// Trust & Security Report
Reflect App LLC
Reflect Notes: a personal, end-to-end encrypted networked note-taking app (web, desktop, iOS) with an optional Reflect AI assistant (built on OpenAI GPT-4/Whisper). Single consumer/individual product line; no separate team or enterprise tier was found.
Certifications held
2
Maturity
Startup
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on reflect.app“"For the purpose of the GDPR, the Company is the Data Controller." ... "You have the right under this Privacy Policy, and by law if You are within the EU, to: Request access to Your Personal Data...Request correction...Object to processing...Request erasure...Request the transfer of Your Personal Data...Withdraw Your consent."”
Verify on reflect.app“"Reflect's commitment to security is further evidenced by its independent audits, such as those conducted by Doyensec. (Vendor blog post names Doyensec as an independent auditor of Reflect but publishes no specific findings; the previously stated detail that the audit found the system well architected with sound cryptographic primitives and no vulnerabilities or misconfigurations identified does not appear verbatim on any vendor page and is not credited.)"”
> Show 8 unconfirmed / not-held certifications
source: reflect.appNo public evidence. Reflect's privacy policy and dedicated security blog post describe end-to-end encryption and an independent cryptography audit by Doyensec, but neither page nor any other page on reflect.app mentions SOC 2.
source: reflect.appNo public evidence. Not mentioned on reflect.app/privacy, reflect.app/terms, or the reflect.app/blog/safe-notes-security-and-encryption security post.
source: reflect.appNo public evidence. Reflect is a consumer note-taking app; no BAA or HIPAA language appears anywhere on reflect.app.
source: reflect.appNo public evidence. Payment is handled by a third-party processor per the terms ("You grant us the right to provide the information to payment processing third parties"); no PCI DSS attestation is published by Reflect itself.
source: reflect.appNo public evidence on any reflect.app page.
source: reflect.appNo public evidence. Reflect AI is described as a feature ("Reflect uses GPT-4 and Whisper from OpenAI") with no AI-governance certification claim.
source: reflect.appNo public evidence on reflect.app. Note: a third-party site (Nudge Security's auto-generated "security profile") lists Reflect as "SOC 2 Compliant, ISO 27001 Compliant, HIPAA Compliant, FedRAMP Compliant, CSA Star Level 1 Compliant," but this is not a vendor-domain source, is not corroborated anywhere on reflect.app, and appears to be an unverified/auto-generated third-party claim -> disregarded per the no-fabrication rule.
source: reflect.appNo public evidence. Not applicable to a consumer note-taking product; not claimed anywhere on reflect.app.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
Not specified. Privacy policy only states data "may be transferred to - and maintained on - computers located outside of Your state, province, country"; no specific region/country or hosting provider is disclosed on any reflect.app page found.
Reflect's own privacy policy states: "OpenAI and Anthropic may use prompts we send them as training data." This is a vendor-domain disclosure that user content routed through the Reflect AI assistant may be used for model training by Reflect's LLM subprocessors; no opt-out mechanism is described on the privacy policy or terms pages. This is a meaningful caveat compared to standard OpenAI/Anthropic commercial API terms (which typically exclude API traffic from training by default) and could not be independently reconciled -> flagged.
// Security controls
Encryption in transit/at rest
Client-side, end-to-end encryption using XChaCha20-Poly1305; notes are encrypted before leaving the device using a user-supplied password as the key (zero-knowledge architecture, per Reflect's description).
reflect.appIndependent audit
Cryptography/architecture audit referenced as conducted by Doyensec in Reflect's security blog post, which does not publish specific findings or a report. No audit report/letter was located; claim is vendor-asserted.
reflect.appAI subprocessors
Reflect AI features (writing assistant, transcription) are powered by OpenAI (GPT-4, Whisper); privacy policy also names Anthropic as a potential subprocessor for prompt processing.
reflect.appData recovery risk
Password loss results in permanent, unrecoverable loss of note access, a direct consequence of the zero-knowledge encryption design (no vendor-side key escrow).
reflect.app// Products & data scope
data: User notes, backlinks, calendar metadata (via Google Calendar/Outlook integration), web clips, Kindle highlights; end-to-end encrypted at rest on Reflect's servers.
Sole product line found. No distinct team/workspace or enterprise SKU was located on reflect.app; the product appears aimed at individual users.
data: Prompts and voice-note audio are sent to OpenAI (GPT-4, Whisper) and potentially Anthropic for processing; per the privacy policy this content may be used by those providers as training data.
Not a separately certified or isolated product; it is a feature layered on the core notes product, so its data-handling posture is governed by the same single privacy policy.
// What to watch
- No trust center: reflect.app has no dedicated /security or /trust page; security claims live only in a blog post and the privacy policy.
- AI training disclosure: privacy policy states OpenAI and Anthropic 'may use prompts we send them as training data,' with no described opt-out - notable for any customer routing sensitive notes through Reflect AI.
- Third-party over-claim risk: a third-party "security profile" site (Nudge Security) lists Reflect as SOC 2 / ISO 27001 / HIPAA / FedRAMP / CSA STAR compliant with no vendor-domain corroboration anywhere on reflect.app; this claim was NOT used to grade any cert and should not be trusted if encountered elsewhere.
- Small team (reported 3-4 employees, ~$3M seed, bootstrapped/profitable) - consistent with a startup that has not yet pursued formal compliance certifications; this is normal for its size/segment and should not be penalized, only disclosed.
- No DPA or data-processing-agreement page was found, which may matter for any B2B/team buyer despite the product being consumer-oriented today.
// At a glance
Pricing model
Subscription (individual plans); no public enterprise/team pricing tier was found (pricing page returned 404 at time of check).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Reflect App LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
reflect.app