Security

Last updated: May 17, 2026

RepQ analyzes recorded customer conversations, which is sensitive data. This page describes the controls we have in place today and how to reach us with security questions or vulnerability reports. We’d rather be honest about what is and isn’t in place than overclaim.

1. Tenant isolation

Every record in our database is scoped to an organizationId and queried through enforced filters. Our application code does not have a code path that reads or writes rows without an organization scope, and we add tests that fail builds when boundary checks are missing.
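
Below is an added example, written for this page and not RepQ's own code, of the pattern the paragraph describes: a data-access layer whose only entry point requires an organization scope, so a read or write without one cannot be expressed, together with the kind of build-time check that fails when a query path lacks the tenant predicate. It assumes Node.js; the table rows, ids, column name and error class are constructed for illustration.

```javascript
// Added example, not RepQ's code: a data-access layer in which every read
// must go through a TenantScope, plus the kind of build-time check that
// fails when a query path lacks the organization predicate.
// The table rows, ids and SQL column name are constructed for illustration.

// Constructed sample data: call records from two tenants in one table.
const CALLS = [
  { id: 'call-1', organizationId: 'org-a', title: 'Renewal call' },
  { id: 'call-2', organizationId: 'org-a', title: 'Onboarding' },
  { id: 'call-3', organizationId: 'org-b', title: 'Discovery' },
];

class MissingTenantScopeError extends Error {}

// The only handle for touching tenant data. Constructing it without an
// organizationId throws, so an unscoped read or write is not expressible.
class TenantScope {
  constructor(organizationId) {
    if (typeof organizationId !== 'string' || organizationId.length === 0) {
      throw new MissingTenantScopeError('organizationId is required');
    }
    this.organizationId = organizationId;
  }

  // The caller's predicate is ANDed with the tenant predicate. A caller
  // cannot widen the result set to another tenant, whatever it passes.
  find(rows, predicate = () => true) {
    return rows.filter(
      (r) => r.organizationId === this.organizationId && predicate(r),
    );
  }

  // A row owned by another tenant is reported as absent, not as forbidden,
  // so the lookup does not reveal that the id exists elsewhere.
  findById(rows, id) {
    return this.find(rows, (r) => r.id === id)[0] ?? null;
  }

  // SQL form of the same rule: the tenant predicate is always the first
  // WHERE clause and the first bound parameter. `table` is a code constant,
  // never user input; caller predicates are parameterised, never interpolated.
  toSql(table, extraWhere = [], extraParams = []) {
    const where = ['organization_id = $1', ...extraWhere];
    return {
      text: `SELECT * FROM ${table} WHERE ${where.join(' AND ')}`,
      params: [this.organizationId, ...extraParams],
    };
  }
}

// Build-time check: every query the data layer can emit must carry the
// tenant predicate with a bound organization id. A test suite would run
// this over each query builder and fail the build on a throw.
function assertScoped(query) {
  const hasPredicate = /\bWHERE organization_id = \$1\b/.test(query.text);
  const hasParam = typeof query.params[0] === 'string' && query.params[0] !== '';
  if (!hasPredicate || !hasParam) {
    throw new MissingTenantScopeError(`unscoped query: ${query.text}`);
  }
  return true;
}
```

The design choice worth noting is that the tenant filter is not something a caller adds; it is something a caller cannot remove. Returning `null` for another tenant's id, rather than a distinct "forbidden" error, also keeps the lookup from acting as an existence oracle across tenants.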

2. Encryption

  • In transit: TLS 1.2+ everywhere. HSTS is enabled with a one-year max-age and includeSubDomains.
  • At rest: RDS PostgreSQL and S3 are encrypted with AWS-managed KMS keys.
  • Transcripts: Encrypted at the application layer with AES-256-GCM before being persisted, using a key held in AWS Secrets Manager and rotated separately from the database credentials.
  • Sync configurations: Per-organization sync secrets (e.g., audio-source authentication headers) are encrypted with AES-256-GCM using a separate key.

3. Authentication

Customer authentication is handled by Auth0. We do not store customer passwords on our infrastructure. SSO (OIDC / SAML) is available on request.

4. Network architecture

The application runs on AWS ECS Fargate in eu-north-1. Workers (pipeline and CRM sync) run in private subnets and reach the internet via a single NAT gateway with a fixed outbound IP, which customers can allowlist for inbound webhook calls.

5. Audit logging

Sensitive operations (sign-in, data access, admin actions, GDPR deletions, call purges) are written to a structured audit log. Logs are stored in AWS CloudWatch with restricted access.

6. Resilience

External AI services (Speechmatics, OpenAI, Anthropic) are called through circuit breakers with stage timeouts and stale-job recovery. The pipeline emits worker-stalled alarms; end-to-end mean time to detect (MTTD) is about 25–30 minutes in the worst case.
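
The following is an added example, not RepQ's code, of the two mechanisms this section names: a circuit breaker that bounds each pipeline stage's call to an external provider with a stage timeout and stops calling a provider that keeps failing, and a stale-job sweep that returns work whose lease expired to the queue. It assumes Node.js; the thresholds, cooldown, job records, lease length and the injected clock are constructed so the behaviour is deterministic.

```javascript
// Added example, not RepQ's code: a circuit breaker that wraps one pipeline
// stage's call to an external service with a per-stage timeout, and a
// stale-job sweep that returns work whose lease expired to the queue.
// Thresholds, job records and the injected clock are constructed so the
// behaviour is deterministic.

class CircuitBreaker {
  constructor({ failureThreshold, cooldownMs, stageTimeoutMs, now = () => Date.now() }) {
    this.failureThreshold = failureThreshold;
    this.cooldownMs = cooldownMs;
    this.stageTimeoutMs = stageTimeoutMs;
    this.now = now;
    this.failures = 0;
    this.openedAt = null; // null while closed
  }

  // closed: calls flow. open: calls are rejected immediately, so a failing
  // provider is not hammered. half-open: after the cooldown one probe call
  // is allowed; success closes the circuit, failure re-opens it.
  state() {
    if (this.openedAt === null) return 'closed';
    return this.now() - this.openedAt >= this.cooldownMs ? 'half-open' : 'open';
  }

  recordSuccess() {
    this.failures = 0;
    this.openedAt = null;
  }

  recordFailure() {
    this.failures += 1;
    if (this.failures >= this.failureThreshold) this.openedAt = this.now();
  }

  // Runs fn() for the named stage, bounded by the stage timeout. A timeout
  // counts as a failure like any other error.
  async call(stage, fn) {
    if (this.state() === 'open') throw new Error(`circuit open, skipping ${stage}`);
    let timer;
    const timeout = new Promise((_, reject) => {
      timer = setTimeout(
        () => reject(new Error(`${stage} timed out after ${this.stageTimeoutMs}ms`)),
        this.stageTimeoutMs,
      );
    });
    try {
      const result = await Promise.race([fn(), timeout]);
      this.recordSuccess();
      return result;
    } catch (err) {
      this.recordFailure();
      throw err;
    } finally {
      clearTimeout(timer);
    }
  }
}

// Stale-job recovery: a worker leases a job while it runs a stage. If the
// worker dies, the lease expires and the sweep re-queues the job instead of
// leaving it 'running' forever; the attempt count lets a later policy stop
// retrying a poison job and raise an alarm instead.
function recoverStaleJobs(jobs, nowMs, leaseMs) {
  const recovered = [];
  for (const job of jobs) {
    if (job.status === 'running' && nowMs - job.leasedAt > leaseMs) {
      job.status = 'queued';
      job.leasedAt = null;
      job.attempts += 1;
      recovered.push(job.id);
    }
  }
  return recovered;
}
```

A worker would hold one breaker per provider and wrap each stage as `await breaker.call('transcribe', () => speechToText(audio))`; the sweep runs on a schedule, and the lease length sets the floor on how long a dead worker's job can sit unnoticed, which is the quantity a worker-stalled alarm is built on.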

7. Vulnerability handling

We welcome reports from security researchers. Email security@repq.ai. Please include reproduction steps and your contact info. We will acknowledge within two business days and aim to triage within five.

Please do not probe production with disruptive techniques (DoS, mass scanning, exfiltration of other tenants’ data). We will not pursue legal action against good-faith research that follows this scope.

8. Subprocessors

The current production subprocessors are:

  • AWS (eu-north-1) — compute, storage, networking, secrets management.
  • Auth0 (Okta) — identity and authentication.
  • Anthropic — LLM analysis of transcripts.
  • OpenAI — embeddings (text-embedding-3-small).
  • Speechmatics — speech-to-text.
  • Resend — transactional and demo-request email.
  • Sentry — error monitoring.

9. What we do not (yet) claim

We are not currently SOC 2 or ISO 27001 certified. We follow the practices listed above and are happy to work through a security questionnaire on request. We will update this page when formal certifications land.

10. Contact

Security questions or vulnerability reports: security@repq.ai.