Reactor

Security FAQ

FAQs · Updated July 21, 2025

This FAQ provides technical and security insights into Reactor's platform architecture, access controls, compliance posture, and data protection measures. It addresses commonly asked questions by client security, IT, and compliance teams.

Access Control

Q: Does Reactor support Single Sign-On (SSO)?

A: Yes. Reactor supports partial SSO using Google OAuth. Full SAML 2.0 and OIDC-based SSO (e.g., Okta) is on the roadmap; the timeframe is TBD.

Q: Is Multi-Factor Authentication (MFA) available?

A: Yes. MFA is enforced for all user accounts not using SSO.

Q: Does Reactor support Role-Based Access Control (RBAC)?

A: Yes. RBAC is fully implemented for user and workspace-level permission management within the UI.

See our help article Manage Users and Permissions for more information about role-based access controls.

Q: Is user activity logged?

A: Yes. User activity is logged and monitored across the platform.

Data Protection

Q: Is data encrypted at rest and in transit?

A: Yes. All data is encrypted using industry-standard algorithms at rest and in transit (TLS).

Q: How is data anonymization or masking handled?

A: Reactor provides capabilities for hashing, masking, and anonymizing data. Clients are responsible for specifying which fields to transform.

Q: Are there backup and recovery procedures?

A: Yes. Reactor follows regular data backup schedules and supports disaster recovery protocols.

Application Security

Q: What secure coding practices are in place?

A: Reactor follows secure coding standards with regular peer code reviews and static analysis.

Q: Are vulnerability scans and penetration tests performed?

A: Yes. Quarterly penetration tests are performed. Vulnerability scans and patch management are conducted regularly.

Q: How does Reactor prevent common exploits like SQL injection or XSS?

A: The platform includes safeguards against SQL injection, XSS, CSRF, and other OWASP vulnerabilities.

Q: Is API security enforced?

A: Yes. API access is secured using input validation, rate limiting, and secure token handling.

Incident Response

Q: Does Reactor have a documented incident response plan?

A: Yes. It includes real-time alerts, escalation paths, forensic investigation procedures, and post-incident reviews.

Q: What systems are used for incident monitoring?

A: Reactor uses Google Security Command Center (SIEM) for continuous security monitoring.

Q: Are logs retained for forensic investigation?

A: Yes. Access and admin logs are retained for at least one year.

Network Security

Q: Is network segmentation implemented?

A: Yes. Production and sandbox environments are isolated using separate GCP VPCs.

Q: Are DDoS protection and network monitoring in place?

A: Yes. Reactor uses GCP-native and third-party monitoring tools and DDoS protections.

Integration Security

Q: How are API tokens and secrets managed?

A: Tokens are securely stored. High-risk key material is reviewed and rotated periodically.

Q: Are third-party services evaluated for security?

A: Yes. Reactor follows a formal vendor management process with corresponding CUECs (Complementary User Entity Controls).

Q: Is third-party access revocable during an incident?

A: Yes. Access can be disabled and revoked immediately.

Compliance

Q: What certifications does Reactor have?

A: Reactor has completed a SOC 2 Type II audit and was issued an audit report for the 2024 audit period in Q1 2025. Reactor is in an annual audit cycle, and we expect our next audit report to be issued in Q1 2026.

Q: Is Reactor PCI DSS compliant?

A: Partially. Reactor does not process credit card details but handles peripheral transaction and shipping data.

Q: Are there data breach handling procedures?

A: Yes. Data breach handling and notification procedures align with legal and industry standards.

Privacy

Q: How does Reactor manage data privacy?

A: Clients control which data is processed. Reactor adheres to privacy principles outlined in its Privacy Policy and SaaS Agreement.

Q: Does Reactor support data subject requests (e.g., deletion)?

A: Yes. API endpoints are available to fulfill user data rights.

Q: Is data minimized and purpose-limited?

A: Yes. Clients define the scope of ingested and processed data.

Internal Development Sandbox Environment

Q: Is the sandbox environment isolated from production?

A: Yes. It uses separate infrastructure and access policies.

Q: Is anonymized or synthetic data used in sandbox testing?

A: Yes, where applicable, and clients are encouraged to avoid real data.

Q: Are logs and monitoring enabled in sandbox environments?

A: Yes. Activities are logged and monitored for anomalies.


For further details or to request documentation for your security team, please contact: support@reactordata.com