At Reducto, we take data security and privacy extremely seriously. We understand the importance of protecting our customers' sensitive information and have implemented robust measures to ensure the highest level of security. This report outlines our data storage practices, encryption protocols, and compliance adherence.

Data Storage

  1. Storage Location: We use Amazon Web Services (AWS) S3 to store data for asynchronous requests. Synchronous request data is never written to storage; it remains transient and is not persisted.

  2. Access Permissions: Access to the AWS S3 storage is strictly limited to our AWS Lambda executor. This ensures that only authorized and authenticated processes can interact with the stored data, minimizing the risk of unauthorized access.

  3. Data Retention: All data stored in AWS S3 is automatically set to expire within 24 hours, so any data older than 24 hours is deleted. This reduces the amount of data we retain and limits the potential impact of any data breach.

  4. Data Usage: For users on our "Scale" tier and above, we never use any of their data for training purposes. We respect the privacy of our customers and ensure only they have access to the data from their requests.

Encryption

  1. Encryption at Rest: All data stored in AWS S3 is encrypted at rest using industry-standard encryption algorithms. Even if unauthorized individuals were to gain access to the stored data, they could not decipher it without the corresponding encryption keys.

  2. Encryption in Transit: We employ encryption protocols to protect data in transit. All communication between our systems and the data storage is conducted over secure channels using encryption mechanisms such as SSL/TLS. This ensures that data remains confidential and tamper-proof during transmission.

Compliance

  1. SOC 2 Type 2: We are currently in the process of obtaining SOC 2 Type 2 compliance. This rigorous certification demonstrates our commitment to maintaining a secure and reliable system. It involves a comprehensive audit of our security controls, policies, and procedures by an independent third party.

  2. HIPAA Compliance: We currently offer a HIPAA-compliant processing pipeline for Scale and Enterprise tier customers. By adhering to HIPAA regulations, we ensure that any PHI processed by our system is handled with the utmost care and in compliance with the stringent security and privacy standards set forth by HIPAA. Please reach out to us via email to sign a BAA with us.

We continuously monitor and update our security measures to stay ahead of evolving threats and maintain the highest level of protection for our customers' data. Our dedicated security team regularly conducts assessments, penetration testing, and vulnerability scans to identify and address any potential weaknesses in our system.

If you have any further questions or require additional information regarding our security practices, please don't hesitate to reach out to [email protected].

List of Authorized Subprocessors

Company                                           | Description             | Country (where subprocessing takes place)
OpenAI, LLC                                       | Artificial Intelligence | United States
Anthropic                                         | Artificial Intelligence | United States
Functional Software, Inc. (also known as Sentry)  | Error Monitoring        | United States
PostHog, Inc.                                     | Product Analytics       | United States
Anthropic PBC                                     | Artificial Intelligence | United States
Openrouter, Inc.                                  | Artificial Intelligence | United States