Built for examination.
A forensic evidence system that can't defend its own data integrity is worthless. Every architectural decision in Redan starts with this question.
Data
Encrypted. Isolated. US-resident.
Encryption
Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Encryption is applied at the infrastructure layer — not bolted on at the application level.
US Data Residency
All customer data is stored in US-based data centers (East Coast region). Data does not leave US infrastructure by default.
Tenant Isolation
Every data row is scoped to a firm-level identifier. Row-level security policies enforce tenant isolation at the database layer — not the application layer. No firm can access another firm's data even if application code fails.
Infrastructure
Production-grade infrastructure.
Database & Authentication
Redan is SOC 2 Type I certified at the company level. Type II audit is in progress (Q4 2026 target). Underlying infrastructure providers are independently SOC 2 Type II certified.
Edge Delivery
Application delivered via a globally distributed edge network with automatic HTTPS enforcement and DDoS mitigation. Our edge infrastructure provider maintains a 99.99% uptime SLA.
Point-in-Time Recovery
Database backups support point-in-time recovery (PITR). In the event of data loss, the platform can restore to any point within the retention window.
Access & Authentication
Least privilege, by design.
Role-Based Access Control
Role boundaries enforced server-side on every API request — not just in the UI. Firm Admin, CCO, Marketing, Employee, and Viewer roles each have distinct, non-overlapping permission sets.
Authentication & MFA
Email + password authentication with TOTP authenticator-app MFA required for all users. Every session must satisfy AAL2 — a session without a completed MFA challenge cannot access the platform. Recovery codes provided at enrollment.
Session Security
Trusted devices are explicitly registered, carry an expiry, and can be revoked centrally by a firm admin. Removing a user from the firm immediately invalidates their access — no waiting for a session to expire.
Audit & Integrity
Immutable by architecture.
WORM Evidence Records
Evidence files, audit log entries, and CCO determination records are INSERT-only at the database policy level. No UPDATE, no DELETE — enforced by Postgres row-level security, not application code. An examiner can trust that what they see has not been altered.
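As an added illustration of the tenant-isolation and INSERT-only guarantees described under Tenant Isolation and WORM Evidence Records (example SQL written for this page, not Redan's own schema; the table, role and `app.firm_id` setting names are assumptions):

```sql
-- Role the API connects as. It must not be a superuser and must not have
-- BYPASSRLS, otherwise none of the policies below apply to it.
CREATE ROLE app_user NOLOGIN;

-- Assumed evidence table: every row carries the firm it belongs to.
CREATE TABLE evidence (
    id       bigserial   PRIMARY KEY,
    firm_id  uuid        NOT NULL,
    user_id  uuid        NOT NULL,
    sha256   char(64)    NOT NULL,
    created  timestamptz NOT NULL DEFAULT now()
);

ALTER TABLE evidence ENABLE ROW LEVEL SECURITY;
-- Apply the policies to the table owner as well, not only to app_user.
ALTER TABLE evidence FORCE ROW LEVEL SECURITY;

-- Tenant isolation: a request can only read rows of the firm recorded in its
-- session context. The API sets it per request, inside the transaction:
--   BEGIN; SET LOCAL app.firm_id = '<firm uuid>'; ... ; COMMIT;
-- current_setting(..., true) returns NULL when unset, so a request that
-- forgot to set the firm sees zero rows rather than every firm's rows.
CREATE POLICY evidence_tenant_select ON evidence
    FOR SELECT TO app_user
    USING (firm_id = current_setting('app.firm_id', true)::uuid);

-- WORM: rows may be inserted, but only into the caller's own firm.
CREATE POLICY evidence_tenant_insert ON evidence
    FOR INSERT TO app_user
    WITH CHECK (firm_id = current_setting('app.firm_id', true)::uuid);

-- No FOR UPDATE and no FOR DELETE policy exists. With RLS enabled the default
-- is deny, so any UPDATE or DELETE issued by app_user matches zero rows,
-- whatever the application code asked for.

-- Privileges are kept to the same two verbs. TRUNCATE is not governed by
-- RLS at all, so it is simply never granted.
GRANT SELECT, INSERT ON evidence TO app_user;
```

Superusers and roles with BYPASSRLS are not constrained by these policies, so an audit of this design should confirm that the API's database role is neither.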
SHA-256 Hash Verification
Blue Folder exports are SHA-256 hashed at generation time, and the hash is recorded with the export. If a file is altered after export, its recomputed hash will not match the recorded value. Chain of custody is therefore independently verifiable without trusting Redan.
Complete Audit Trail
Every state change — upload, approval, rejection, revision request, export — is recorded in an append-only audit log with user_id, firm_id, timestamp, and action detail. Examiners can reconstruct the full history of any record.
Your Data
Your firm owns all data you upload. Redan processes it on your behalf — we do not sell it and do not use it to train models without written consent. Export requests fulfilled within 30 days. Privacy questions: privacy@redancompliance.com
Responsible Disclosure
Found a vulnerability? Email security@redancompliance.com. We acknowledge within 72 hours, investigate every credible report, and communicate remediation timelines. Good-faith researchers will not face legal action.