This article explains how Remindax protects your data: where it is stored, how it is secured, who can access it, and what controls are in place to keep your organization's documents and reminders safe.

If you are evaluating Remindax for enterprise use or have a security questionnaire to complete, this page is the right starting point. For additional details, contact us at [email protected].

Audience: all users — particularly IT administrators, compliance officers, and procurement teams evaluating Remindax. Last reviewed June 2026.

Hosting infrastructure

Remindax is hosted entirely on Amazon Web Services (AWS), one of the world's most widely trusted cloud infrastructure providers.

AWS maintains the following certifications relevant to enterprise customers:

  • SOC 1, SOC 2 Type II, and SOC 3 — independently audited controls over security, availability, and confidentiality.
  • ISO 27001 / ISO 27017 / ISO 27018 — international information security management standards.
  • HIPAA eligibility — AWS services used by Remindax are covered under AWS's HIPAA eligibility program.
  • PCI DSS Level 1 — payment card infrastructure controls.
  • FedRAMP (select services) — US federal government security authorisation.

AWS is responsible for the physical security of data centres, hardware, networking, and virtualisation layers. Remindax is responsible for everything built on top of that infrastructure, including application security, access controls, and data handling — as described in the sections below.

Important note on compliance claims: AWS's certifications apply to the infrastructure layer. Remindax as an application has not independently completed a SOC 2 audit or HIPAA Business Associate Agreement (BAA) program at this time. If your organisation requires a signed BAA or a copy of a SOC 2 report, please contact us at [email protected] to discuss your requirements.

Data storage & residency

  • All customer data is stored in AWS data centres located in the United States.
  • Data is stored in encrypted form at rest using AES-256 encryption.
  • Backups are encrypted using the same standard and stored in geographically separate AWS regions to protect against regional outages.
  • Remindax does not currently offer region-specific data residency (e.g. EU-only storage). If this is a requirement, contact us to discuss your use case.

Data in transit

  • All data transmitted between your browser or mobile app and Remindax servers is encrypted using TLS 1.2 or higher.
  • HTTP connections are automatically redirected to HTTPS. Plain HTTP is not accepted.
  • API communications (including integrations with Google Drive, Slack, and Microsoft Teams) use encrypted connections enforced at the transport layer.

Authentication & access controls

For your team
  • Remindax supports email and password authentication with enforced password complexity requirements.
  • Two-factor authentication (2FA) is available and can be enforced at the workspace level by administrators.
  • Session tokens expire after a period of inactivity. Users are automatically logged out of inactive sessions.
  • Role-based access control (RBAC) allows administrators to assign Admin, Standard User, or Read-Only roles. Each role carries distinct permissions for viewing, creating, editing, and deleting records.
  • Workspace administrators can revoke access for departed team members at any time from Manage → Users.
For Remindax staff
  • Access to customer data by Remindax employees is restricted on a strict need-to-know basis.
  • Production system access requires multi-factor authentication.
  • Access is logged and reviewed periodically.

File storage & attachments

  • Documents and files uploaded to Remindax (via Drive or direct attachment) are stored in AWS S3 with server-side encryption enabled.
  • Files are accessible only to authenticated users within your workspace who have the appropriate role permissions.
  • Remindax staff do not access uploaded documents except when explicitly required to resolve a support issue, and only with your consent.

Third-party integrations

Remindax integrates with the following third-party services. Each connection uses OAuth 2.0 or equivalent token-based authorisation — Remindax never stores your third-party account passwords.

  • Google Drive — file sync and document storage (OAuth 2.0).
  • Google Calendar — deadline sync (OAuth 2.0).
  • BambooHR — HR document tracking (API key, workspace-managed).
  • Slack — reminder notifications (OAuth 2.0).
  • Microsoft Teams — reminder notifications (OAuth 2.0).
  • Zapier — workflow automation (OAuth 2.0).
  • Microsoft AppSource — enterprise distribution (OAuth 2.0).
  • Twilio (SMS) — SMS reminder delivery (server-to-server, no user credential).
  • WhatsApp Business API (Meta) — WhatsApp reminder delivery (server-to-server).

You can revoke any integration at any time from Manage → Integrations. Revoking an integration removes Remindax's access token and stops all data exchange with that service.

Data retention & deletion

  • Active data: your reminders, documents, contacts, and workspace settings are retained for as long as your account is active.
  • Deleted records: most deletions are soft-deleted (records are moved to a 30-day recycle window before permanent removal). This protects against accidental deletion.
  • Account cancellation: upon workspace deletion or plan cancellation, customer data is permanently deleted from production systems within 30 days. Backup copies are purged on their standard rotation schedule (typically within 90 days of the deletion date).
  • Export before you leave: you can export your reminders, contacts, and documents at any time before cancellation. Go to Import → Export in the main navigation.

