Security
Security is foundational to ReductrAI's architecture. Your data never leaves your infrastructure.
Stateless by Design
ReductrAI's most important security feature is what we don't do:
Your Data Never Leaves Your Infrastructure
All telemetry processing happens locally. We never see, store, or transmit your logs, metrics, traces, or investigation data. There's nothing to breach because we don't have it.
Architecture Security
- Local Processing: All data analysis runs in your environment. Raw telemetry never leaves.
- No Phone Home: Only license validation and optional LLM queries leave your network.
- Human-in-the-Loop: No automated remediation without your explicit approval.
- Audit Trail: All investigations and approvals logged locally for compliance.
Infrastructure Security
- TLS Everywhere: All API communications encrypted in transit
- License Key Security: Keys are hashed, never stored in plain text
- Webhook Signing: HMAC signatures for webhook authenticity
- Rate Limiting: Protection against abuse and DoS attacks
- Open Source Agent: Security teams can audit the code that runs in your environment
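As an added illustration of the webhook-signing item above (example code, not ReductrAI's own implementation or its documented header format), the block below shows both sides of an HMAC-SHA256 webhook signature: the sender builds a signature over a timestamp plus the raw body, and the receiver recomputes it, rejects stale deliveries, and compares in constant time. The header name, the "t=...,v1=..." layout, and the five-minute replay window are assumptions for this example.

```python
import hmac
import hashlib
import time

# Assumed scheme for this example (not ReductrAI's documented format):
# header value "t=<unix_ts>,v1=<hex hmac-sha256>" computed over "<ts>.<raw_body>"
SIGNATURE_HEADER = "X-Webhook-Signature"  # assumed header name
TOLERANCE_SECONDS = 300  # reject deliveries whose timestamp is older than 5 minutes


def sign_payload(secret: bytes, body: bytes, timestamp: int) -> str:
    """Sender side: produce the signature header value for one delivery."""
    signed = f"{timestamp}.".encode() + body
    digest = hmac.new(secret, signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify_signature(secret: bytes, body: bytes, header: str, now=None) -> bool:
    """Receiver side: recompute the HMAC over the *raw* body (never a re-serialised
    copy), enforce the replay window, and compare digests in constant time."""
    now = int(time.time()) if now is None else now
    parts = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    try:
        ts = int(parts["t"])
        provided = parts["v1"]
    except (KeyError, ValueError):
        return False  # malformed header: treat as unsigned
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # outside the replay window
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    # Constructed sample: a shared secret and an approval event body
    secret = b"constructed-shared-secret"
    body = b'{"investigation":"inv-1","status":"approved"}'
    ts = int(time.time())
    header = sign_payload(secret, body, ts)
    print(SIGNATURE_HEADER, header)
    print("valid:", verify_signature(secret, body, header))
    print("tampered body rejected:", not verify_signature(secret, body + b" ", header))
```

Verifying the raw request bytes rather than a parsed-and-re-encoded body matters, since whitespace or key-order changes during re-serialisation would break the signature for legitimate deliveries.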
Compliance
ReductrAI's stateless architecture simplifies compliance because there's no customer data to protect on our side:
- SOC 2: Compatible — No customer data storage means reduced scope
- HIPAA: Compatible — PHI stays in your environment, we never see it
- GDPR: Compliant — We process minimal personal data (email for license only)
- PCI-DSS: Compatible — Payment data handled by Stripe, card data never touches us
Responsible Disclosure
We appreciate security researchers who help keep ReductrAI secure. If you discover a vulnerability:
- Email security@reductrai.com
- Include detailed reproduction steps
- Allow reasonable time for remediation before public disclosure