We take security and our customers' data seriously. We follow best practices around encryption, access control,
software patching, and vulnerability detection. We also welcome any feedback, concerns, or questions you have.
If you believe you have found an issue or would like to disclose an issue, email us at
security@reflective.co.
Compliance at Reflective
We understand the value of compliance to our customers and are working on our SOC2 compliance. We have automated
compliance monitoring enabled in order to help us achieve those goals. Our latest
Vanta Report (password: reflective)
is available for review.
Our Security Best Practices
Reflective takes information security seriously and is dedicated to its continual improvement.
User Account Security
Product Access Control
Reflective personnel have access to customer data via controlled interfaces. The intent of providing access to personnel
is to provide effective customer support, troubleshoot potential problems, detect and respond to security incidents, and
implement data security.
Encryption
Reflective data is encrypted at rest with AES-256 block-level storage encryption, and network communication is secured
with TLS 1.2 to encrypt data in transit.
Change Management
Peer code reviews: all pull requests are reviewed by peers, whether it’s a new feature or bug fix.
Continuous code audits for security and vulnerabilities using Snyk
Continuous integration and delivery: we use GitHub for our CI tooling. Every PR that is merged is automatically subjected to
a pipeline of rigorous tests and analysis as appropriate for the code that is being merged.
Robust unit testing
Cloud Security
Reflective utilizes Heroku and Amazon Web Services (AWS) as its cloud service providers and leverages their security and compliance
controls for data center physical security and cloud infrastructure. Further resources for these service providers can be found on the
Heroku Security Policy and AWS Security Cloud website.
Monitoring & Logging
Availability
To ensure users have real-time service availability updates, Reflective maintains a