AI SmartDoc & document processing

Remindax's AI SmartDoc feature processes uploaded documents to extract expiry dates, document types, and other fields. The following applies to AI processing:

  • Documents submitted to SmartDoc are sent to our AI processing pipeline for OCR and field extraction.
  • Remindax uses OpenAI's API as the underlying AI processing service for document analysis. Documents are transmitted to OpenAI under a data processing agreement that restricts use of your data for model training.
  • Extracted data is stored in your Remindax workspace. The original document is stored in Drive (AWS S3).
  • SmartDoc does not store raw document content beyond what is needed to complete the extraction.

If you have strict requirements around AI processing of sensitive documents (e.g. medical records, legal contracts), we recommend reviewing the AI processing flow with your data protection officer before enabling SmartDoc on those document types.

Subprocessors

Remindax uses the following key subprocessors to deliver the service:

  • Amazon Web Services — cloud infrastructure, storage, compute.
  • OpenAI — AI document extraction (SmartDoc).
  • Twilio — SMS delivery.
  • Meta (WhatsApp Business API) — WhatsApp delivery.
  • Stripe — payment processing.
  • Google (Workspace APIs) — Drive and Calendar integrations.

A full and current subprocessor list is available on request at [email protected].

Vulnerability disclosure

If you discover a security vulnerability in Remindax, please report it responsibly to [email protected]. We aim to acknowledge reports within 2 business days and provide a resolution timeline within 5 business days. We do not currently operate a formal bug bounty program, but we take all responsible disclosures seriously and will credit researchers who report valid issues (with their consent).

Please do not publicly disclose potential vulnerabilities before we have had a reasonable opportunity to investigate and remediate.

Compliance questionnaires & security reviews

We understand that enterprise procurement often requires a formal security review. If your organisation requires any of the following, contact [email protected]:

  • Completed vendor security questionnaire (VSQ / SIG Lite).
  • Data Processing Agreement (DPA) for GDPR compliance.
  • Evidence of AWS compliance certifications.
  • Information about our internal security practices and policies.
  • Discussion about HIPAA or SOC 2 requirements for your use case.

We will respond to security review requests within 3 business days.

GDPR & privacy

Remindax is committed to compliant handling of personal data under the General Data Protection Regulation (GDPR) for users in the European Economic Area and UK.

  • Remindax acts as a data processor with respect to personal data your organisation stores in the platform (e.g. contact names, email addresses). Your organisation is the data controller.
  • Our full Privacy Policy is available at remindax.com/privacy-statement.
  • To request a Data Processing Agreement (DPA), contact [email protected].
  • For individual data subject requests (access, deletion, portability), contact [email protected].

Frequently asked questions

Is Remindax HIPAA compliant? Remindax is hosted on AWS infrastructure that is HIPAA-eligible. However, Remindax has not completed a formal HIPAA compliance program or Business Associate Agreement (BAA) at this time. If HIPAA compliance is a hard requirement for your organisation, contact us at [email protected] to discuss your specific use case and timeline.

Is Remindax SOC 2 certified? Remindax has not independently completed a SOC 2 Type II audit at this time. Our infrastructure provider (AWS) maintains SOC 2 Type II certification, and we can provide AWS compliance documentation on request. We are evaluating a formal SOC 2 program — contact us if this is a requirement for your evaluation.

Where is my data stored? All data is stored on AWS infrastructure in the United States.

Can Remindax staff read my documents? Remindax staff do not access uploaded documents in the normal course of operations. Access to customer data is restricted, logged, and requires multi-factor authentication. Exceptions apply only when you request support assistance and explicitly grant access.

What happens to my data if I cancel? Your data is permanently deleted within 30 days of account cancellation. We recommend exporting your data before cancelling. See Import → Export in the main navigation.

Does Remindax sell my data? No. Remindax does not sell, rent, or share customer data with third parties for advertising or marketing purposes. See our full Privacy Policy for details.

Does AI SmartDoc train on my documents? No. Documents processed by SmartDoc are transmitted to OpenAI under an agreement that restricts use of your data for model training. Your documents are used solely to complete the extraction task.

Contact

For security, privacy, or compliance inquiries:

This article reflects Remindax's security posture as of the date shown above. Security practices are updated regularly. For the most current information, contact [email protected].