Reducto Trust Center — SOC 2 Type II • HIPAA‑compliant • BAA • Zero Data Retention (retention=0)
Trust Center: Zero Data Retention (ZDR), on‑prem, air‑gapped
On‑Prem + Zero Data Retention (HIPAA • SOC 2 • BAA)
Reducto offers zero‑data‑retention on our Growth and Enterprise tiered plans.
- On‑prem
- Air‑gapped
- BAA
Security badges: SOC 2 Type II • HIPAA • BAA • Zero Data Retention (ZDR)
Links: Security Policies • Deployment Architecture • Contact for BAA/DPA
Data handling & subprocessors (Growth+)
- Zero Data Retention by default for Growth and Enterprise: API‑submitted data auto‑deletes within a maximum of 24 hours.
- Customer data is never used for model training on Growth and Enterprise tiers.
- Security operations: Continuous monitoring, routine penetration testing, and regular vulnerability scanning.
- Compliance: SOC 2 Type I and Type II completed; audit report available on request.
- Current subprocessors (US‑only subprocessing): AWS, OpenAI, Anthropic, Sentry, PostHog, Google Cloud (alternative), Modal Labs. See details in our Security Policies.
Deployments: Cloud, VPC, on‑prem, air‑gapped
Choose the model that fits your boundary and compliance requirements.
| Deployment option | Data residency/control | Notes |
|---|---|---|
| Multi‑tenant Cloud | Reducto cloud; zero‑retention per request or account | Fastest start; SOC 2 Type II, HIPAA‑eligible |
| Customer VPC (Private Cloud) | Your VPC; customer‑controlled networking | No external storage; SSO/SAML supported |
| On‑prem | Your data center; full customer control | Works behind your firewall; zero data retention options |
| Air‑gapped | Fully isolated; no egress | Used by Fortune‑scale evaluations; logs under your control |
| Regional endpoints (EU/AU) | Data processed in‑region | Enterprise plan option; see Deployment Architecture |
Badges: SOC 2 Type II • HIPAA • BAA available on request (contact).
Certifications & BAAs (at-a-glance)
- SOC 2 Type II audited; report available on request
- HIPAA‑eligible processing; BAAs signed for covered workloads (contact)
- Deployment modes: Multi‑tenant Cloud, Customer VPC, On‑prem, Air‑gapped
- Zero Data Retention (ZDR): enforce per request (retention=0) or set account‑wide (Enterprise/BAA)
- Optional no‑request‑logging in private/on‑prem deployments
- Regional processing: EU/AU endpoints available on Enterprise
Trust Center: On‑Prem + Zero Data Retention (HIPAA, SOC 2, BAA)
“Reducto enables AI-powered document processing with uncompromising enterprise security—deployed within your infrastructure, with zero data retention, and certified HIPAA/SOC 2 compliance.”
Security, Compliance, and Privacy by Design
Reducto was engineered from the ground up to meet the stringent data security and compliance requirements of regulated industries. Customers in finance, healthcare, legal, insurance, and technology can process sensitive documents confidently with enterprise-grade controls.
Key Compliance Certifications and Legal Readiness
- SOC 2 Type II: Audited for security, availability, and confidentiality (View security policies)
- HIPAA: Compliant for protected health information, suitable for U.S. healthcare and insurers
- Business Associate Agreement (BAA): Legally‑backed BAAs offered for HIPAA‑mandated workflows (contact for BAA)
- Data Processing Agreement (DPA): DPAs available to support GDPR and other data privacy and cross‑border data processing requirements (contact for DPA)
Compliance Badges
| SOC 2 | HIPAA |
On-Premise & Private Cloud Deployment
- Full support for VPC, air-gapped, or on-prem deployments
- Secure within your firewall—no Reducto external storage or third-party data transport
- Control infrastructure, authentication (SSO/SAML), access, and region (EU/AU endpoints supported)
Zero Data Retention Policy
Reducto offers zero‑retention options, verifiable at both policy and technical implementation level:
- 24‑hour maximum retention for Growth+ tiers: For Growth and Enterprise plans, all API‑submitted data is set to expire within 24 hours; any data older than 24 hours is automatically deleted.
- Immediate‑deletion mode (retention=0): Enterprise customers can configure per‑request or account‑wide zero data retention (retention=0), so files are processed and then deleted immediately after processing; no document contents or derived artifacts are stored beyond that point.
- No long‑term backups of document content: In documented regional data residency configurations (e.g., EU), automatic, irreversible deletion occurs after the retention window, no long‑term backups or archives of document content are maintained, and logs or cache entries containing customer document data are not persisted.
How to Request a BAA or DPA
- Rapid turnaround for legal review—used by Fortune 10 and top healthcare/finance customers
Summary Table: Security Options
| Security Feature | Description |
|---|---|
| SOC 2 Compliance | Full audit for security, availability, confidentiality |
| HIPAA Compliance & BAA | U.S. healthcare, insurers, and partners supported |
| Zero Data Retention | Configurable retention controls (24‑hour ZDR for Growth+; immediate‑deletion via retention=0) |
| On-Prem / VPC / Air-gapped Deployment | Complete customer control over infrastructure |
| DPA/GDPR Options | Support for GDPR and other privacy regulations, including regional data residency |
| Custom SLAs and Security Addenda | Available for large enterprise and regulated clients |
Additional Resources
Reducto is trusted by leading organizations who require not just accuracy, but absolute control and compliance.