Built for examination.
A forensic evidence system that can't defend its own data integrity is worthless. Every architectural decision in Redan starts with this question.
Data
Encrypted. Isolated. US-resident.
Encryption
Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Encryption is applied at the infrastructure layer — not bolted on at the application level.
US Data Residency
All customer data is stored in US-based data centers (East Coast region). Data does not leave US infrastructure by default.
Tenant Isolation
Every data row is scoped to a firm_id. Postgres RLS policies enforce tenant isolation at the database layer — not the application layer. No firm can access another firm's data even if application code fails.
Infrastructure
Production-grade infrastructure.
Database & Authentication
Database and authentication run on SOC 2 Type II certified cloud infrastructure, hosted in the United States. Redan inherits this infrastructure certification at the platform layer.
Edge Delivery
Application delivered via a globally distributed edge network with automatic HTTPS enforcement and DDoS mitigation. Infrastructure uptime SLA: 99.99%.
Point-in-Time Recovery
Database backups support point-in-time recovery (PITR). In the event of data loss, the platform can restore to any point within the retention window.
Access & Authentication
Least privilege, by design.
Role-Based Access Control
Role boundaries enforced server-side on every API request — not just in the UI. Firm Admin, CCO, Marketing, Employee, and Viewer roles each have distinct, non-overlapping permission sets.
Authentication
Managed authentication service with email + password or magic link. Sessions managed via JWT with server-side validation on every protected request.
TOTP Multi-Factor Authentication
Authenticator-app MFA (TOTP) is available for all users. Required at login once enrolled. Recovery codes are provided at enrollment and manageable from security settings.
Audit & Integrity
Immutable by architecture.
WORM Evidence Records
Evidence files, audit log entries, and CCO determination records are INSERT-only at the database policy level. No UPDATE, no DELETE — enforced by Postgres row-level security, not application code. An examiner can trust that what they see has not been altered.
SHA-256 Hash Verification
Blue Folder exports are SHA-256 hashed at generation time. The hash is recorded at export. If a file is tampered with after export, the hash will not match. Chain of custody is independently verifiable without trusting Redan.
Complete Audit Trail
Every state change — upload, approval, rejection, revision request, export — is recorded in an append-only audit log with user_id, firm_id, timestamp, and action detail. Examiners can reconstruct the full history of any record.
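As an added example (not Redan's own schema), the following shows how Postgres row-level security can implement the firm_id scoping described under Tenant Isolation and the INSERT-only evidence and audit records described above; the table, role and setting names (evidence_files, redan_app, app.current_firm_id) are assumptions for illustration.

```sql
-- Added example, not Redan's own schema: how Postgres row-level security can
-- scope every row to a firm_id and keep an evidence table INSERT-only, as the
-- page describes. The table, role and setting names (evidence_files, redan_app,
-- app.current_firm_id) are assumptions for illustration.
CREATE ROLE redan_app LOGIN;                      -- the application's database user

CREATE TABLE evidence_files (
    id          bigserial   PRIMARY KEY,
    firm_id     uuid        NOT NULL,
    uploaded_by uuid        NOT NULL,
    sha256      char(64)    NOT NULL,             -- hash recorded at write time
    created_at  timestamptz NOT NULL DEFAULT now()
);
ALTER TABLE evidence_files ENABLE ROW LEVEL SECURITY;
ALTER TABLE evidence_files FORCE ROW LEVEL SECURITY;   -- applies to the table owner too

-- Privileges match WORM: read and insert only. UPDATE and DELETE are never granted.
GRANT SELECT, INSERT ON evidence_files TO redan_app;

-- The application pins the tenant per transaction with
--   SET LOCAL app.current_firm_id = '<firm uuid>';
-- current_setting(name, true) yields NULL when unset, so an unpinned session sees
-- nothing and can insert nothing (fail closed) instead of seeing every firm.
CREATE POLICY evidence_select_own_firm ON evidence_files
    FOR SELECT TO redan_app
    USING (firm_id = current_setting('app.current_firm_id', true)::uuid);
CREATE POLICY evidence_insert_own_firm ON evidence_files
    FOR INSERT TO redan_app
    WITH CHECK (firm_id = current_setting('app.current_firm_id', true)::uuid);
-- Deliberately no FOR UPDATE or FOR DELETE policy: once RLS is enabled, a command
-- with no applicable policy is denied, a second layer beneath the missing GRANT.

-- Behaviour check as the application role. UUIDs are constructed values; a
-- session-level SET is used here for brevity where the app would use SET LOCAL.
SET ROLE redan_app;
SET app.current_firm_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO evidence_files (firm_id, uploaded_by, sha256)
    VALUES ('11111111-1111-1111-1111-111111111111',
            '22222222-2222-2222-2222-222222222222', repeat('a', 64));  -- accepted
INSERT INTO evidence_files (firm_id, uploaded_by, sha256)
    VALUES ('33333333-3333-3333-3333-333333333333',
            '22222222-2222-2222-2222-222222222222', repeat('b', 64));
-- ERROR:  new row violates row-level security policy for table "evidence_files"
UPDATE evidence_files SET sha256 = repeat('c', 64);
-- ERROR:  permission denied for table evidence_files
DELETE FROM evidence_files;
-- ERROR:  permission denied for table evidence_files
```

Because connection poolers reuse sessions, the tenant setting belongs in a SET LOCAL inside each transaction so one firm's id cannot leak into the next request on the same connection.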
Compliance Posture
Honest about where we are.
We're a new company. We haven't completed every certification yet. Here's exactly where things stand.
In Place
- ✓ End-to-end encryption (AES-256 at rest, TLS 1.2+ in transit)
- ✓ RLS-enforced multi-tenant data isolation at the database layer
- ✓ WORM-compliant immutable evidence storage (Postgres INSERT-only)
- ✓ TOTP multi-factor authentication
- ✓ Append-only audit trail (every mutation logged)
- ✓ Documented Information Security Policy (ISP-001)
- ✓ PII scrubbing in error monitoring (scrubbed before transmission)
- ✓ Product analytics with form inputs never captured
- ✓ SOC 2 Type II certified cloud infrastructure
In Progress
- ⧖ Redan SOC 2 Type II certification (company-level audit). Target: Q4 2026
- ⧖ Penetration test by independent third party. Status: Scheduled
- ⧖ Content Security Policy (CSP) headers. Target: Q2 2026
- ⧖ Formal vendor risk management program. Status: In development
Questions about our security posture or timeline? security@redancompliance.com
Your Data
Your firm owns all data you upload. Redan processes it on your behalf — we do not sell it and do not use it to train models without written consent. Export requests fulfilled within 30 days. Privacy questions: privacy@redancompliance.com
Responsible Disclosure
Found a vulnerability? Email security@redancompliance.com. We acknowledge within 72 hours, investigate every credible report, and communicate remediation timelines. Good-faith researchers will not face legal action.