Security at REPŌ

All customer data is encrypted in transit and at rest. We don't make exceptions for internal traffic, log streams, or backups.

• TLS 1.3 for every public-facing endpoint, with HSTS and modern cipher suites only.
• AES-256 encryption at rest for the primary database, file storage, and automated backups.
• Per-tenant encryption keys managed by our cloud KMS with quarterly rotation.
• Internal service-to-service traffic is mTLS-authenticated inside a private network.

Authentication uses industry-standard primitives. Authorization is role-based and enforced at the database row level.

• Passwords hashed with bcrypt at a cost factor of 12. We never store plaintext passwords or password hints.
• Optional Google SSO for workspace login, with the same RBAC checks applied as email/password.
• Role-based access control (RBAC) with three default roles — Owner, Admin, Member — and row-level security policies enforced inside the database itself.
• Leaked-password protection against the Have I Been Pwned database is checked on every signup and password change.
• Session tokens are short-lived JWTs with refresh-token rotation and immediate revocation on logout.

You always know where your data lives. Customer data is hosted in regional data centers and never silently migrated.

• Primary data stored in US East by default. EU residency available on request for customers operating under GDPR.
• Backups are stored in the same region as the primary database — they do not cross regional boundaries.
• Subprocessors are contractually bound to the same residency commitments.
• A current list of subprocessors is available on request to security@repoai.app.

REPŌ is built to meet the data-protection obligations our customers operate under.

• GDPR — we act as a data processor under Article 28. A Data Processing Agreement (DPA) is available on request and required for EU customers.
• CCPA — California residents can request access, deletion, or export of their personal information at any time via privacy@repoai.app.
• HIPAA — a Business Associate Agreement (BAA) is available for healthcare customers on the Growth and Agency plans.
• SOC 2 Type II — currently in progress. Our Type I report is targeted for Q3 2026 and Type II for Q1 2027. We will publish the report under NDA when available.

We monitor production 24/7 and follow a written incident response plan rehearsed quarterly.

• On-call engineering rotation, paged within 5 minutes of any P1 alert.
• Customer notification within 72 hours of any confirmed personal data breach (per GDPR Article 33).
• Status page at status.repoai.app reflects all customer-facing incidents in real time.
• Post-incident reviews are written for every P1, with a redacted summary shared with affected customers.

Security is part of the development lifecycle, not a separate audit phase.

• Dependency vulnerability scanning runs on every pull request. High and critical CVEs block merge.
• Static application security testing (SAST) on every build.
• Annual third-party penetration tests. Summary reports available under NDA.
• Bug bounty available — see the disclosure section below.