Trust & Security
Enterprise-grade by default.
Every answer enterprise procurement asks for — already documented.
Certifications & compliance
- SOC 2 Type I: In progress
- SOC 2 Type II: Roadmap
- GDPR DPA: Available now
- HIPAA BAA: Available on Enterprise
Data protection
- Encryption at rest: AES-256 (key rotation: 90 days).
- Encryption in transit: TLS 1.3 (HSTS preload).
- Hard delete with cryptographic proof (GDPR forget()).
- Zero-retention mode (opt-in per namespace).
- PII detection + redaction at ingest (configurable).
- BYOK (bring your own key) — AWS KMS / GCP KMS / Azure Key Vault (Enterprise).
Subprocessors
| Vendor | Purpose | Region | DPA |
|---|---|---|---|
| Anthropic | LLM inference (Dream Engine) | US | Yes |
| OpenAI | Embeddings | US | Yes |
| Railway | Compute / background workers | US | Yes |
| Supabase | Primary memory database (Postgres + pgvector) | US (us-east-1) | Yes |
| Cloudflare | CDN / WAF | Global | Yes |
| Vercel | Frontend hosting / marketing site | Global edge | Yes |
| Stripe | Billing | US | Yes |
| | OAuth 2.0 (console login only) | Global | Yes |
Bug bounty & disclosure
Responsible disclosure rewarded. Scope: remlabs.ai, console.remlabs.ai, api.remlabs.ai. Report to dev@remlabs.ai. PGP key on /.well-known/security.txt.
We publish post-mortems within 5 business days for any SEV-1.
Documents
- Data Processing Agreement (DPA) — email dev@remlabs.ai
- Subprocessor list — on this page
- Privacy policy — /privacy
- Security whitepaper — Request via dev@remlabs.ai
- Threat model summary — Request via dev@remlabs.ai