Trust, security, and compliance posture
TL;DR
Trust centre summarises security commitments and where to verify claims.
Key facts
- Reporting: /security
Trust, security, and compliance
This page orients buyers and security reviewers. It is not a contractual SLA unless your order form says otherwise.
Downloadable overview
- Security & trust overview (Markdown) — single file you can attach to procurement or print to PDF from your browser.
Infrastructure and data handling
- Control plane: Reflex Cloud runs the dashboard, billing, and orchestration APIs. Customer workload data from agents is scoped per workspace and encrypted in transit (TLS 1.2+).
- Regions: Data residency choices are offered at team setup where product configuration allows; map your regulatory needs with us before production rollout.
- Agents: Server agents authenticate with least-privilege tokens. They are designed not to exfiltrate application secrets beyond what you configure for diagnostics and repair flows.
Compliance posture
- SOC 2 Type II: We maintain a SOC 2 readiness programme (controls, evidence collection, and operational discipline). Certification status and report availability are confirmed per sales engagement — ask for the current attestation letter when evaluating Enterprise.
- UK GDPR / EU GDPR: We process personal data as a processor where applicable. DPA and subprocessor register are available for paying teams that require them (see operations documentation linked from your order process).
- ICO: UK GDPR obligations include lawful processing and breach notification; see our Privacy Policy and Security Policy.
Security practices
- Coordinated disclosure: Report vulnerabilities via /security — do not use public issues.
- Dependency and application security: We run automated dependency scanning on our own stack; customer servers are hardened according to the recipes and policies you enable.
- Access: Production access is logged; customer-facing audit logs (retention by tier) cover privileged actions in your workspace.
Identity and access (enterprise)
- SSO: SAML/OIDC connections are configurable per team where your plan allows.
- SCIM: SCIM 2.0 provisioning is available for directory-driven membership (subject to dashboard seat limits on Solo/Studio; the Agency tier has unlimited seats under the product terms).
- RBAC and MFA: Team roles, custom roles, optional resource grants, team MFA policy, and session policy are documented in the in-app Settings area.
What we do not claim here
- Third-party certification badges without a current report.
- Uptime guarantees unless they appear in your signed enterprise agreement.
For questions: use Contact with the subject line "Security / Trust" and your company domain so we can route your request to the right reviewer.