Security & Compliance
Compliance is not a feature we bolted on after the fact. It is infrastructure — baked into every layer of how Reins processes, stores, and protects your data. From cryptographic audit trails to granular access policies, security is the foundation everything else stands on.
Certifications
Our certifications are maintained through continuous monitoring and annual audits by accredited third-party firms. Every control is tested, every process is documented, every exception is tracked.
Our SOC 2 Type II report demonstrates that our controls have been operating effectively over a sustained period. Audited annually by an AICPA-accredited firm, covering the full scope of Reins infrastructure and operations.
| Trust services criterion | Covers |
|---|---|
| Security | Protection against unauthorized access |
| Availability | System uptime and performance monitoring |
| Confidentiality | Data protection and access restrictions |
What this means for you: Your auditors can rely on our SOC 2 report as evidence that your data is protected by controls that have been tested and verified by an independent auditor.
Our Information Security Management System (ISMS) is certified to ISO 27001:2022 standards. This covers information security policy, risk management, access control, cryptography, operations security, and supplier relationships.
Scope: All production systems, employee workstations, development infrastructure, and third-party integrations involved in processing customer data for the Reins platform.
Certification body: BSI Group, recertified annually with semi-annual surveillance audits.
What this means for you: A globally recognized standard demonstrating our commitment to information security best practices across all operations.
Full compliance with the EU General Data Protection Regulation. We process data lawfully, transparently, and for specific purposes. Data subjects retain full control over their personal information.
Data Processing Agreement: Standard DPA available for all customers, covering Article 28 processor obligations, sub-processor management, and cross-border transfer mechanisms (Standard Contractual Clauses).
Rights management: Right to erasure (Article 17), data portability (Article 20), and consent withdrawal are automated and available through the dashboard or API.
Data residency: EU customers can elect EU-only data residency (Frankfurt, Ireland regions) with no data leaving the EU.
Security Architecture
Security is not a perimeter. It is a property of every layer. From the network edge to the database row, every component enforces its own access policies independently.
All data is encrypted at rest using AES-256-GCM. Database storage, backups, file uploads, and temporary processing buffers are all encrypted. Keys are never stored alongside the data they protect. Each customer's data uses a unique data encryption key (DEK) wrapped by a master key in AWS KMS.
All network communication uses TLS 1.3 with forward secrecy. Internal service-to-service communication uses mutual TLS (mTLS). We enforce HSTS with a minimum max-age of one year, and are included in browser preload lists. Certificate transparency logging is enabled on all certificates.
Encryption keys are managed through AWS KMS with hardware security module (HSM) backing. Master keys are automatically rotated every 90 days. Data encryption keys are rotated on a per-session basis. Key access is restricted to the minimum set of IAM roles required for each service, with all access logged in CloudTrail.
Role-based access control (RBAC) with the principle of least privilege applied universally. Every API request is authenticated (JWT + API key), authorized against the caller's role and resource ownership, and rate-limited. Admin access requires multi-factor authentication and is logged for audit. No standing access to production systems.
Audit logs are append-only with cryptographic integrity chains. Each log entry includes a SHA-256 hash of the previous entry, creating a tamper-evident chain. Logs are written to a separate, isolated storage account with write-only permissions from the application layer. Deletion is impossible without breaking the hash chain, which triggers immediate alerts.
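The tamper-evident chain described above, as an added example that is not code from Reins: each entry carries the SHA-256 of the previous entry, the log exposes only an append operation, and a verifier walks the links. The entry fields are the ones the page lists for exported logs (actor, action, target, timestamp, IP, user agent); the JSON field names, the all-zero genesis anchor and the sample entries are constructed for this example. Hash links alone cannot detect silent truncation of the newest entries, so the verifier also checks the last hash against a head value published out of band, which is where the alerting hook belongs.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// AuditEntry carries the fields the page lists for exported logs (actor,
// action, target, timestamp, IP, user agent) plus the two chain fields.
type AuditEntry struct {
	Actor     string `json:"actor"`
	Action    string `json:"action"`
	Target    string `json:"target"`
	Timestamp string `json:"timestamp"`
	IP        string `json:"ip"`
	UserAgent string `json:"user_agent"`
	PrevHash  string `json:"prev_hash"` // hex SHA-256 of the previous entry
	Hash      string `json:"hash"`      // hex SHA-256 of this entry with Hash blank
}

// genesisHash is the constructed anchor the first entry links to.
const genesisHash = "0000000000000000000000000000000000000000000000000000000000000000"

// entryHash digests the canonical JSON of e with its own Hash field blanked,
// so the digest commits to both the payload and the link to the previous entry.
func entryHash(e AuditEntry) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // fixed struct field order gives a stable encoding
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// AuditLog exposes only Append: there is no method to edit or remove entries.
type AuditLog struct{ entries []AuditEntry }

// Append links the entry to the current head and seals it.
func (l *AuditLog) Append(e AuditEntry) {
	e.PrevHash = l.Head()
	e.Hash = entryHash(e)
	l.entries = append(l.entries, e)
}

// Head returns the hash of the newest entry (or the genesis anchor when empty).
// Publishing the head out of band is what lets a verifier detect truncation
// of the tail, which the links between entries cannot reveal on their own.
func (l *AuditLog) Head() string {
	if n := len(l.entries); n > 0 {
		return l.entries[n-1].Hash
	}
	return genesisHash
}

// Entries returns a copy so callers cannot mutate the log in place.
func (l *AuditLog) Entries() []AuditEntry {
	return append([]AuditEntry(nil), l.entries...)
}

// Verify walks the chain and returns the index of the first broken entry, or
// -1 when every link holds and the final hash equals expectedHead. Editing,
// deleting or reordering any entry changes a digest and breaks a link.
func Verify(entries []AuditEntry, expectedHead string) (int, error) {
	prev := genesisHash
	for i, e := range entries {
		if e.PrevHash != prev {
			return i, errors.New("prev_hash does not match the preceding entry")
		}
		if entryHash(e) != e.Hash {
			return i, errors.New("entry contents do not match its hash")
		}
		prev = e.Hash
	}
	if prev != expectedHead {
		return len(entries), errors.New("chain head differs from the published head (tail truncated?)")
	}
	return -1, nil
}

// SampleLog builds a constructed three-entry log for demonstration.
func SampleLog() *AuditLog {
	l := &AuditLog{}
	l.Append(AuditEntry{Actor: "user:alice", Action: "policy.create", Target: "policy:42", Timestamp: "2025-01-10T09:00:00Z", IP: "203.0.113.7", UserAgent: "reins-cli/1.0"})
	l.Append(AuditEntry{Actor: "user:bob", Action: "data.export", Target: "org:acme", Timestamp: "2025-01-10T09:05:00Z", IP: "203.0.113.8", UserAgent: "Mozilla/5.0"})
	l.Append(AuditEntry{Actor: "user:alice", Action: "policy.delete", Target: "policy:42", Timestamp: "2025-01-10T09:10:00Z", IP: "203.0.113.7", UserAgent: "reins-cli/1.0"})
	return l
}

func main() {
	l := SampleLog()
	fmt.Println(Verify(l.Entries(), l.Head())) // -1 <nil>

	tampered := l.Entries()
	tampered[1].Action = "transactions.view" // rewriting history changes the digest
	fmt.Println(Verify(tampered, l.Head()))  // 1 entry contents do not match its hash
}
```

The verifier reports the index of the first bad entry, which is the value a detection rule should alert on: a mismatch at index i means everything from i onward is untrusted, while a head mismatch with intact links points at deletion of the newest entries.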
Quarterly penetration tests conducted by NCC Group, covering application-layer attacks, infrastructure compromise scenarios, and social engineering vectors. Annual red team exercises simulate advanced persistent threats. All findings are remediated within SLA (Critical: 24h, High: 7d, Medium: 30d, Low: 90d).
Active bug bounty program on HackerOne with payouts up to $15,000 for critical vulnerabilities. Over 200 researchers have participated. Average time to first response: 4 hours. Average time to resolution: 48 hours for critical findings. Safe harbor provisions for good-faith security research.
Documented incident response plan with 24/7 on-call rotation. Severity-based response times: P1 (15 minutes), P2 (1 hour), P3 (4 hours). Post-incident reviews published within 5 business days for any customer-affecting incident. Automated runbooks handle common scenarios to minimize human response latency.
Data Governance
Clear policies on what we store, how long we keep it, where it lives, and how you can get it back or make it disappear.
Enterprise customers can choose where their data is processed and stored. We currently offer two regions with additional regions planned for 2026.
| Region | Primary | Failover | Notes |
|---|---|---|---|
| United States | US-East (Virginia) | US-West (Oregon) | Data does not leave US jurisdiction. Compliant with US federal and state privacy laws. |
| European Union | EU-West (Frankfurt) | EU-West (Ireland) | Full GDPR-compliant data residency. No data transfers outside the EEA without Standard Contractual Clauses. |
When you request data deletion — whether a single record, an agent's history, or your entire account — we follow a cryptographic erasure process. Data is rendered unrecoverable within 24 hours, with a certificate of destruction available upon request.
| Name | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure, key management | US / EU |
| Neon | Managed PostgreSQL database | US / EU |
| Stripe | Payment processing | US |
| Postmark | Transactional email delivery | US |
| Render | Application hosting and deployment | US |
| Datadog | Infrastructure monitoring and observability | US / EU |
We notify customers 30 days before adding new sub-processors. You may object to new sub-processors per the terms of your DPA.
Access Control
Every action maps to a specific permission. Every permission maps to a role.
| Permission | Owner | Admin | Engineer | Viewer |
|---|---|---|---|---|
| Create policies | ✓ | ✓ | ✓ | — |
| Delete policies | ✓ | ✓ | — | — |
| View transactions | ✓ | ✓ | ✓ | ✓ |
| Export data | ✓ | ✓ | ✓ | — |
| Manage team | ✓ | ✓ | — | — |
| Billing access | ✓ | — | — | — |
| View audit logs | ✓ | ✓ | ✓ | ✓ |
| Configure alerts | ✓ | ✓ | ✓ | — |
| API key management | ✓ | ✓ | — | — |
| Delete organization | ✓ | — | — | — |
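An authorization check that enforces this matrix together with the resource-ownership rule from the Security Architecture section ("authorized against the caller's role and resource ownership"), as an added example rather than Reins's own code. The permission identifiers, the Principal and Resource shapes and the Decision type are assumptions made for this example. Two design points matter: ownership is checked before role, so a caller never learns anything about a resource in another organization whatever its role, and the grant table is allow-list only, so an unknown role or a newly added permission is denied until someone grants it.

```go
package main

import "fmt"

// Role and Permission mirror the four roles and ten permissions in the matrix.
type Role string
type Permission string

const (
	Owner    Role = "owner"
	Admin    Role = "admin"
	Engineer Role = "engineer"
	Viewer   Role = "viewer"
)

// Permission names are constructed for this example.
const (
	CreatePolicies     Permission = "policies.create"
	DeletePolicies     Permission = "policies.delete"
	ViewTransactions   Permission = "transactions.view"
	ExportData         Permission = "data.export"
	ManageTeam         Permission = "team.manage"
	BillingAccess      Permission = "billing.access"
	ViewAuditLogs      Permission = "audit.view"
	ConfigureAlerts    Permission = "alerts.configure"
	ManageAPIKeys      Permission = "apikeys.manage"
	DeleteOrganization Permission = "org.delete"
)

func grant(perms ...Permission) map[Permission]bool {
	m := make(map[Permission]bool, len(perms))
	for _, p := range perms {
		m[p] = true
	}
	return m
}

// roleGrants transcribes the page's matrix. Anything absent is denied, so a
// permission added to the code is unusable until it is deliberately granted.
var roleGrants = map[Role]map[Permission]bool{
	Owner:    grant(CreatePolicies, DeletePolicies, ViewTransactions, ExportData, ManageTeam, BillingAccess, ViewAuditLogs, ConfigureAlerts, ManageAPIKeys, DeleteOrganization),
	Admin:    grant(CreatePolicies, DeletePolicies, ViewTransactions, ExportData, ManageTeam, ViewAuditLogs, ConfigureAlerts, ManageAPIKeys),
	Engineer: grant(CreatePolicies, ViewTransactions, ExportData, ViewAuditLogs, ConfigureAlerts),
	Viewer:   grant(ViewTransactions, ViewAuditLogs),
}

// Principal is the authenticated caller (established from the JWT or API key
// before authorization runs); Resource is what the request targets.
type Principal struct {
	UserID string
	OrgID  string
	Role   Role
}

type Resource struct {
	ID    string
	OrgID string
}

// Decision records why a request was allowed or denied, for the audit log.
// Return the same generic 403 to the client for every denial so the reason
// does not reveal whether a resource in another organization exists.
type Decision struct {
	Allowed bool
	Reason  string
}

// Authorize applies ownership before role. Unknown roles and unknown
// permissions fall through to deny because the nil map lookup yields false.
func Authorize(p Principal, perm Permission, r Resource) Decision {
	if p.OrgID == "" || r.OrgID != p.OrgID {
		return Decision{Allowed: false, Reason: "resource belongs to a different organization"}
	}
	if !roleGrants[p.Role][perm] {
		return Decision{Allowed: false, Reason: fmt.Sprintf("role %q lacks %q", p.Role, perm)}
	}
	return Decision{Allowed: true, Reason: "granted by role " + string(p.Role)}
}

func main() {
	eng := Principal{UserID: "u1", OrgID: "org_acme", Role: Engineer}
	pol := Resource{ID: "policy_42", OrgID: "org_acme"}
	fmt.Println(Authorize(eng, CreatePolicies, pol)) // {true granted by role engineer}
	fmt.Println(Authorize(eng, DeletePolicies, pol)) // {false role "engineer" lacks "policies.delete"}
}
```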
Compliance Checklist
Reins satisfies each of the compliance requirements listed below.
Encryption in transit: Reins enforces TLS 1.3 on all endpoints with no fallback to older protocols. HSTS is enabled with a 1-year max-age and preload. Internal service mesh uses mutual TLS for all service-to-service communication. Certificate pinning is available for mobile SDK integrations.
Encryption at rest: All persistent storage uses AES-256-GCM encryption. This includes the primary database, replicas, automated backups, file storage, and temporary processing buffers. Customer-managed encryption keys (CMEK) are available on Enterprise plans for customers who need to control their own key lifecycle.
Role-based access control: Four predefined roles (Owner, Admin, Engineer, Viewer) with granular permission mapping. Custom roles available on Enterprise plans. All role assignments are logged in the audit trail. SSO/SAML integration ensures centralized identity management with automatic deprovisioning via SCIM.
Audit logging: Complete audit logs exportable via API or dashboard in JSON, CSV, or SIEM-compatible formats (CEF, LEEF). Real-time log streaming to your SIEM (Splunk, Datadog, Sumo Logic) via webhook or Kafka integration. Logs include actor identity, action, target resource, timestamp, IP, and user agent.
Uptime SLA: Published SLA guarantees 99.95% uptime for the API and dashboard. Financial credits for downtime exceeding SLA thresholds. Separate SLAs available for Enterprise customers covering response times, resolution times, and dedicated support availability. Status page at status.reins.dev with historical uptime data.
Data Processing Agreement: Standard Data Processing Agreement available for immediate signature covering GDPR Article 28 requirements. Includes: processing purposes and scope, sub-processor management, cross-border transfer mechanisms (SCCs), data breach notification procedures, and audit rights. Custom DPA amendments available for Enterprise customers.
SOC 2 Type II report: Current SOC 2 Type II report available under NDA. Report covers the Security, Availability, and Confidentiality trust services criteria over a 12-month observation period. No qualified opinions or exceptions in the most recent audit cycle. Report provided within 2 business days of NDA execution.
Penetration test report: Executive summary of the most recent quarterly penetration test available under NDA. Full report available for Enterprise customers. Testing conducted by NCC Group covering OWASP Top 10, business logic vulnerabilities, API security, and infrastructure attack surfaces. All critical and high findings remediated before report issuance.
Risk Management
Our risk assessment framework identifies, quantifies, and mitigates threats before they materialize. Updated quarterly and reviewed by the security team.
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Unauthorized access to customer data | Low | High | MFA enforcement, RBAC, session management, anomaly detection, zero-trust network architecture |
| Data breach via application vulnerability | Low | High | Quarterly pen testing, bug bounty program, automated SAST/DAST scanning, dependency vulnerability monitoring |
| Service outage / availability loss | Medium | Medium | Multi-region deployment, automated failover, chaos engineering, 99.95% SLA with financial backing |
| Supply chain compromise | Medium | High | Dependency pinning, SBOM generation, Sigstore verification, private registry mirroring, weekly audit scans |
| Insider threat / privilege abuse | Low | High | Least-privilege access, just-in-time provisioning, background checks, immutable audit logs, anomaly alerts |
| API key compromise | Medium | Medium | Key hashing (not storing plaintext), automatic rotation reminders, usage anomaly detection, IP allowlisting |
| Ransomware / data destruction | Low | High | Immutable backups, point-in-time recovery (30 days), network segmentation, endpoint detection and response |
| Regulatory non-compliance | Low | Medium | Continuous compliance monitoring, legal counsel review, automated policy enforcement, quarterly compliance audits |
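The "key hashing (not storing plaintext)" mitigation in the API key compromise row, shown as an added example that is not Reins's code. The `rk_` prefix, the 8-character lookup ID and the KeyStore type are constructed for this example; the real key format is not on the page. The store keeps only a SHA-256 digest of each key, so a dump of the table yields nothing a caller could present, and verification compares digests in constant time.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// keyPrefix and the ID length are constructed for this example, not the
// platform's real key layout.
const keyPrefix = "rk_"
const idLen = 8

// StoredKey is the database record: a non-secret lookup ID and the SHA-256
// digest of the full key. The plaintext is shown once at creation, never stored.
type StoredKey struct {
	ID     string
	OrgID  string
	Digest [32]byte
}

// KeyStore maps lookup IDs to records (a table in a real deployment).
type KeyStore struct{ byID map[string]StoredKey }

func NewKeyStore() *KeyStore { return &KeyStore{byID: make(map[string]StoredKey)} }

// Issue generates a 256-bit random key, stores only its digest and returns the
// plaintext for one-time display. Because the secret is uniformly random, a
// single SHA-256 suffices: the slow hashes used for passwords exist to resist
// guessing of low-entropy inputs, which this key is not. The lookup ID exposes
// the first 48 bits of the encoding, leaving 208 secret bits.
func (s *KeyStore) Issue(orgID string) (string, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return "", err
	}
	plaintext := keyPrefix + base64.RawURLEncoding.EncodeToString(secret)
	rec := StoredKey{
		ID:     plaintext[:len(keyPrefix)+idLen],
		OrgID:  orgID,
		Digest: sha256.Sum256([]byte(plaintext)),
	}
	s.byID[rec.ID] = rec
	return plaintext, nil
}

// Verify re-derives the digest from the presented key and compares it in
// constant time, so response timing does not reveal how many bytes matched.
func (s *KeyStore) Verify(presented string) (StoredKey, error) {
	if !strings.HasPrefix(presented, keyPrefix) || len(presented) < len(keyPrefix)+idLen {
		return StoredKey{}, errors.New("malformed key")
	}
	rec, ok := s.byID[presented[:len(keyPrefix)+idLen]]
	if !ok {
		return StoredKey{}, errors.New("unknown key")
	}
	digest := sha256.Sum256([]byte(presented))
	if subtle.ConstantTimeCompare(digest[:], rec.Digest[:]) != 1 {
		return StoredKey{}, errors.New("invalid key")
	}
	return rec, nil
}

// Revoke drops the record; rotation is Issue followed by Revoke of the old ID.
func (s *KeyStore) Revoke(id string) { delete(s.byID, id) }

// FlipLast returns s with its final character changed, for negative tests.
func FlipLast(s string) string {
	repl := "A"
	if s[len(s)-1] == 'A' {
		repl = "B"
	}
	return s[:len(s)-1] + repl
}

func main() {
	store := NewKeyStore()
	key, _ := store.Issue("org_acme")
	fmt.Println("show once:", key)
	rec, err := store.Verify(key)
	fmt.Println(rec.OrgID, err) // org_acme <nil>
	_, err = store.Verify(FlipLast(key))
	fmt.Println(err) // invalid key
}
```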
Vulnerability Management
We believe security is a shared responsibility. Our bug bounty program and structured testing schedule ensure vulnerabilities are found and fixed fast.
Active program hosted on HackerOne with a public scope covering all Reins-owned domains and APIs. Researchers who discover and responsibly disclose vulnerabilities are rewarded based on severity.
Payout tiers:
| Severity | Maximum payout |
|---|---|
| Critical | $15,000 |
| High | $5,000 |
| Medium | $2,000 |
| Low | $500 |
Safe harbor: Good-faith security research that follows our disclosure policy will not result in legal action. We commit to not pursuing legal claims against researchers who act in good faith.
If you discover a security vulnerability in Reins, we ask that you report it privately to security@reins.dev before public disclosure. We commit to the following response times:
| Severity | Response | Fix |
|---|---|---|
| Critical | 4 hours | 24 hours |
| High | 8 hours | 7 days |
| Medium | 24 hours | 30 days |
| Low | 48 hours | 90 days |
Our testing cadence ensures continuous validation of our security posture across all attack surfaces.
| Quarter | Scope | Firm | Focus Areas |
|---|---|---|---|
| Q1 | Full application + API | NCC Group | OWASP Top 10, business logic, authentication bypass |
| Q2 | Infrastructure + cloud | NCC Group | AWS misconfigurations, network segmentation, lateral movement |
| Q3 | Red team exercise | Bishop Fox | Social engineering, phishing simulation, physical security |
| Q4 | API + SDK review | NCC Group | SDK injection vectors, API rate-limit bypass, privilege escalation |
Enterprise
Whether you are in healthcare, finance, or government — we have the agreements, support tiers, and deployment flexibility your procurement team requires.
Standard MSA available for immediate review covering liability, indemnification, IP ownership, termination rights, and governing law. Custom amendments negotiable for enterprise customers with dedicated legal review within 5 business days.
HIPAA-compliant BAA for healthcare organizations handling PHI. Covers permitted uses and disclosures, safeguards, breach notification obligations, and individual rights support. Enables compliant AI agent governance in clinical and administrative workflows.
Tailored service level agreements beyond our standard 99.95% uptime guarantee. Options include: guaranteed response times (15-minute P1), dedicated support engineer, custom maintenance windows, and financial credit escalations.
Standard (email, 8h response), Professional (email + chat, 4h response), Enterprise (dedicated CSM, Slack channel, 1h response, quarterly business reviews). All tiers include access to our technical documentation and community.
For organizations with strict data sovereignty requirements, we offer self-hosted deployment options with full feature parity. Your infrastructure, our software, jointly maintained. Coming Q3 2026.
Security FAQ
Answers to the questions we hear most from security teams during vendor assessments.
All data is encrypted at rest using AES-256-GCM and in transit using TLS 1.3 with forward secrecy. Encryption keys are managed through AWS KMS with HSM-backed master keys that rotate automatically every 90 days. Each customer's data uses a unique data encryption key (DEK) that is itself encrypted by the master key — an envelope encryption pattern that ensures compromise of a single DEK exposes only that customer's data, not all customer data. Database-level encryption uses transparent data encryption (TDE) as an additional layer below application-level encryption.
Access is governed by strict role-based access control (RBAC) with the principle of least privilege. Within your organization, you control who can view, modify, or export data through the four-tier permission model (Owner, Admin, Engineer, Viewer). On the Reins side, no employee has standing access to customer data. Production access requires just-in-time provisioning through a break-glass procedure that requires management approval, creates an audit trail, and automatically expires after 4 hours. All access events are logged immutably and included in your audit log exports.
Data is stored in SOC 2 certified data centers. Standard customers use our US-East (Virginia) region with failover to US-West (Oregon). Enterprise customers can select EU data residency (Frankfurt primary, Ireland failover) where all data processing and storage remains within the European Economic Area. No customer data is transferred across region boundaries without explicit opt-in. Backups are stored in the same region as the primary data and are encrypted at rest with a separate key hierarchy.
We maintain a documented incident response plan with a 24/7 on-call security team. The process follows five phases: Detection (automated monitoring + human analysis), Containment (isolate affected systems within minutes), Eradication (remove the threat and patch the vulnerability), Recovery (restore service with verification), and Post-mortem (root cause analysis and prevention measures). Affected customers are notified within 72 hours per GDPR requirements, with critical incidents triggering immediate notification within 4 hours. Public post-incident reports are published for any customer-affecting security event.
Yes. Enterprise plans include SAML 2.0 SSO integration supporting Okta, Azure AD, Google Workspace, OneLogin, and any SAML-compliant identity provider. We also support OIDC (OpenID Connect) for providers that prefer that protocol. SCIM 2.0 provisioning ensures that when employees join or leave your organization, their Reins access is automatically granted or revoked in sync with your identity provider. Session duration and re-authentication policies are configurable per-organization.
Yes. Full data portability is a core principle. You can export all your data at any time via the dashboard (manual export) or API (automated export). Supported formats include JSON, CSV, and Parquet. The export includes all transaction records, policy configurations, audit logs, alert history, and organization settings. Exports are generated asynchronously for large datasets and delivered via a secure, time-limited download link. There are no export fees and no artificial limits on export frequency.
We conduct annual SOC 2 Type II audits (12-month observation period) and quarterly external penetration tests that rotate among application, infrastructure, red team, and API/SDK scopes. Internal security reviews happen monthly. Automated vulnerability scanning runs continuously against all production assets. Dependency scanning checks for known vulnerabilities in our supply chain on every deployment. Our ISO 27001 ISMS undergoes semi-annual surveillance audits between full recertification cycles.
Upon cancellation, you have a 30-day grace period to export any data you need. During this period, your account is suspended (no new data ingestion) but all existing data remains accessible for export. After 30 days, all customer data is permanently deleted using cryptographic erasure — the encryption keys protecting your data are destroyed, rendering the encrypted data unrecoverable even if the underlying storage were accessed. We provide a certificate of destruction upon request. Anonymized, aggregated analytics data (which cannot be linked back to your organization) may be retained for product improvement.
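The envelope encryption pattern from the Security Architecture section and the FAQ answer on encryption (a per-customer DEK wrapped by a master key, AES-256-GCM throughout) and the cryptographic erasure described for deletion and cancellation, as one added example that is not Reins's code. The in-process MasterKey type stands in for the AWS KMS master key, which in production would never leave the HSM; the CustomerRecord layout and the use of the customer ID as GCM associated data are assumptions made for this example. Erasure destroys only the wrapped DEK: the ciphertext may survive in storage and backups but can no longer be opened.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce and returns nonce||ciphertext||tag.
func seal(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; the GCM tag check fails if ciphertext, nonce or AAD differ.
func open(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// MasterKey stands in for the KMS-held master key: it only wraps and unwraps
// DEKs. In production the raw key stays inside the HSM and is never exported.
type MasterKey struct{ aead cipher.AEAD }

func NewMasterKey() (*MasterKey, error) {
	raw := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, raw); err != nil {
		return nil, err
	}
	aead, err := newGCM(raw)
	if err != nil {
		return nil, err
	}
	return &MasterKey{aead: aead}, nil
}

// CustomerRecord is what persists: the wrapped DEK and the ciphertext. The
// plaintext DEK exists only in memory while encrypting or decrypting.
type CustomerRecord struct {
	CustomerID string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt generates a per-customer DEK, encrypts the data under it and wraps the
// DEK under the master key. The customer ID is bound as AAD on both layers, so a
// wrapped DEK or ciphertext copied into another customer's record will not open.
func Encrypt(mk *MasterKey, customerID string, data []byte) (CustomerRecord, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return CustomerRecord{}, err
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return CustomerRecord{}, err
	}
	aad := []byte(customerID)
	ct, err := seal(dataAEAD, data, aad)
	if err != nil {
		return CustomerRecord{}, err
	}
	wrapped, err := seal(mk.aead, dek, aad)
	if err != nil {
		return CustomerRecord{}, err
	}
	zero(dek) // only the wrapped form is ever stored
	return CustomerRecord{CustomerID: customerID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the master key, then opens the data with it.
func Decrypt(mk *MasterKey, rec CustomerRecord) ([]byte, error) {
	if rec.WrappedDEK == nil {
		return nil, errors.New("key destroyed: data was cryptographically erased")
	}
	aad := []byte(rec.CustomerID)
	dek, err := open(mk.aead, rec.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	defer zero(dek)
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return open(dataAEAD, rec.Ciphertext, aad)
}

// CryptoErase destroys the wrapped DEK; the ciphertext may remain on disk and
// in backups but is unrecoverable without it.
func CryptoErase(rec *CustomerRecord) {
	zero(rec.WrappedDEK)
	rec.WrappedDEK = nil
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	mk, _ := NewMasterKey()
	rec, _ := Encrypt(mk, "cust_acme", []byte("constructed sample record"))
	pt, err := Decrypt(mk, rec)
	fmt.Printf("%s %v\n", pt, err) // constructed sample record <nil>
	CryptoErase(&rec)
	_, err = Decrypt(mk, rec)
	fmt.Println(err) // key destroyed: data was cryptographically erased
}
```

Because the wrapped DEK is the only thing that has to be destroyed, erasure completes as soon as that small record is gone, which is what makes a 24-hour deletion guarantee feasible even when full backups of the ciphertext are retained for point-in-time recovery.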
Request Documents
Need our SOC 2 report, DPA, or other compliance documentation for your vendor assessment? Submit a request and we will get back to you within 2 business days.