Security & SOC 2
Rebound sits in the critical decision path for finance, energy, defense, and engineering teams. Security is not a feature here; it is the product. We maintain SOC 2 Type II and align controls with ISO 27001, NIST 800-53, and CMMC L3 (via deployment partners).
Compliance attestations
SOC 2 Type II report is available under NDA via trust@Rebound.ai. ISO 27001:2022 certification is in progress (target Q3 2026). CMMC L3 deployment is supported via accredited partners for Fortress customers.
Encryption
Data in transit: TLS 1.3 with HSTS, modern cipher suites only, certificate transparency monitoring.
Data at rest: AES-256-GCM with envelope encryption. Customer-managed keys (CMK) supported on Command and Fortress tiers via AWS KMS, Azure Key Vault, or HSM integration.
Key management & signing
The audit ledger is signed with FIPS 140-3 validated cryptographic modules. Signing keys are isolated in customer-scoped key contexts. Key rotation is automated; rotation events are themselves recorded in the ledger.
Access control
SSO/SAML and OIDC for human access. SCIM provisioning. Workspace-scoped RBAC (OWNER, ADMIN, ANALYST, READ_ONLY). Production access by Rebound staff is just-in-time, peer-approved, audited, and limited to break-glass scenarios.
Vulnerability management
Continuous SAST/DAST, dependency scanning, and container image scanning in CI. Critical CVEs patched within 7 days; high within 30. External penetration testing twice yearly by an independent firm; latest summary available under NDA.
Incident response
24/7 on-call. Customer notification within 72 hours of a confirmed material incident, per GDPR and SOC 2. Public post-mortems for production incidents affecting customer workloads.
Tenant isolation
Multi-tenant Pulse and Command environments use logical isolation enforced at the application, database, and KMS layers. Fortress customers receive single-tenant deployments — typically into the customer's own VPC, GovCloud, or on-prem enclave.
Responsible disclosure
We welcome coordinated disclosure. Submit findings to security@Rebound.ai (PGP key on the trust portal). We acknowledge within 24 hours and aim to remediate within SLA. Bug bounty program in beta.