Encryption
- AES-256 encryption for data at rest, including backups.
- TLS 1.2 or higher for all data in transit, with HSTS enforced.
- Production secrets managed via a hardware-backed Key Management Service with envelope encryption.
Access control
- Role-based access control with least-privilege defaults.
- Mandatory multi-factor authentication for all Reputafy staff.
- Production access requires just-in-time elevation with peer review, time-bound credentials, and full audit logging.
- Quarterly access reviews; immediate revocation on offboarding.
Application security
- SAST and dependency scanning on every pull request.
- Annual third-party penetration testing.
- Continuous vulnerability management with SLAs by severity.
- Logical tenant isolation: each Customer workspace is isolated from every other workspace.
Vulnerability disclosure program
We welcome reports from security researchers. Please send findings to amine@reputafy.com with a clear description, reproduction steps, and your contact information. We acknowledge within one business day and follow a coordinated disclosure timeline of up to 90 days, extended only with researcher agreement.
We do not pursue legal action against researchers who act in good faith and stay within the scope of this program: test only against a Reputafy account you own, keep automated scanning at or below 5 requests per second, do not exfiltrate data, and do not degrade the service.
Incident response
Process
We operate a documented incident-response runbook with a 24/7 on-call rotation. Severities map to response objectives:
- SEV-1 — service unavailable. 15-minute response target, 4-hour resolution target.
- SEV-2 — degraded performance or feature unavailability. 1-hour response, 24-hour resolution.
- SEV-3 — single-Customer impact or minor regression. Next-business-day response.
Customer notification
For confirmed personal-data breaches, we notify affected Customers without undue delay and within 72 hours of becoming aware, including the categories of data and individuals affected, likely consequences, and the measures we have taken.
Compliance roadmap
- GDPR / UK GDPR — in production.
- Google API Services User Data Policy — compliant, including the Limited Use requirements. See our Google API disclosure.
- SOC 2 Type II — observation period in progress.
- ISO 27001 — on roadmap.
- HIPAA (where applicable) — Business Associate Agreement available on the Enterprise plan.
Contact
Security questions, audits, or disclosures: amine@reputafy.com. For incident notifications you have received from us, reply to the original incident ticket.