Security & Trust

Built for enterprise IT review. Here's how Reflex handles your data, secures its integrations with your systems, and protects your team's privacy.

SOC 2 Compliance

Reflex is pursuing SOC 2 Type I certification (Security criteria). Our security controls are built on EY-audited policy frameworks and designed for the AICPA Trust Services Criteria.

Infrastructure

All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Processing occurs in isolated, ephemeral compute environments with no persistent storage of raw data. Full infrastructure and subprocessor details are provided under NDA during security review.

Data Handling

Reflex integrates with client systems at the company level, not at the employee level. We never access employee devices, keystrokes, screens, or individual activity. Ingested data is processed in isolated, ephemeral environments and discarded after analysis. Only aggregated process-flow patterns are retained for ongoing analysis. Integration architecture, access scopes, and data handling specifics are provided under NDA during security review.

Integration Security

Reflex integrates with client systems via OAuth 2.0 with the minimum required read-only scopes. API credentials are encrypted at rest with hardware-backed key management and never stored in application code. Integrations can be provisioned and revoked instantly by the client's IT team. No software is installed on any employee machine.

Supported Integrations

Reflex connects to the common business systems your team already runs on: ERP, WMS, TMS, PMS, CRM, accounting, and other day-to-day operational tools. Custom integrations are available for proprietary or legacy systems.

Data Processing Agreement

Every Reflex engagement includes a Data Processing Agreement governing data collection scope, processing purposes, retention periods, and deletion procedures.

Security Questions?

Contact us at security@reflexinsight.com