
Security

Our commitment to protecting your data and maintaining the highest security standards.

At ReaTech, security is at the core of everything we do. As a compliance automation platform, we hold ourselves to the same rigorous standards we help our customers achieve. This page outlines the security measures we employ to protect your data and ensure the integrity of the Sentinel platform.


Infrastructure Security

Sentinel is built on a secure, modern cloud infrastructure designed for reliability and protection.

  • Cloud hosting — Sentinel is hosted on Amazon Web Services (AWS), leveraging SOC 2 Type II certified infrastructure with enterprise-grade physical and network security
  • Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all connections.
  • Encryption at rest — all data stored in our databases is encrypted at rest with AES-256
  • Network isolation — our production environment is deployed within isolated virtual private clouds (VPCs) with strict security group rules and network access control lists
  • DDoS protection — we utilize AWS Shield and other measures to protect against distributed denial-of-service attacks
  • Automated backups — databases are backed up automatically with encrypted backups stored in geographically separate regions

Application Security

We follow security best practices throughout our software development lifecycle.

  • Secure authentication — passwords are hashed using bcrypt with a high cost factor (12). We never store plaintext passwords.
  • JWT-based sessions — authenticated sessions use JSON Web Tokens with configurable expiration and secure signing
  • Role-based access control (RBAC) — users are assigned roles (Admin, Member, Viewer) that determine their permissions within the platform
  • Input validation — all user inputs are validated and sanitized using schema validation (Zod) to prevent injection attacks
  • Rate limiting — API endpoints are protected by rate limiting to prevent abuse and brute-force attacks
  • Dependency management — we regularly audit and update third-party dependencies to address known vulnerabilities
  • CORS protection — cross-origin resource sharing is configured to only allow requests from authorized domains

Data Protection

Protecting your data — especially sensitive cloud credentials — is our highest priority.

Credential Management

  • Encryption — cloud integration credentials (AWS access keys, GitHub tokens, Google Workspace tokens) are encrypted using AES-256 with dedicated encryption keys before storage
  • No plaintext exposure — credentials are never logged, displayed in the UI, or exposed in API responses after initial setup
  • Minimal permissions — we recommend and document the minimum required permissions for each integration, following the principle of least privilege
  • Instant revocation — you can disconnect any integration at any time, immediately revoking Sentinel's access to your cloud accounts

Tenant Isolation

  • Logical separation — each company's data is logically isolated at the application and database level. All queries are scoped to the authenticated user's company.
  • Access controls — users can only access data belonging to their own organization. Cross-tenant access is architecturally prevented.
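The scoping the two bullets above describe, shown as an added TypeScript example (not Sentinel's code; all names, roles and records are constructed): a repository bound to the authenticated principal applies the company filter to every query, shown next to the weaker pattern that takes the company id as a caller-supplied parameter.

```typescript
// Added example, not Sentinel's code: tenant scoping enforced in the data-access
// layer. Names, types and records below are constructed for illustration.
type Role = "Admin" | "Member" | "Viewer";

interface Principal {
  userId: string;
  companyId: string; // taken from the verified session, never from the request
  role: Role;
}

interface EvidenceRecord {
  id: string;
  companyId: string;
  control: string;
}

// Constructed sample store holding records for two tenants.
const EVIDENCE: readonly EvidenceRecord[] = [
  { id: "ev-1", companyId: "acme", control: "CC6.1" },
  { id: "ev-2", companyId: "acme", control: "CC7.2" },
  { id: "ev-3", companyId: "globex", control: "CC6.1" },
];

// Weak pattern: the tenant id is a caller-supplied parameter. Any omission in
// the calling code lets a request name another company's id.
function getEvidenceByParams(companyId: string, id: string): EvidenceRecord | undefined {
  return EVIDENCE.find((r) => r.companyId === companyId && r.id === id);
}

// Scoped pattern: the repository is bound to the authenticated principal, so
// every query carries the tenant filter and callers cannot forget or override it.
class TenantScopedRepo {
  private readonly principal: Principal;
  constructor(principal: Principal) {
    this.principal = principal;
  }
  listEvidence(): EvidenceRecord[] {
    return EVIDENCE.filter((r) => r.companyId === this.principal.companyId);
  }
  // A record owned by another tenant is indistinguishable from a missing one.
  getEvidence(id: string): EvidenceRecord | undefined {
    return EVIDENCE.find((r) => r.id === id && r.companyId === this.principal.companyId);
  }
  // Role check layered on top of tenant scoping: Viewers are read-only.
  canWrite(): boolean {
    return this.principal.role !== "Viewer";
  }
}
```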

Data Minimization

  • We collect only the data necessary to provide compliance evidence and assessments
  • Compliance checks use read-only access to your cloud accounts wherever possible
  • Evidence data is retained only for as long as your account is active

Organizational Security

  • Security awareness — all team members complete security awareness training and follow secure development practices
  • Principle of least privilege — internal access to production systems and customer data is restricted to only those who require it for their role
  • Code review — all code changes undergo peer review before deployment, with a focus on security considerations
  • Secure development — we follow OWASP guidelines and security best practices in our development process

Incident Response

We maintain a comprehensive incident response plan to address security events quickly and effectively.

  • 24-hour response — our incident response team is prepared to respond to security incidents within 24 hours of detection
  • Customer notification — in the event of a confirmed data breach affecting your data, we will notify you within 72 hours in accordance with applicable laws and regulations
  • Post-incident review — every security incident undergoes a thorough post-incident review, and we implement corrective measures to prevent recurrence
  • Transparent communication — we believe in transparent communication about security events and will provide timely updates during any incident

Compliance

As a compliance automation platform, we practice what we preach.

  • SOC 2 — we are pursuing SOC 2 Type II certification for our own operations
  • Penetration testing — we conduct regular penetration testing by qualified third-party security firms
  • Vulnerability management — we maintain an active vulnerability management program with regular scanning and timely remediation
  • GDPR compliance — we comply with the General Data Protection Regulation for our EU/EEA users. See our GDPR page for details.

Responsible Disclosure

We value the work of security researchers and welcome responsible disclosure of vulnerabilities. If you discover a security issue in Sentinel, please report it to us:

  • Email: nicholas@reatech.io

Please provide a detailed description of the vulnerability, steps to reproduce it, and any supporting evidence. We ask that you:

  • Allow us reasonable time to investigate and address the issue before public disclosure
  • Avoid accessing or modifying other users' data
  • Act in good faith to avoid disruption to our services

We are committed to working with security researchers and will not pursue legal action against individuals who discover and report vulnerabilities responsibly.

Contact

For security-related inquiries, please contact us at nicholas@reatech.io.

© 2026 ReaTech. All rights reserved.