Security & Trust

Built for enterprise IT review. Here's how Reflex handles your data, secures your endpoints, and protects your team's privacy.

SOC 2 Compliance

Reflex is pursuing SOC 2 Type I certification (Security criteria). Our security controls are built on EY-audited policy frameworks and designed for the AICPA Trust Services Criteria.

Infrastructure

Reflex runs on AWS (Lambda, S3, KMS) with Supabase for application data. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Processing occurs in isolated Lambda functions with no persistent compute.

Data Handling

Workflow data is processed at the edge (on the endpoint itself) before any data leaves the workstation. Only encrypted, aggregated patterns are transmitted. Raw data is processed in ephemeral Lambda functions and discarded after analysis. Only aggregated, anonymized workflow patterns are stored for ongoing analysis. Reflex does not produce or store individual employee performance data. All analysis is aggregated at the workflow level.

Endpoint Component Security

The Reflex platform component is code-signed (EV certificate) for both Windows and macOS. It runs as a user-space process with no elevated privileges. It can be deployed and removed via standard endpoint management tools (Intune, Jamf, etc.).

Data Processing Agreement

Every Reflex engagement includes a Data Processing Agreement governing data collection scope, processing purposes, retention periods, and deletion procedures.

Subprocessors

AWS (infrastructure), Supabase (application database). The full subprocessor list, with data handling details, is available in the DPA.

Security Questions?

Contact us at security@reflexinsight.com