This article explains how Reindeer stores, protects, retains, and deletes customer data, including personal data (PII). For how data is used with large language models, see Data Privacy, Isolation, and LLM Provider Controls.
How Reindeer Handles Personal Data
Reindeer workflows process business content that often contains personal data — names, contact details, and other information embedded in the documents, messages, and records a workflow acts on. Processing this data is typically essential to the use case, so Reindeer does not filter or mask it. Personal data is protected by the same layered controls that protect all customer data:
- Single-tenant isolation. Each customer runs in a dedicated environment.
- Zero-data-retention LLM providers. Models may only be used from providers with ZDR agreements in place.
- Encryption at rest and in transit.
- Role-based access control and scoped, per-workflow permissions.
Reindeer does not offer content masking or redaction. Customers who require data minimization should apply it before data reaches Reindeer, at the source system or connector level.
Deployment Model and Data Residency
Each customer is deployed in a single-tenant environment. Customers can choose the cloud provider (AWS or GCP) and the deployment region. EU-only deployment is supported.
Encryption and Key Management
- Data is encrypted in transit and at rest.
- Encryption keys are managed through the cloud provider's key management service (KMS).
- Bring-your-own-key (BYOK) is supported.
- Managed cloud services within the environment use the cloud provider's default encryption.
LLM Provider Controls
Reindeer only permits model providers with zero-data-retention agreements in place. Customer data is not used to train third-party models, and providers do not retain prompts or completions. Full details, including what data may be included in a model request, are in Data Privacy, Isolation, and LLM Provider Controls.
Access to Customer Data
Customer-side access is governed by role-based access control; users and connectors receive only the permissions their role or workflow requires.
Reindeer-side access is restricted and auditable:
- Support staff have no standing access to customer data.
- Access requires a just-in-time request and is granted through a short-lived support token.
- All access is logged and auditable.
- A break-glass procedure exists for emergencies and requires the CISO, who is the sole holder of the break-glass keys.
Retention and Deletion
- Retention policy is defined by the customer.
- Audit logs are retained for traceability and contain metadata only, not customer content.
- Specific records can be deleted on request during the engagement.
- On contract termination, customer data is deleted — including backups — and a deletion certificate is provided within 30 days.
Regulatory Scope
- GDPR and CCPA are supported by default.
- Workloads involving health data (HIPAA) require a specific agreement before onboarding.
- Payment card data (PCI) is out of scope and must not be sent to Reindeer.
Comments
0 comments
Please sign in to leave a comment.