Skip to main content
Trust & security

Security overview

Sales calls contain deal-sensitive information. Here is exactly how we protect it.

Encryption at rest
AES-256
Encryption in transit
TLS 1.3
Compliance
SOC 2 Type II (in progress, Q3 2026)
Data residency
US (default) · EU available
Identity
SAML SSO · SCIM provisioning
Model training
Never trained on customer data

Encryption

All recordings, transcripts, and extracted insights are encrypted at rest using AES-256. All data transmitted between your browser, our API, and integrated services (HubSpot, Salesforce, Pipedrive, Slack) is protected by TLS 1.3. Encryption keys are managed via AWS KMS with automatic annual rotation.

Access controls

Production system access is restricted to a small number of authorised Reelo engineers via MFA-enforced SSO (Okta). We follow the principle of least privilege — engineers have access only to the systems required for their role. All access is logged and reviewed quarterly.

Customer data is logically isolated by organisation. No Reelo engineer accesses customer recordings or transcripts in the normal course of operations without an explicit support request from a customer admin.

SOC 2 Type II

We are currently pursuing SOC 2 Type II certification with an expected audit completion of Q3 2026. Our controls cover Security, Availability, and Confidentiality trust service criteria. Business plan customers may request a copy of our current security posture document and third-party penetration test summary under NDA by contacting security@reelo.ai.

Data residency

By default, all customer data is stored in AWS us-east-1 (Virginia, USA). Business plan customers may elect EU-only data residency, which routes and stores all data exclusively in AWS eu-west-1 (Dublin, Ireland). Data residency is configured at the organisation level before onboarding and cannot be changed retroactively.

Enterprise identity

Team and Business plans include SAML 2.0 SSO with major IdPs (Okta, Azure AD, Google Workspace). Business plans additionally include SCIM 2.0 provisioning for automated user lifecycle management, plus an audit log retaining all admin actions for 12 months.

Subprocessors and data sharing

We use a limited set of subprocessors to operate the service: AWS (infrastructure), Stripe (payments), Sentry (error monitoring), and Anthropic (AI model inference for insight extraction). A complete and current subprocessor list is available on request.

We never sell customer data. We never use customer recordings or transcripts to train our AI models or any third-party models.

Responsible disclosure

If you discover a security vulnerability in Reelo, please report it to security@reelo.ai. We aim to acknowledge all reports within one business day and resolve confirmed vulnerabilities within 30 days. We do not pursue legal action against researchers acting in good faith.