Trust & security

Built to measure waste — not to become it.

Last updated: July 2, 2026

Your data is never used to train, never cross-tenant

Your prompts, outputs, and ingested traces are used only to run the service for your workspace. We do not train models on your data and we do not sell it. Every database read is scoped to your organization ID; the only cross-tenant surface is the opt-in, k-anonymized industry benchmark, which publishes aggregate percentiles only once enough distinct organizations contribute that no single one can be re-identified.

Metadata-only by default

Trace ingestion stores metadata only — model, token counts, cost, and latency — which is all the savings engine needs. Raw prompt/response text is stored only when you explicitly opt in per event, is redacted after a short window (30 days by default), and whole trace records age out on a configurable retention schedule.

Bring your own keys, with guardrails

Evaluations run on your own provider keys, encrypted at rest with AES-256-GCM using version-prefixed ciphertexts (v1) so encryption keys can be rotated without downtime. ReasonRank can never overspend them: every run has a pre-flight cost estimate, per-run caps, a monthly budget, an output-token ceiling, live spend tracking, and a kill switch. The optional gateway is self-hosted and single-tenant only — we never proxy your provider traffic through shared infrastructure.

Recommendations you can trust

We never repoint a production model on a hunch. A recommendation is only surfaced when a statistical non-inferiority test on real score samples shows the cheaper model is not meaningfully worse — with the confidence interval and sample size shown. After you apply one, a verification loop measures realized cost and quality from live traffic and auto-flags regressions with one-click rollback.

Tenant isolation & access

ReasonRank is multi-tenant by construction: organization-scoped access on every query, role-based permissions, audit logging of sensitive actions (viewable and exportable from Settings → Activity log), and encrypted secrets. Web sessions idle out after 24 hours with a 7-day absolute lifetime; API tokens are scoped, expire after a year by default, and rotate in one click. Access to production systems is restricted and audited.

Availability & recovery

Data is stored in Postgres with point-in-time recovery. Webhooks are idempotent, runs are reclaimed via heartbeats if a worker dies, and background jobs (verification, drift detection, retention) run on a scheduled, monitored cron. Current status: /status.

Compliance roadmap

We follow SOC 2 aligned practices today (audit logging, RBAC, encryption at rest, least-privilege access, incident response) and are on a path to formal SOC 2 Type II. Download the security packet above for our CAIQ-lite answers, DPA template, and subprocessor register — or contact sales for a custom questionnaire review.

Your rights

Export or delete your data at any time from the app; a workspace owner can permanently delete the whole workspace. For data-subject requests, email privacy@reasonrank.ai and we will confirm completion in writing. See our Privacy Policy for details.

Subprocessors

Third parties that may process customer data on our behalf.

Full register
| Subprocessor | Purpose | Data categories | Location |
| --- | --- | --- | --- |
| Vercel Inc. | Application hosting, edge network, and serverless compute for the web app and API. | Account metadata; HTTP request metadata; Application logs | United States |
| Neon Inc. | Managed PostgreSQL database (primary data store) with point-in-time recovery. | Workspace data; Evaluation results; Trace metadata; Encrypted provider credentials; Audit logs | United States |
| Stripe, Inc. | Subscription billing and payment processing. | Billing contact; Subscription status; Payment method tokens (Stripe-held) | United States |
| Resend, Inc. | Transactional email (invitations, alerts, verification). | Email address; Message content (transactional only) | United States |
| Functional Software, Inc. (Sentry) | Error monitoring and performance tracing for production reliability. | Error payloads; Request metadata; Stack traces (PII scrubbed) | United States |
| Upstash, Inc. | Managed Redis for background job queues (optional; used when REDIS_URL is configured). | Job metadata; Queue payloads (org-scoped job IDs) | United States |