Security is the product.
We build security tooling. We hold ourselves to the same standard we set for our customers.
Responsible disclosure
If you discover a vulnerability in RAE’s systems, please email security@userae.com. Include the following in your report:
- Description of the vulnerability.
- Steps to reproduce.
- Potential impact.
- Your contact information (optional).
We will acknowledge receipt within 24 hours and provide a timeline for resolution. We ask that you give us 90 days to fix the issue before public disclosure. We do not offer a bug bounty at this stage, but we will credit researchers who report valid vulnerabilities, if they wish to be credited.
What we protect
- The RAE control plane API and web application.
- Customer audit data and metadata.
- The detector model weights and training corpus.
What we don’t protect (by design)
The RAE on-prem node runs in your network. We don’t have access to it. Security of the node deployment is a shared responsibility — we provide hardening guidance in the onboarding call.
Data security practices
- Audit endpoint responses are encrypted at rest (AES-256) and in transit (TLS 1.3).
- The control plane is hosted on infrastructure that meets SOC 2 Type II requirements.
- We do not store raw prompts or responses beyond 30 days.
- Node metadata is one-way anonymised before use in training.
Our commitment
RAE is a security company. If we find a vulnerability in our own product, we will disclose it to affected customers within 24 hours of confirmation.
Contact: security@userae.com