# Reflex — Security & trust overview (procurement brief)

**Version:** 2026-05  
**Purpose:** One-page orientation for vendor risk reviews. Not a substitute for a signed DPA or enterprise order form.

## 1. Product boundary

Reflex provides a **control plane** (web app, APIs) and optional **server agents** that run on customer Linux hosts. You remain the data controller for application and end-user content on your servers; Reflex processes operational telemetry and configuration you send to the platform under your instructions.

## 2. Encryption and transport

- Dashboard and API traffic use **HTTPS (TLS 1.2+)**.
- Agent authentication uses **scoped tokens**; rotate from the UI if a host is decommissioned.

## 3. Compliance roadmap

- **SOC 2 Type II:** Currently on a **readiness path** (controls are being operated and evidence collected, but no report is assumed here); ask sales for the latest SOC report or bridge letter before relying on certification in contracts.
- **GDPR (UK/EU):** Privacy policy and DPA templates cover lawful bases, retention, subprocessors, and international transfers. Enterprise buyers may request the **subprocessor register** and **RPA** excerpts.

## 4. Vulnerability disclosure

Report security issues only through the process on **[/security](/security)**. Please allow reasonable time to remediate before any public disclosure.

## 5. Enterprise add-ons

- **SSO / SCIM:** Directory-driven access with seat limits enforced for Solo/Studio (see billing FAQ).
- **Audit trail:** Retention varies by tier; exports are available to workspace admins.

---

*For the live trust narrative and links to policies, see **[/trust](/trust)**.*
