Trust & Security

How Reggie protects your data

We'd rather be defensibly honest than impressive. Below is what's true today, what's on the roadmap with a target, and what we deliberately don't claim.

Available today

Encryption in transit
TLS 1.3 on every request between your browser, Reggie's servers, and our database.
Encryption at rest
AES-256 on the managed Postgres database and storage.
EU data residency (primary database)
Your account, briefings, contacts and notes are stored in the EU region of our managed database provider.
Row-level isolation
Every user-data table enforces row-level security scoped to your account ID. Other users cannot read your contacts, threads or pinned items.
Authentication
Email + password and Google sign-in, with password reset and short-lived session tokens.
Source transparency
Every claim Reggie surfaces — in briefings, Ask answers, and enriched contacts — carries the original source URL. You can verify everything we tell you.
Data subject rights
Public request form for access, correction, objection and erasure — for users and for people enriched into a customer's network.
Two-factor authentication (TOTP)
Optional authenticator-app enrolment under Settings → Security, with re-auth required for account deletion.
Leaked-password check
New and changed passwords are blocked if they appear in the Have I Been Pwned breach database.
Configurable data retention
Per-user retention windows for intel items and Ask conversations (30 days–10 years), with a daily sweep. Contacts you've added are never auto-deleted.
Enrichment rate limit
Best-effort cap of 50 contact enrichments per 24 hours per user, to prevent runaway lookups.
Audit logging
Append-only log of sign-ins, contact lifecycle events, exports, deletions and pins. Visible per-user under Settings → Audit log, account-wide for admins, with CSV export and 1-year retention.

On the roadmap

SOC 2 Type II
Requires a 6–12 month observation window with an external auditor. We will publish the report once available. Until then we make no SOC 2 claim.
SSO / SAML for Enterprise
Supported by our auth provider; will be enabled per Enterprise customer on request.
EU-only LLM inference
Dependent on our model gateway's region support. Today, inference may route via non-EU regions; we'll document the current path in our DPA.

What we deliberately don't claim

End-to-end encryption
Reggie reads your data in plaintext to generate suggestions and match contacts. We claim 'encrypted in transit and at rest' — not E2EE — because that's the truth. Any vendor offering both LLM analysis and E2EE is mis-stating one of them.
ISO 27001
Not yet pursued. We won't list it until we hold the certificate.

Sub-processors

Third parties that process your data on our behalf. We update this list before adding a new one.

Provider | Purpose | Region
Managed Postgres & auth | Database, authentication, file storage | EU
LLM gateway (Gemini family) | Briefing analysis, Ask, contact matching | Mixed — documented in DPA
Firecrawl | Public web search for source verification and contact enrichment | US
Google | OAuth sign-in only (no data sharing) | US

Contact

Last reviewed: July 2026. Material changes to this page are dated.