Security

Our commitments, our architecture, and what we'd like you to verify yourself.

Infrastructure

Reconnaissance runs on:

  • Netlify for frontend hosting and serverless functions. ISO 27001 / SOC 2 Type II certified.
  • Supabase (AWS-backed Postgres) for primary data storage. SOC 2 Type II certified. US region by default, EU region available on Enterprise.
  • Cloudflare in front of all user traffic for DDoS protection and WAF.

Data encryption

  • In transit: TLS 1.3 everywhere. HSTS enforced.
  • At rest: AES-256 at the database layer. CRM tokens encrypted with a separate key.
  • Secrets management: No secrets committed to the repo. Environment variables managed in Netlify and Supabase.

Access controls

  • Row-level security enforced on every public Postgres table — users can only read and write their own workspace's data.
  • Service-role key (bypasses RLS) held only in Netlify Functions. Never exposed to the browser.
  • Google OAuth for authentication. Magic-link fallback for users without Google.
  • SSO / SAML available on Enterprise (Okta, Azure AD, Google Workspace).
  • Team access to production data is logged, time-limited, and requires 2FA.

AI & prompt privacy

When we call an LLM provider (Anthropic, OpenAI, Google) on your behalf, we do so under their B2B terms that prohibit training on your content. Your prompts, your research, and your outreach are never used to train a generic model.

LinkedIn OAuth tokens are stored exclusively server-side in a dedicated linkedin_tokens table and never exposed to the browser. All LinkedIn API calls go through our server-side proxy.

Error monitoring

We use Sentry for error monitoring in both the frontend and serverless functions. Before events are uploaded, a scrubber strips email addresses, API keys, HubSpot tokens, LinkedIn URLs, and full request bodies. Only opaque Google OAuth subjects identify users in error reports.
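As an added illustration of the scrubbing step described above (example code, not Reconnaissance's own scrubber), the following `beforeSend`-style function redacts the listed fields before an event leaves the process. It assumes Sentry's event shape (`message`, `request`, `user`, `extra`) and uses illustrative token patterns; the sample event is constructed.

```javascript
// Added example (not Reconnaissance's code): a Sentry beforeSend-style scrubber.
// Assumptions: events use the Sentry event shape (message, request, user, extra);
// token patterns are illustrative (HubSpot private-app tokens assumed to start with
// "pat-", generic API keys assumed to be long prefixed strings).
const EMAIL_RE = /[\w.+-]+@[\w-]+(\.[\w-]+)+/g;
const LINKEDIN_RE = /https?:\/\/(www\.)?linkedin\.com\/[^\s"']+/g;
const HUBSPOT_RE = /\bpat-[a-z0-9-]{10,}\b/gi;
const API_KEY_RE = /\b(sk|key|token)[-_][A-Za-z0-9_-]{16,}\b/g;

function scrubString(s) {
  return s.replace(EMAIL_RE, "[email]").replace(LINKEDIN_RE, "[linkedin-url]")
    .replace(HUBSPOT_RE, "[hubspot-token]").replace(API_KEY_RE, "[api-key]");
}

// Recursively scrub every string in a JSON-like value; returns a new value, input untouched.
function scrubValue(v) {
  if (typeof v === "string") return scrubString(v);
  if (Array.isArray(v)) return v.map(scrubValue);
  if (v && typeof v === "object") {
    return Object.fromEntries(Object.entries(v).map(([k, x]) => [k, scrubValue(x)]));
  }
  return v;
}

// Drop-in for Sentry.init({ beforeSend: scrubEvent }): returns the sanitized event.
function scrubEvent(event) {
  const out = scrubValue(event);
  if (out.request) {
    delete out.request.data; // never upload full request bodies
    for (const h of Object.keys(out.request.headers || {})) {
      if (/^(authorization|cookie)$/i.test(h)) delete out.request.headers[h];
    }
  }
  // Keep only the opaque OAuth subject (user.id); drop email, name, IP.
  if (out.user) out.user = out.user.id !== undefined ? { id: out.user.id } : {};
  return out;
}

// Constructed sample event for demonstration; all values are made up.
const SAMPLE_EVENT = {
  message: "Enrich failed for alice@example.com via https://www.linkedin.com/in/alice-smith",
  request: {
    url: "/api/enrich",
    headers: { Authorization: "Bearer sk_live_abcdefghijklmnop1234", "Content-Type": "application/json" },
    data: { hubspotToken: "pat-na1-0123456789abcdef" },
  },
  user: { id: "109847", email: "alice@example.com", ip_address: "203.0.113.5" },
  extra: { note: "retry with key_abcdefghijklmnopqrstuvwx" },
};
```

Running `scrubEvent(SAMPLE_EVENT)` leaves only the opaque user id, a redacted message, and the non-sensitive headers; the request body is dropped entirely.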

Vulnerability disclosure

Found a security issue? We appreciate responsible disclosure. Email security@reconnaissance.ai with:

  • A description of the issue
  • Reproduction steps
  • Your assessment of impact

We'll acknowledge within 48 hours and keep you updated until the issue is resolved.

Compliance roadmap

SOC 2 Type II audit is in progress with a targeted completion of Q3 2026. GDPR-ready today (Enterprise DPA available). HIPAA is not currently in scope.

What we don't do

  • We don't send marketing emails based on your prospect data. Your prospect list stays in your workspace.
  • We don't sell data to list brokers.
  • We don't store plain-text passwords. Authentication goes through OAuth providers.
  • We don't run the Chrome extension without your consent — it requires explicit install and key entry.

Incident response

In the event of a security incident affecting customer data, we will notify affected customers within 72 hours of confirming the incident, as required by GDPR. Post-incident reports are published at status.reconnaissance-ai.com.

Contact

Security questions: security@reconnaissance.ai.