Security

Your security and privacy are our priority.

Security Statement at Remittance Go

Please read about our current security measures below.

Website Security

  • Remittance Go.com is hosted and registered in Australia, tied to our ABN
  • app.remittancego.com is also hosted in Australia
  • Both are protected by SSL encryption

Data Protection

  • Our servers do not authorise or view our Xero data; this is all done client side
  • History ledger of remittance matching is stored
  • Appropriate use of client-side storage

Xero Authentication

  • Xero is connected using OAuth2 (SSO)
  • We follow official recommendations from the Xero developer portal
  • Direct API access through your existing Xero user ID and organisation tokens
  • No third party handling or storage of accounts

Organisation Security

  • 100% in-house development
  • Only authorised Remittance Go personnel may access our database, with mandatory authentication
  • Mandatory 2FA
  • Secure systems engineering methodologies
  • Encrypted password storage and systems

Secure Development

  • Daily backups of all application data in multiple locations
  • Every instance is fully encrypted and secured
  • Change control procedures
  • Technical reviews

Monitoring

  • Uptime monitoring
  • Incident response
  • Support available during business hours
  • Disaster recovery simulation every

User Authentication

  • Authentication powered by Kinde — a dedicated, SOC 2 compliant auth provider
  • Short-lived JWT access tokens and rotating refresh tokens
  • Secure token storage with httpOnly cookies
  • Session expiry and token revocation on logout
  • Support for social login and enterprise SSO
  • User management isolated from application logic

Email

  • Business email hosted on Google Workspace (GSuite)
  • Protected by Google's spam filtering, phishing detection, and malware scanning
  • TLS encryption in transit for all email communication
  • SPF, DKIM, and DMARC records configured to prevent spoofing
  • Admin-enforced 2FA across all Remittance Go Google accounts

Route Protection

  • All API routes require a valid authenticated session
  • Unauthenticated requests are rejected before reaching application logic
  • Permission-based access control — users only access their own organisation's data
  • Server-side session validation on every request
  • No sensitive operations exposed to unauthenticated clients