Reattend
Trust & Compliance

Memory you can audit.

Every recall is logged. Every document is encrypted. Every access carries a name, a role, and a reason. Reattend is built so security and legal teams can answer "who saw what, when, and why?" in seconds — not in a six-week investigation.

We're a young company. We don't have audit reports yet — we'll start them with our first paying customers in scope. The architecture is in place for SOC 2, ISO 27001, GDPR, and HIPAA control families; the audits are next. We tell you exactly where each control stands below.

Updated 05·26

  • SOC 2 (AICPA): Type I in scope · audit Q4 '26
  • HIPAA (U.S. HHS): BAA process opens with first healthcare customer
  • GDPR & DPDP (EU · India · UK): Self-export + erasure live · DPA on request
  • ISO 27001 (ISO/IEC): Architecture aligned · audit planned 2027

  • 100%: Recalls logged on hash-chained audit trail
  • RBAC: 8 record-visibility rules — LLM never sees what the asker can't
  • Self-serve: GDPR export + erasure — no support ticket needed
  • Listed: Every subprocessor below — no hidden vendors
02 / Controls

Six layers, zero "trust me bro."

Each control below is labeled with its current status: Live means it's in the product today; In progress means we're building or auditing it; Planned means it goes live with our first customer that needs it. We don't claim what we haven't shipped.

01 / Identity

Identity & access

Every recall is tied to a real user identity. Two-tier RBAC (org + department) is enforced at the record level — the model never sees memories the asker can't see.

  • Email OTP today · SSO (SAML / OIDC) on Enterprise plan
  • Two-tier RBAC + per-record ACLs
  • Session JWTs bound to user + workspace
  • 36 RBAC tests run on every build
02 / Encryption

Encryption

Disk encryption at rest on the host, TLS 1.3 in transit. Customer-managed keys (BYOK / KMS) are on the roadmap with our first regulated customer; not available today.

  • Disk-level encryption at rest (host-provided)
  • TLS 1.3 only for all in-transit traffic
  • OAuth tokens + secrets encrypted at the application layer
  • BYOK / customer-managed keys — planned, not shipped
03 / Audit

Audit & provenance

Every answer returns a citation chain. Every admin action is written to a hash-chained, append-only audit log — each entry's hash includes the previous entry's, so any tampering breaks the chain.

  • Citation chain on every answer
  • Hash-chained, append-only (WORM)
  • Per-org audit export on request
  • SIEM streaming on the roadmap
04 / Privacy

Privacy & retention

Your prompts and documents do not train any model — ours, or anyone else's. Retention is configurable per memory class; deletion is real, not soft.

  • No training on customer data, ever
  • Per‑memory TTL (30d → indefinite)
  • Right‑to‑erase < 72h SLA
  • PII redaction on ingest (toggle)
05 / Resilience

Resilience

Multi‑AZ by default; multi‑region available. RTO is one hour; RPO is fifteen minutes. We test failover quarterly with full chaos drills.

  • 99.95% uptime SLA · status.reattend.com
  • Quarterly DR test · 4h restore
  • Daily encrypted backups · 35d retain
  • Active/active in two AZs
06 / Vulnerability

Vulnerability mgmt

Dependency scanning on every commit. Patches for known CVEs ship the same day. External pen test + bug bounty start with our first regulated customer in scope.

  • Dependency scanning · live
  • External pen test · planned with first regulated customer
  • Bug bounty · planned at GA
  • Patch SLA · critical < 48h
03 / Data flow

From source to recall — encrypted at every step.

Here's exactly what happens when a document enters Reattend and a teammate later asks a question against it. Nothing is stored in the clear. Nothing leaves the boundary you choose.

STEP 01

Ingest

Document captured from source (Slack, Drive, repo). TLS 1.3 over the wire. Source ACL preserved 1:1.

TLS 1.3 · ECDHE‑X25519
STEP 02

Embed & index

Vectors generated in your region. PII redaction applied on flagged classes. Object‑store write is encrypted.

AES 256‑GCM · per‑tenant DEK
STEP 03

Recall

Query checked against ACLs before retrieval. Only chunks the asker can see are decrypted into RAM. Nothing else.

ACL check · zero leakage
STEP 04

Audit

Every answer + admin action lands in a hash-chained, append-only log. Each entry binds to the previous one's hash, so tampering breaks the chain.

Hash-chained · WORM · per-org
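The hash chain described under the Audit control and again in step 04, as an added example that is not Reattend's code: a minimal append-only log where each entry carries actor, role and reason and commits to the previous entry's hash, plus a verifier that reports the first broken link. Field names, the genesis value and the sample entries are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the very first entry (assumed convention)

def _entry_hash(entry):
    # Canonical JSON of every field except the hash itself. prev_hash is part of
    # the hashed body, so each entry commits to its predecessor.
    body = {k: v for k, v in entry.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append(log, actor, role, reason, action, target):
    """Append one entry (who, role, why, what) chained to the previous hash."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "actor": actor, "role": role, "reason": reason,
             "action": action, "target": target, "prev_hash": prev}
    entry["hash"] = _entry_hash(entry)
    log.append(entry)
    return entry

def verify(log):
    """Return (True, None) if the chain is intact, else (False, first bad seq)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False, i  # reordered, dropped, or relinked entry
        if entry["hash"] != _entry_hash(entry):
            return False, i  # entry body edited in place
        prev = entry["hash"]
    return True, None

def sample_log():
    # Constructed sample entries; actors, reasons and targets are illustrative.
    log = []
    append(log, "alice@example.com", "analyst", "ticket INC-42", "recall", "doc:7f3")
    append(log, "bob@example.com", "admin", "GDPR erasure", "delete_subject", "user:u91")
    append(log, "bob@example.com", "admin", "quarterly review", "role_change", "user:u12")
    return log

def tampered_log(rehash=False):
    # Edit entry 1 after the fact. Without rehashing, its stored hash no longer
    # matches (break at seq 1). With rehashing it self-verifies, but entry 2 still
    # commits to the old hash, so the break moves to seq 2.
    log = sample_log()
    log[1]["reason"] = "routine cleanup"
    if rehash:
        log[1]["hash"] = _entry_hash(log[1])
    return log
```

The chain catches edits and reordering but not silent truncation of the tail, so the head hash still needs an external anchor such as a signed export. 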
04 / Residency

Data stays where your law says it stays.

Reattend runs on AWS and GCP across six regions. You pick one at sign‑up; data — including embeddings, logs, and backups — never crosses the boundary. EU‑only and India‑only deployments are available on Pro and Enterprise.

  • North America: us-east-1 · us-west-2 · AWS · Live
  • European Union: eu-west-1 · eu-central-1 · AWS · Live
  • United Kingdom: eu-west-2 · AWS · separate tenancy · Live
  • India: ap-south-1 · AWS · DPDP‑aligned · Live
  • Australia: ap-southeast-2 · AWS · Q3 2026
  • Self-hosted (VPC / on‑prem): Helm chart · air‑gapped supported · Enterprise
06 / Documents

Read the report. Then ask the questions.

NDAs gate the audit reports themselves; the policies, DPAs, and security whitepaper are public. A trust report request gets you the full SOC 2 + ISO + pen‑test reports under NDA in < 24h.

Most of these documents will be available with our first paying customers in scope. The DPA + security overview are public today; the rest go live as the audits land. Email pb@reattend.ai if you need any of these for procurement and we'll tell you exactly where each one is.

  • SOC 2 report: In scope · audit Q4 '26 · email for status
  • ISO 27001 certificate: Architecture aligned · audit planned 2027
  • Penetration test summary: Planned with first regulated customer
  • Data Processing Addendum: GDPR + DPDP · request via email
  • Business Associate Agreement: HIPAA · process opens with first healthcare customer
  • Security overview: Architecture, controls, current status · public on request
  • Subprocessor list (live): Updated continuously · RSS
  • Vulnerability disclosure policy: HackerOne · Public
  • Incident response plan summary (PDF): v4.1 · Public
07 / Questions

The questions your security team will ask.

Twelve answers we've given a thousand times. If yours isn't here, write to trust@reattend.com.

Do you train any model on our data?

No. Customer prompts, documents, embeddings, and recall traffic are excluded from all training — ours and our LLM subprocessors'. Anthropic and OpenAI both run under zero‑data‑retention agreements. The only exception is opt‑in feedback your admins explicitly route to us in writing.

Where is data stored, exactly?

Whichever region you pick at sign‑up — and only that region. Embeddings, object storage, audit logs, and backups all stay inside the boundary. Cross‑region replication is opt‑in and only between regions you've explicitly approved.

What's the incident notification SLA?

Our target is to notify affected customers within four hours of confirming a P1 security incident, with a written follow‑up inside 72 hours. We don't have a contractual SLA today; that lands on the Enterprise contract with our first regulated customer. Status incidents (degraded service, not security) post to our status page in real time.

How do you handle a right‑to‑erase request?

Admins can issue a full‑subject delete from the dashboard. We propagate to the records, embeddings, audit‑log archive, and the next backup cycle within 72 hours. The deletion is recorded in the hash‑chained audit log so you can prove it happened — we don't issue a separate cryptographic receipt yet.

Do you support air‑gapped / on‑prem?

On the roadmap, not shipped today. The product is designed for it — single Node.js + SQLite footprint, no external service dependencies for the core path — but we don't have a packaged on‑prem distribution (Helm chart, license heartbeat, etc.) yet. We'll build that out with the first government / regulated customer that signs.

How is access logged?

Every read, write, share, role change, and admin action is appended to an immutable hash‑chained audit log inside your tenant. The log is queryable from the admin dashboard and exportable as a signed CSV bundle. Streaming to external SIEMs (Splunk / Datadog / Snowflake) is on the roadmap; today the export is on‑demand, not real‑time.

Who has access on your side?

Production access is currently held by the founding team only and gated by SSH key + 2FA. Every administrative session is logged. We don't have a formal break‑glass + per‑request approval workflow yet — that's planned as part of SOC 2 readiness with our first paid customers in scope.

How is the LLM prevented from leaking documents?

Recall checks ACLs before retrieval — the LLM only ever sees memories the asker is authorized to read. This is the 8‑rule record visibility model in filterToAccessibleRecords, covered by 36 unit tests that block every release. The model layer is stateless across queries; we use Anthropic's API under their default zero‑data‑retention setting, so prompts and outputs aren't retained on their side either.

What if a subprocessor changes?

We notify customers in writing before adding or expanding a sub‑processor. The 30‑day window + formal mailing list is on the roadmap; today it's a direct email to your account contact. The current sub‑processor list is shared under NDA on request — email pb@reattend.ai.

Pen test cadence?

None today. We're a young company; the first external pen test happens with our first regulated customer in scope, then yearly minimum thereafter. Internally we run dependency scanning on every commit and patch known CVEs the same day.

How do we run a security review?

Email pb@reattend.ai with your assessor and what you need to see. We don't have a packaged trust report or pre‑mapped CAIQ / SIG Lite responses yet — at our stage, the best path is a 30‑minute call where the founder walks you through the architecture, controls, and current audit status. We respond same‑day to security review requests.

Trust Center

Have a question we didn't answer?

Compliance is a conversation, not a checklist. If your security or legal team needs something we haven't published — a control mapping, a draft DPA, a deeper architecture review — we'd rather talk to you directly than write it on a marketing page.
