Security & Privacy
We're a security product. We hold ourselves to the same standard we help you achieve.
Your KMS Key Controls Everything
Our CloudFormation template creates a customer-managed KMS key in your AWS account. You own it. This key encrypts scan artifacts (PDF reports, raw scan output) stored in your S3 bucket.
Transparency: We also store a processed copy of your findings in our DynamoDB (EU Frankfurt) to power the dashboard, posture scoring, and AI features. This data is encrypted at rest with AWS-managed encryption (AES-256) in our EU account.
If you delete your RemediGenius account, we delete all your processed data within 30 days. Delete the KMS key in your account to make raw scan artifacts in your S3 bucket permanently unreadable.
What Data We Store
| Data | Where | Encrypted With |
|---|---|---|
| Finding details, scan history, posture scores | Our DynamoDB (EU Frankfurt) | AWS-managed encryption (AES-256) |
| PDF reports, raw scan output | S3 in your AWS account | Your customer-managed KMS key |
| Account credentials (Role ARN + ExternalID) | Secrets Manager (our account) | AWS-managed KMS |
| User account info (email, company) | Supabase PostgreSQL (EU Frankfurt) | Supabase encryption |
What We Never Store
- IAM access keys or long-lived credentials (we use STS AssumeRole)
- S3 bucket contents or application data
- Database records or secrets
- Personal data about your end users
Authentication
MFA Required
Email/password accounts must enroll in TOTP (authenticator app) MFA before accessing sensitive data. OAuth users (GitHub, Google) rely on their provider's MFA.
STS AssumeRole (No Stored Keys)
We never store your AWS credentials. Each scan uses temporary 1-hour credentials via AWS STS AssumeRole with your unique ExternalID.
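A customer-side check of the role setup described above, as an added example (not RemediGenius's own code or template): it audits a role object shaped like the `Role` output of `aws iam get-role` for an exact-match ExternalId condition, a non-wildcard principal and a session cap of one hour. The account ID, the ExternalId value and both sample roles are constructed placeholders.

```python
# Constructed sample roles, shaped like the "Role" object from `aws iam get-role`.
# Account ID 111122223333 and the ExternalId value are placeholders.
def stmt(principal, condition=None):
    s = {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal}
    if condition:
        s["Condition"] = condition
    return s

PINNED = {"MaxSessionDuration": 3600, "AssumeRolePolicyDocument": {"Statement": [
    stmt({"AWS": "arn:aws:iam::111122223333:root"},
         {"StringEquals": {"sts:ExternalId": "example-external-id"}})]}}
LOOSE = {"MaxSessionDuration": 43200, "AssumeRolePolicyDocument": {"Statement": [
    stmt({"AWS": "*"})]}}

def as_list(v):
    return v if isinstance(v, list) else [v]

def audit_role(role):
    """Return findings for a cross-account scanner role; an empty list means pinned."""
    findings = []
    # The page states 1-hour credentials; a higher cap allows longer sessions.
    if role.get("MaxSessionDuration", 3600) > 3600:
        findings.append("MaxSessionDuration exceeds 1 hour")
    doc = role["AssumeRolePolicyDocument"]
    for i, s in enumerate(as_list(doc.get("Statement", []))):
        actions = {a.lower() for a in as_list(s.get("Action", []))}
        if s.get("Effect") != "Allow" or not {"sts:assumerole", "sts:*", "*"} & actions:
            continue
        principal = s.get("Principal", {})
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append(f"statement {i}: wildcard principal")
        # Condition keys are case-insensitive; require an exact-match ExternalId.
        equals = {k.lower(): v for k, v in
                  s.get("Condition", {}).get("StringEquals", {}).items()}
        if not equals.get("sts:externalid"):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings

if __name__ == "__main__":
    for name, role in (("pinned", PINNED), ("loose", LOOSE)):
        print(name, audit_role(role) or "ok")
```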
How to Disconnect
1. Go to Settings → Cloud Accounts → Disconnect
   We immediately stop accessing your account and delete your credentials from our Secrets Manager.
2. Delete the CloudFormation stack
   In your AWS Console, find the RemediGeniusHQ stack and delete it. This removes the IAM role and KMS key.
3. Optional: revoke the KMS key
   If you want to make any data we stored permanently unreadable, revoke or delete the KMS key in your account.
EU Data Residency & GDPR
All data is stored and processed within the EU. Our company (IACGENIUS OÜ) is registered in Estonia, EU. Under GDPR, you have full rights to access, export, and delete your data.
Compliance Status
Responsible Disclosure
Found a security issue? Email security@remedigenius.com. We respond within 24 hours for critical issues and do not pursue legal action against good-faith researchers.