Last updated: May 2026
This page describes the security practices and responsibilities at redu.cloud. We take a layered approach to protecting customer infrastructure and data. This page is not a certification claim — it describes our current security practices and how responsibilities are shared between redu.cloud and our customers.
To report a security issue, contact us at security@redu.cloud.
All connections to the redu.cloud dashboard, API, and control plane are protected using TLS. Plain HTTP connections are redirected to HTTPS. We do not support outdated protocol versions.
Connections between internal services within our infrastructure use encrypted channels where technically feasible.
Customer data stored on our platform, including volumes and backups, is stored on infrastructure hosted in Germany. Disk-level encryption practices depend on the underlying infrastructure configuration. Customers who require additional encryption should consider application-level encryption or encrypted volume configurations.
Access to the redu.cloud platform is managed through our authentication provider, Keycloak. We apply the principle of least privilege:
Customer compute instances, networks, and storage volumes are logically isolated from other customers using OpenStack project isolation. Each customer receives a dedicated private network and project-scoped credentials. Compute instances do not share tenant resources.
We maintain audit logs of significant account and platform actions including instance creation, deletion, snapshot operations, and network changes. These logs are used for security review, debugging, and incident investigation.
We monitor platform availability and service health using automated monitoring tools that alert our team when services are degraded.
redu.cloud provides snapshot and backup features that customers can use to protect their own data. Taking regular backups is the customer's responsibility. We do not automatically back up customer instance data unless a backup or snapshot is explicitly created. See our Portability and Data Handling page for more information.
We aim to apply security patches and updates to platform components on a timely basis. Critical infrastructure updates are prioritised. Customer operating system images and application software are the customer's responsibility to patch and maintain.
We operate monitoring systems that detect service disruptions and availability issues. When an incident is detected:
If you believe you have found a security vulnerability or suspect unauthorised access, please contact us immediately:
Please do not publicly disclose security issues before we have had a reasonable opportunity to investigate and respond.
Security is a shared responsibility between redu.cloud and our customers. We are responsible for the security of the underlying cloud platform, hardware, hypervisor, network infrastructure, and control plane. Customers are responsible for:
redu.cloud does not currently hold ISO 27001, SOC 2, or other formal security certifications. Our security practices are designed to support good security hygiene appropriate for a cloud infrastructure provider. We are reviewing certification roadmaps as the business scales and customer requirements evolve.
If your organisation has specific security assurance requirements, please contact us at office@redu.cloud to discuss.