Security is a core concern at Reef Insights LLC. This page describes the technical and operational security practices we apply to the Reef Intelligence platform. We are committed to protecting your account, data, and usage information.
Authentication and Credentials
- Password hashing: Passwords are never stored in plaintext. All passwords are hashed using bcrypt with a high cost factor before being written to the database.
- Session tokens: Authenticated sessions use cryptographically random tokens. Session tokens expire after 7 days of inactivity and are invalidated immediately on logout.
- Session cookies: Session cookies are set with the HttpOnly and SameSite=Lax flags. HttpOnly prevents client-side JavaScript from reading the cookie; SameSite=Lax keeps the browser from attaching it to cross-site subrequests and cross-site POST requests, which mitigates cross-site request forgery. Lax does not cover top-level cross-site GET navigations, so it is not a substitute for keeping state-changing actions off GET.
- Admin MFA: Administrator accounts require time-based one-time password (TOTP) multi-factor authentication for elevated actions, with backup codes for recovery.
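The session properties above (random tokens, a 7-day inactivity window, immediate invalidation on logout, HttpOnly and SameSite=Lax cookies) in one small server-side store. This is an added example, not Reef Intelligence code; the cookie name `session`, the `Secure` flag (which the page does not list) and the sliding-window semantics of "7 days of inactivity" are assumptions made for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Added example (not Reef Intelligence code): a minimal server-side session
# store with random tokens, a 7-day sliding inactivity window and immediate
# invalidation on logout. Cookie name and the Secure flag are assumptions.

INACTIVITY_LIMIT = 7 * 24 * 3600  # 7 days, in seconds


class SessionStore:
    def __init__(self):
        # token -> (user_id, last_seen_unix_time)
        self._sessions = {}

    def create(self, user_id, now=None):
        """Issue a new session token for user_id.

        secrets.token_urlsafe(32) draws 256 bits from the OS CSPRNG, so a
        token cannot be guessed or predicted from tokens issued earlier.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user_id, now)
        return token

    def resolve(self, token, now=None):
        """Return the user_id for a live token, or None.

        Each successful lookup refreshes last_seen, so the 7-day limit is
        measured from the most recent request rather than from login.
        """
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, last_seen = entry
        if now - last_seen > INACTIVITY_LIMIT:
            # Expired: drop it so an old token can never come back to life.
            del self._sessions[token]
            return None
        self._sessions[token] = (user_id, now)
        return user_id

    def logout(self, token):
        """Invalidate immediately; the browser's copy becomes useless."""
        self._sessions.pop(token, None)


def session_cookie_header(token, max_age=INACTIVITY_LIMIT):
    """Build the Set-Cookie value for the session token.

    HttpOnly keeps document.cookie from reading it; SameSite=Lax keeps the
    browser from attaching it to cross-site subrequests and cross-site POSTs.
    Secure (assumed here) stops it from ever being sent over plain HTTP.
    """
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    cookie["session"]["max-age"] = max_age
    return cookie.output(header="").strip()


if __name__ == "__main__":
    store = SessionStore()
    t0 = 1_700_000_000
    tok = store.create("user-42", now=t0)
    print(session_cookie_header(tok))
    assert store.resolve(tok, now=t0 + 6 * 86400) == "user-42"   # active on day 6
    assert store.resolve(tok, now=t0 + 12 * 86400) == "user-42"  # window slid
    assert store.resolve(tok, now=t0 + 20 * 86400) is None       # idle > 7 days
    store.logout(tok)
```

The expiry check happens on the server at lookup time; the cookie's Max-Age only tells the browser when to discard its copy, and a client that ignores it still cannot use a token the store has dropped.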
API Key Security
- Hashed storage: API keys are hashed using SHA-256 with a server-side pepper before storage. The raw key is displayed only once at creation and is never stored in recoverable form.
- Rate limiting: API keys are subject to per-key and per-user rate limits (default: 120 requests/minute per key, 300 requests/minute per user) to prevent abuse.
- Request logging: All API requests are logged with endpoint, timestamp, and IP address for security monitoring and anomaly detection. Logs are retained for 90 days.
- IP controls: Administrators can configure IP allowlists and denylists at the key level. Suspicious IP patterns trigger automated anomaly detection.
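The API key controls listed above, combined into one request check: peppered SHA-256 storage with the raw key returned exactly once, constant-time verification, per-key IP allow/deny lists, and the 120 requests/minute per key and 300 requests/minute per user limits. This is an added example and not Reef Intelligence code; the key format `rk_<prefix>_<secret>`, the pepper value, the record layout and the sliding-window limiter design are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import secrets
from collections import deque

# Added example (not Reef Intelligence code) of the controls listed above:
# peppered SHA-256 storage of API keys, show-once issuance, constant-time
# verification, per-key IP allow/deny lists, and the 120/min per-key and
# 300/min per-user limits. The key format "rk_<prefix>_<secret>", the pepper
# value and the record layout are assumptions made for this example.

PEPPER = b"loaded-from-a-secret-store-never-the-database"  # assumption
PER_KEY_LIMIT = 120   # requests per minute per key
PER_USER_LIMIT = 300  # requests per minute per user


def hash_key(raw_key):
    """Peppered SHA-256, implemented as HMAC-SHA-256(pepper, key).

    A dump of the key table is useless without the pepper, which lives only
    on the server. Keys are 256-bit random values, so a slow password hash
    is unnecessary here; bcrypt is for low-entropy human passwords.
    """
    return hmac.new(PEPPER, raw_key.encode(), hashlib.sha256).hexdigest()


class ApiKeyStore:
    def __init__(self):
        self._by_prefix = {}  # prefix -> record holding only the digest

    def issue(self, user_id, allow=(), deny=()):
        """Create a key. The raw key is returned once and never stored."""
        prefix = secrets.token_hex(4)
        raw = f"rk_{prefix}_{secrets.token_urlsafe(32)}"
        self._by_prefix[prefix] = {
            "prefix": prefix,
            "user_id": user_id,
            "digest": hash_key(raw),
            "allow": [ipaddress.ip_network(n) for n in allow],
            "deny": [ipaddress.ip_network(n) for n in deny],
        }
        return raw

    def lookup(self, raw):
        """Return the key record if raw verifies, else None."""
        parts = raw.split("_", 2)  # the secret part may itself contain '_'
        if len(parts) != 3 or parts[0] != "rk":
            return None
        rec = self._by_prefix.get(parts[1])
        if rec is None:
            return None
        # compare_digest runs in constant time: no byte-by-byte timing leak.
        if not hmac.compare_digest(rec["digest"], hash_key(raw)):
            return None
        return rec


def ip_permitted(rec, client_ip):
    """Deny list wins; an empty allow list means any source is accepted."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in rec["deny"]):
        return False
    return not rec["allow"] or any(ip in net for net in rec["allow"])


class SlidingWindowLimiter:
    """Per-bucket count of requests in the trailing window (60 s)."""

    def __init__(self, window=60):
        self.window = window
        self._hits = {}  # bucket -> deque of request timestamps

    def allow(self, now, *buckets):
        """buckets: (name, limit) pairs. Admit only if every bucket has room,
        then record the hit in all of them, so a rejected request consumes
        no budget from either the key or the user."""
        queues = []
        for bucket, limit in buckets:
            q = self._hits.setdefault(bucket, deque())
            while q and now - q[0] >= self.window:
                q.popleft()
            if len(q) >= limit:
                return False
            queues.append(q)
        for q in queues:
            q.append(now)
        return True


def authorize(store, limiter, raw_key, client_ip, now):
    """Full check for one API request. Returns (admitted, reason)."""
    rec = store.lookup(raw_key)
    if rec is None:
        return False, "invalid_key"
    if not ip_permitted(rec, client_ip):
        return False, "ip_blocked"
    # Several keys belonging to one user share that user's 300/min budget.
    if not limiter.allow(now, (("key", rec["prefix"]), PER_KEY_LIMIT),
                         (("user", rec["user_id"]), PER_USER_LIMIT)):
        return False, "rate_limited"
    return True, "ok"
```

The prefix is the only part of the key that is kept in a readable form; it exists so the record can be found without scanning the table, and a wrong secret with a valid prefix still fails the constant-time digest comparison. Checks are ordered so that an invalid key or a blocked IP never touches the rate-limit counters.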
Data in Transit
- HTTPS/TLS: All traffic between your browser or API client and the Reef Intelligence platform is encrypted in transit using HTTPS with modern TLS protocols.
- No mixed content: The platform does not serve sensitive resources over unencrypted HTTP.
Data at Rest
- Passwords: Stored as bcrypt hashes only — never recoverable from the database.
- API keys: Stored as peppered SHA-256 hashes only — never recoverable from the database after initial display.
- Payment data: We do not store credit card numbers, CVV codes, or full payment details. All payment data is handled directly by Stripe and subject to their PCI DSS compliance.
- Session tokens: Stored as issued in the database so that each request can be matched against them, and deleted on logout or after the inactivity period expires. They are short-lived bearer credentials rather than long-lived secrets; no long-lived plaintext secrets (passwords, API keys, payment data) are retained.
Access Controls
- Account isolation: Users can only access their own data, chat history, saved content, and API keys. Team members can access shared organization resources within their organization's scope only.
- Admin separation: Admin capabilities are gated behind a separate is_admin flag and require TOTP re-verification for sensitive operations. Admin actions are audit-logged.
- Principle of least privilege: Internal service components are scoped to the minimum permissions required to operate.
Third-Party Service Security
The platform integrates with the following third-party services, each of which maintains its own security program:
- Stripe — PCI DSS Level 1 certified payment processor. No card data passes through our servers.
- AWS Simple Email Service (SES) — Transactional email delivery. Email content is limited to account confirmations and billing notifications.
- OpenRouter — Routes Research Agent queries to AI model providers. Research queries do not include account credentials or payment information.
Monitoring and Incident Response
- API usage is monitored in real time for anomalous patterns, including unusual request volumes, geographic anomalies, and credential stuffing indicators.
- Suspicious IPs can be blocked at the platform level by administrators.
- In the event of a confirmed security incident affecting personal data, we will notify affected users as required by applicable law and as promptly as circumstances allow.
Responsible Disclosure
If you discover a security vulnerability in the Reef Intelligence platform, we ask that you report it to us responsibly before public disclosure. Please email legal@reefinsights.com with:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any supporting artifacts (screenshots, proof-of-concept code)
We will acknowledge your report within 2 business days and work with you to understand and resolve the issue. We ask that you give us reasonable time to address the vulnerability before public disclosure. We do not currently operate a formal bug bounty program, but we genuinely appreciate responsible researchers who help keep the platform secure.
Please do not access, modify, or exfiltrate user data beyond what is necessary to demonstrate the vulnerability. Testing that disrupts service availability or other users' access is not permitted.
Security Questions
For general security questions or concerns, contact us at legal@reefinsights.com.