REAGAN INDUSTRIES Logo
REAGAN INDUSTRIES

Trust Center

Security, Privacy &Sovereign Governance

We design for security by default, validate every input server-side, and keep all claims grounded in what is currently implemented. This page documents our actual security architecture, not aspirational statements.

Security Architecture

  • Defense-in-depth strategy across all application layers
  • Strict Content Security Policy (CSP) enforced on every response
  • HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff
  • Rate limiting on authentication, Oracle, intake, and QLaaS endpoints
  • Input validation (Zod) on all API request bodies
  • Error abstraction — no raw stack traces exposed to clients

Identity & Access Management

  • Role-based access control (RBAC) enforced server-side on all admin operations
  • NextAuth.js v5 with Google OAuth and email magic link providers
  • Session tokens stored as HttpOnly, SameSite cookies
  • Admin routes protected at middleware and page levels
  • Session metadata tracking (user-agent, IP) for anomaly detection
  • Phone verification enforced for account-creating actions

BYO AWS Transparency (QLaaS)

  • Quantum compute costs billed directly in the customer's AWS account — zero markup
  • Cross-account access uses STS AssumeRole with unique ExternalId per connection
  • No long-lived AWS keys stored by Reagan Industries
  • IAM conditions enforce tag scoping (RIUserId, RIConnectionId)
  • S3 prefix isolation per user for results storage
  • CloudFormation role revocable at any time by deleting the stack
  • All AssumeRole attempts are audit-logged with actor metadata

Encryption Standards

  • All data in transit encrypted via TLS 1.3
  • Database connections encrypted with SSL
  • Password hashing via bcrypt with configurable work factor
  • Sensitive fields encrypted at rest in the database
  • API keys and secrets managed via environment variables — never hardcoded
  • Session tokens are cryptographically random and rotated on privilege change

Audit Logging

  • All sensitive operations are audit-logged with actor metadata
  • Audit entries include: action, entity type/ID, actor ID, timestamp, and IP
  • Admin actions (role changes, intake management, user operations) are always logged
  • QLaaS operations (job submission, role verification, artifact generation) are logged
  • Oracle interactions are session-tracked with anonymized logging
  • Audit logs are indexed for efficient querying and reporting

Data Retention & Handling

  • We store only data required to deliver requested services
  • Intake submissions are tracked with workflow states and timestamps
  • Session and device metadata are used for account protection only
  • Profile avatar uploads are image-only and size-limited
  • Intake exports generated through background jobs with retry handling
  • Data deletion requests honored within published retention windows

Governance Statement

  • Reagan Industries operates as a Registered Tech Company
  • All technical decisions are founder-directed and mission-aligned
  • No external investors or boards influence security or architecture decisions
  • We do not introduce unnecessary SaaS dependencies
  • We do not weaken IAM strictness for convenience
  • Every system is architected, not improvised — zero technical debt tolerance

Founder-Led Integrity

  • Founded by Reagan Onen — every system embodies the founding vision
  • Founder-originated but multi-generational — built to outlast trends
  • Independent, self-governing, and not shaped by hype or external pressure
  • Institutional rather than personal — built for future teams and leaders
  • Technology sovereignty anchored by discipline, precision, and vision
  • Built from Uganda with global ambition and generational intent

Responsible AI (Oracle)

Oracle responses are grounded in internal knowledge documents
Unsafe or adversarial requests are declined with safer alternatives
Public users are limited to public knowledge scopes
Model provider selection is deterministic and logged
Prompt injection defenses are active on all Oracle endpoints
Oracle provides strategic guidance, not binding technical or legal advice

External Privacy Policy

Full privacy policy and terms of service available in our legal documents.

View Legal Documents

Questions about security or privacy?

Ask Oracle for details on our security controls, compliance posture, or data handling practices.

For security vulnerability reports or data subject requests, contact us through /contact.