | Storage & DB deleted together on expiry |
| Team | Up to 180 days | Daily batch deletion of expired data |
| Team Pro | Up to 360 days | Automatic removal past retention period |
All files are stored in Cloudflare R2 with AES-256 server-side encryption, and traffic is protected with HTTPS (TLS 1.2+). Session tokens are encrypted with AES-256-GCM on the server and AES-256-CBC + PBKDF2 in the Unity SDK.
No. Row Level Security (RLS) is applied across database tables to block access to other workspaces' data. Download links expire after 15 minutes and shared viewer links after 10 minutes.
File downloads and admin change actions are recorded in audit logs. Admin tools are restricted to whitelisted accounts, and all admin actions are logged.
Retention is Free 30 days, Team 180 days, and Team Pro 360 days; expired files are automatically deleted from storage and the database daily. On a full member deletion request, the member record is deleted and associated reports are anonymized.
A masking policy is applied to emails, IPs, and OAuth/Bearer tokens in both server and Unity SDK logs.
Each release ships with a SHA-256 checksum and a CycloneDX SBOM (software bill of materials) so you can verify the integrity of the distributed package.
For security inquiries or due diligence requests, contact rekonops.dev@gmail.com.