Your data,
handled responsibly
How ReflexDB handles your data — what we replicate, what we never store, and how your credentials are protected.
You control what's replicated
ReflexDB only reads the tables and columns you explicitly declare in
your reflexdb.yaml schema config. Data you don't include
never leaves your database — not even transiently during sync.
We never read your data
ReflexDB staff have no ability to query your data. All instance queries require your API keys. There is no admin backdoor, no logging of query results, and no analytics pipeline on your rows.
Encrypted secrets store
Database passwords and SSH private keys are encrypted at rest and never written to logs. Credentials are retrieved at build time only, scoped to the build process, and not persisted anywhere in plaintext.
GDPR-compliant by default
Ireland is the default deployment region. Your data never leaves the EU unless you explicitly provision an instance in another region. Data Processing Agreements (DPA) are available on all paid plans.
TLS everywhere
All traffic between your application and ReflexDB instances is encrypted in transit. TLS certificates are automatically issued and renewed — no configuration required.
API keys and MFA
Every query endpoint requires a bearer API key. TOTP-based MFA is
supported on all accounts. Management API keys
(rmk_ prefix) are scoped to your account and hashed
before storage — the plaintext is shown once at creation and never
stored.
Verified build identity
The ReflexDB build pipeline authenticates via signed cryptographic identity before pushing optimised instance images. Only the ReflexDB builder can produce or update a running instance on your behalf.
Security disclosures
Found a vulnerability? Report it to security@reflexdb.cloud. We respond to all disclosures within 48 hours and will work with you on responsible disclosure timing.