Security at RedactifyAI
Last updated: May 10, 2026 | RockQube Technologies LLC
RedactifyAI processes sensitive legal documents on behalf of law firms and legal professionals. This page covers how external researchers can report vulnerabilities and how we secure customer data.
Responsible Disclosure Policy
How to report
Email admin@redactifyai.com with the subject line "Security Vulnerability Report". Please include:
- A description of the vulnerability and the potential impact
- Steps to reproduce or proof-of-concept material
- Affected URL or component
- Your contact information (optional; anonymous reports are accepted)
Our commitments
- We will acknowledge your report within 1 business day.
- We will keep you informed throughout the investigation.
- We will not take legal action against researchers who act in good faith and follow this policy.
- We will not share your personal information without your consent.
Legal safe harbor
Security research conducted in accordance with this policy is authorized. We will not initiate legal action under the CFAA, DMCA, or similar laws against researchers who:
- Act in good faith to discover and report vulnerabilities
- Avoid privacy violations, service disruption, or data destruction
- Do not access or exfiltrate data beyond what is necessary to demonstrate the vulnerability
- Allow us 90 days from initial report to resolve the issue before any public disclosure
Scope
In scope: redactifyai.com and app.redactifyai.com. Out of scope: third-party services (AWS, Stripe, Clio), social engineering, and physical security.
Remediation timelines
| Severity | CVSS Score | Target Resolution |
|---|---|---|
| Critical / Actively Exploited | 9.0+ | 24 to 48 hours |
| High | 7.0 to 8.9 | 7 days |
| Medium | 4.0 to 6.9 | 30 days |
| Low | 0.1 to 3.9 | 90 days |
Security Overview
Infrastructure
- All services run on AWS (us-east-1): Cognito, DynamoDB, S3, Lambda, ECS Fargate, CloudFront, and KMS.
- TLS 1.2 minimum enforced at every layer. CloudFront redirects all HTTP to HTTPS. HSTS is set for one year with `includeSubDomains; preload`.
- Data at rest encrypted with AWS KMS customer-managed keys. Automatic key rotation is enabled.
- Secrets stored in AWS SSM Parameter Store (SecureString). No credentials are committed to source control.
- AWS CloudTrail enabled as a multi-region trail with log file integrity validation covering all management events.
Authentication and access control
- Authentication is handled by AWS Cognito. Passwords are never stored by RedactifyAI. A minimum 12-character password with uppercase, lowercase, number, and symbol is required.
- Every API endpoint requires a Cognito-issued JWT, verified against Cognito's JWKS endpoint (RS256) on each request.
- Four roles (owner, admin, editor, viewer) are enforced server-side. Every database record and file is scoped to a workspace; cross-tenant access is not possible at the data layer.
- Session cookies are set with `HttpOnly`, `Secure`, and `SameSite=None`.
Vulnerability management
- GitHub Dependabot scans npm and pip dependencies across all services weekly.
- ECR image scanning (`scan_on_push`) runs on every container image push to detect known CVEs.
- Patches are deployed through GitHub Actions and Terraform with staging validation before production.
Data handling
- Customer documents are processed within our AWS perimeter. No document content is sent to any external AI provider in production.
- S3 buckets have public access fully blocked, per-workspace key prefixes, and versioning enabled.
- DynamoDB tables have point-in-time recovery (35-day window) and deletion protection enabled in production.
- On account termination or customer-initiated deletion, all documents and detection results are purged from S3 and DynamoDB.
- All data is stored and processed in the United States (AWS us-east-1).
Contact
To report a security vulnerability or ask a security or compliance question, email admin@redactifyai.com with the subject line "Security Vulnerability Report".