Security Overview

Last updated: June 9, 2026

This page describes the security practices that protect the Reactiv platform and the data processed by it. For our service-level commitments — including availability targets, recovery objectives, and incident response timelines — see the Service Level Agreement.

Hosting & infrastructure

Reactiv's production services are hosted on Amazon Web Services (AWS) in the us-east-1 (Northern Virginia) region. Production workloads are deployed across multiple availability zones (multi-AZ) within that region, providing resilience against the failure of any single zone. Cross-region failover is not currently in scope.

Availability & resilience

Reactiv maintains published availability targets and recovery objectives for each service category:

Dashboard, Mobile App Platform, Mobile App Clip Platform, and Integration Services target 99.95% monthly availability.
Data Systems and AI Services target 99.7% monthly availability.
Production data is backed up on a rotating schedule — daily backups retained for 35 days, weekly for 90 days, and monthly for 5 years.
Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are defined per service category.

Full availability targets, RTO/RPO tables, and our business continuity and disaster recovery practices are documented in the Service Level Agreement.

Authentication & payments

Reactiv relies exclusively on Shopify for both merchant and shopper authentication, as well as checkout. We do not maintain our own merchant or shopper accounts or credentials, and we never collect, store, or process payment card data — that remains entirely within Shopify's platform. This is a deliberate design choice that minimizes the sensitive data Reactiv handles and keeps payment processing on Shopify, which is certified PCI DSS Level 1, the highest tier of payment-card security certification.

Encryption

Data is encrypted both in transit and at rest. Data in transit is protected with TLS 1.2 or higher, and data at rest is encrypted using AES-256.

Access controls

Access to production systems and customer data is restricted to authorized personnel on a need-to-know basis, following the principle of least privilege:

Single sign-on (SSO) is used for access to internal tools and cloud infrastructure.
Multi-factor authentication (MFA) is enforced on critical systems.
Access is granted using role-based access controls (RBAC) and scoped to what each role requires.
Access is reviewed periodically, and access is revoked promptly when personnel leave or change roles.

Data segregation

Reactiv is a multi-tenant platform that uses a combination of database-per-tenant isolation and logical separation to keep each merchant's data segregated. Certain tenant data is partitioned into dedicated databases, and access is further scoped to the owning merchant by store ID at the application layer, so one merchant cannot access another merchant's data. This store ID scoping is enforced consistently across our data stores, including application databases, analytics, and our data warehouse. Shopper-facing data is scoped to the store the shopper is interacting with.

Data retention & deletion

Customer data is retained for the duration of the customer relationship. On termination, Reactiv returns or deletes (or irreversibly anonymizes) customer personal data, except where retention is required by applicable law. The full terms are set out in our Data Processing Addendum, and our data practices are described in our Privacy Policy.

Logging & monitoring

Reactiv uses dedicated tooling for error and event logging to detect and diagnose issues:

Amazon CloudWatch for event logging
LogRocket for event logging
Sentry for error logging

These and all other third-party services are listed in our Sub-processors page.

Incident response

Incidents are triaged by our Customer Success team and managed internally using Rootly. Engineering maintains on-call rotations to respond around the clock, and incidents are prioritized by severity — critical (Sev1) incidents are acknowledged within one hour, 24/7. Customers are kept informed through the Reactiv Status Page — where they can subscribe for incident updates — and direct channels. Detailed severity classifications and response targets are defined in the Service Level Agreement.

In the event of a personal data breach affecting customer data, Reactiv will notify affected customers without undue delay upon discovery, as set out in our Data Processing Addendum.

AI & sub-processors

Reactiv's AI features use large language model inference provided by Anthropic via AWS Bedrock, hosted in the United States. We rely on a set of vetted third-party sub-processors to deliver the service; the complete, current list — including each provider's purpose and location — is published on our Sub-processors page.

Compliance

Reactiv does not currently hold a SOC 2, ISO 27001, or other third-party security certification, and makes no certification claims.

Reporting a vulnerability

If you believe you have found a security vulnerability in Reactiv, please contact us at support@reactiv.ai.

Was this page helpful?

Hosting & infrastructure​

Availability & resilience​

Authentication & payments​

Encryption​

Access controls​

Data segregation​

Data retention & deletion​

Logging & monitoring​

Incident response​

AI & sub-processors​

Compliance​

Reporting a vulnerability​