Security & Trust
Security is engineered into Reera from day one. This page summarizes the controls in place today and the roadmap toward formal certifications. Customers under NDA can request a more detailed security questionnaire (CAIQ-Lite, SIG-Lite) by emailing ali@reera.io.
1. Data protection
Encryption
- In transit: TLS 1.3 with strong AEAD ciphers; HSTS enforced on all reera.io subdomains.
- At rest: AES-256 via Google Cloud Platform's default encryption; customer-managed encryption keys (CMEK) available on enterprise plans.
- Inference: calls to LLM providers (OpenAI, Anthropic) go through zero-retention enterprise endpoints and carry ticket metadata only, never attachments or secrets.
Data residency
- Default hosting region: EU (Google Cloud, Frankfurt or Belgium).
- No transfers outside the EEA without explicit customer authorization and Standard Contractual Clauses.
2. Access control
- SSO via SAML 2.0 and OpenID Connect (Okta, Azure AD / Entra ID, Google Workspace, Ping).
- SCIM 2.0 for user and group provisioning.
- Role-based access control (RBAC) with least-privilege defaults.
- All privileged actions are logged to immutable audit logs, which can be streamed to the customer's SIEM via webhook or syslog.
- Production access requires hardware-backed multi-factor authentication.
3. Application security
- Secure software development lifecycle: peer code review, automated static analysis, dependency vulnerability scanning, secret-scanning in CI.
- Quarterly third-party penetration testing planned starting Q3 2026; report summaries available under NDA.
- Bug-bounty / responsible disclosure inbox: security@reera.io.
4. Infrastructure security
- Hosted on Google Cloud Platform; relies on GCP's underlying physical security, network isolation, and DDoS protection (Cloud Armor).
- Network segmentation: production, staging, and development run in isolated VPCs with private connectivity only.
- All workloads run in containers with read-only filesystems and minimal base images.
- Backup and disaster recovery: encrypted backups with cross-region replication; recovery procedures tested at least annually.
5. AI & model governance
- Customer data is never used to train shared or third-party foundation models.
- Model improvements happen via supervised fine-tuning on the customer's tenant only.
- Every AI suggestion is auditable: the input, suggestion, confidence score, human action, and final outcome are retained per ticket and are exportable.
- Human-in-the-loop by default for any consequential action (assignment, status change, resolution).
6. Compliance roadmap
- GDPR-aligned by design; full DPA available.
- Information-Security Management System (ISMS) modeled on ISO/IEC 27001; formal certification targeted for 2027.
- SOC 2 Type II: observation period in progress with a Big-Four auditor; first report targeted for 2027.
- EU AI Act: tracking obligations applicable to general-purpose AI deployers; classification and conformity assessments will be performed prior to high-risk deployments.
7. Personnel security
- All personnel with access to customer data sign confidentiality agreements.
- Security awareness training is delivered on a recurring basis.
- Background checks performed where permitted by law.
8. Vulnerability disclosure
If you've found a security issue affecting Reera, please email security@reera.io. Include reproduction steps and your PGP key if you wish to encrypt sensitive details. We will acknowledge receipt within two business days and keep you informed throughout the remediation. Please do not publicly disclose the issue until we've had a reasonable opportunity to address it.
9. Status & uptime
Real-time service status is published at reera.betteruptime.com. Subscribe to email or RSS notifications for incident updates.
10. Contact
Security questionnaire (CAIQ-Lite, SIG-Lite) under NDA, vendor risk assessments, or any other security inquiry: ali@reera.io.