Reflective - Security

Security at Reflective

We take security and our customer's data seriously. We follow best practices around encryption, access control, software patching, and vunerability detection. We also welcome any feedback, concerns, or questions you have.

If you believe you have found an issue or would like to disclose an issue, email us at security@reflective.co.

Compliance at Reflective

We understand the value of compliance to our customers and are working on our SOC2 compliance. We have automated compliance monitoring enabled in order to help us acheive those goals. Our latest Vanta Report (password: reflective) is available for review.

Our Security Best Practices

Reflective takes information security seriously and is dedicated to its continual improvement.

User Account Security

Product Access Control

Reflective personnel have access to customer data via controlled interfaces. The intent of providing access to personnel is to provide effective customer support, troubleshoot potential problms, detect and respond to security incidents, and implement data security.

Encryption

Reflective data is encrypted at rest with AES-256, block-level storage encryption in addition to securing network communication with TLS 1.2 for encrypting data in transit.

Change Management

Peer code reviews: all pull requests are reviewed by peers, whether it’s a new feature or bug fix.
Continuous code audits for security and vulnerabilities using Snyk
Continuous integration and delivery: we use Github for our CI tooling. Every PR that is merged is automatically subjected to a pipeline of rigorous tests and analysis as appropriate for the code that is being merged.
Robust unit testing

Cloud Security

Reflective utilizes Heroku and Amazon Web Services (AWS) as its cloud service providers and leverages their' security and compliance controls for data center physical security and cloud infrastructure. Further resources for these service providers can be found on the Heroku Security Policy and AWS Security Cloud website.

Monitoring & Logging

Availability

To ensure users have real-time service availability updates, Reflective maintains a

Status page.

Logging

Reflective maintains a comprehensive log of all app activity. App activity is extensively logged internally for troubleshooting and support.

Disclosure Policy

Any findings and disclosures must:

Not disrupt or impact site health and performance while evaluating.
Not be disclosed publicly until we have been given time to mitigate the issues.
Be encrypted if contains any sensitive data.
Sent to security@reflective.co with categorization and any proof of concept.

Reflective will:

Respond within 72 hours of disclosure.
Mitigate findings and work with researcher to understand impact.
Provide public disclosure of incident and accredit researcher for finding the issue.
Disclosure to users vulnerability and it's impact to their data.

We do not have a bug bounty at this time.

Keys

Disclosures

None at this time.