Try Receptioner for Free

No credit card needed | 14-day free trial

Get Started

TRUST & SECURITY

Last updated 23 April 2026

Receptioner handles personal information and, in many cases, health information on behalf of service businesses in New Zealand and Australia. This page summarises how we protect that information, the standards we operate to, and how we respond to incidents. It is provided for transparency and to help prospective customers and their advisers evaluate Receptioner before signing up.

For contractual commitments, see our Terms of Service, Privacy Policy, Data Processing Agreement, and Service Level Agreement.

Hosting & infrastructure

Receptioner runs on a serverless architecture hosted by Amazon Web Services (AWS). Primary data storage is in AWS Sydney (ap-southeast-2). Redundant backups are stored in AWS Stockholm (eu-north-1) for resilience. AWS maintains industry-leading security certifications including ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, and PCI DSS.

Encryption

  • In transit: All connections to the platform use TLS 1.2 or above.
  • At rest: Production data is encrypted using AES-256 via AWS-managed keys.
  • Backups: Backups are encrypted at rest and retained for up to 35 days on a rolling basis.

Access control

  • Role-based access control within the platform, administered by each business customer for their staff.
  • Least-privilege access for Receptioner personnel; production access is limited to a small number of named individuals.
  • Multi-factor authentication is required for all internal administrative access.
  • Audit logging of privileged actions on production systems.

Payments & card data

Payments are processed by Stripe, a PCI DSS Level 1 compliant payment provider. Card numbers are collected by Stripe Elements directly and are not transmitted through or stored by Receptioner. Storing card details anywhere on the platform outside the Stripe-backed mechanism is prohibited by our Terms of Service.

Application security

  • Secure software development practices, including code review and dependency scanning.
  • Automated vulnerability scanning and patching of infrastructure.
  • Separate development, staging, and production environments.
  • Security-relevant events logged and monitored via New Relic and Sentry (non-sensitive telemetry only; field scrubbing applied where configured).

Privacy by design

  • Health and intake-form data is treated as sensitive information and receives additional handling protections.
  • We do not use customer data to train general-purpose AI or machine-learning models.
  • We do not use automated decision-making that significantly affects individuals.
  • We do not sell personal information or share it with advertising networks.

Incident response

We maintain a documented incident-response plan covering detection, triage, containment, eradication, recovery, and post-incident review. For a notifiable privacy breach:

  • We aim to notify affected business customers within 72 hours of confirming the breach, consistent with guidance from the Office of the Privacy Commissioner (NZ).
  • We notify the Office of the Privacy Commissioner (NZ) or the Office of the Australian Information Commissioner (AU), as applicable.
  • Where the breach originates from our platform and it is practicable, we notify affected individuals directly. Otherwise, we assist business customers to meet their own notification obligations.

Suspected security issues can be reported to security@receptionerapp.com.

Availability & status

Our standard availability commitment for paying business customers is set out in our Service Level Agreement, which describes the monthly uptime target, service credits, and exclusions. We do not yet publish a public status page; we are working towards one, and in the meantime any suspected outage can be reported to support@receptionerapp.com and we will share the relevant monitoring data directly.

Business continuity & backups

  • Automated backups of production data, encrypted at rest.
  • Backups retained for up to 35 days on a rolling basis.
  • Disaster-recovery region in AWS Stockholm for resilience.
  • Periodic restoration tests to verify backup integrity.

Personnel & training

  • Personnel with access to personal information are bound by confidentiality obligations.
  • Privacy and security awareness training is provided at onboarding and refreshed periodically.
  • Access is reviewed periodically and revoked on role change or departure.

Subprocessors

We publish a current list of subprocessors at receptionerapp.com/subprocessors, including their purpose, the data they process, and their location.

Responsible disclosure

If you believe you have found a security vulnerability in Receptioner, please contact security@receptionerapp.com with a clear description and steps to reproduce. We will acknowledge receipt promptly, investigate, and keep you informed of progress. Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to remediate it.

Documents

The following documents sit alongside this page for customers, prospects, and their advisers who need to review our contractual and operational commitments in detail:

Terms of ServiceThe master agreement governing use of Receptioner.Privacy PolicyHow we collect, use, and protect personal information.Data Processing AgreementOur standard DPA for business customers processing personal information through the platform.Service Level AgreementMonthly uptime target, service credits, exclusions, and claim process.Acceptable Use PolicyWhat you can and cannot do on the platform.SubprocessorsCurrent list of third parties we engage to deliver the platform.Cookie PolicyWhat cookies we set and how consent is recorded.

Contact

Privacy: privacy@receptionerapp.com
Security: security@receptionerapp.com
Support: support@receptionerapp.com