Security at RALIA

Your data security is our priority. We implement enterprise-grade security measures to protect your compliance data and AI interactions.

POL-SEC-001 v2.0 | January 2026

1. Our Security Commitment

At RisqBase, we understand that compliance data is sensitive. RALIA is built with security at its core, implementing multiple layers of protection to safeguard your information.

  • Defence in Depth: Multiple security layers protect your data
  • Least Privilege: Access limited to what's necessary
  • Encryption Everywhere: Data protected at rest and in transit
  • Continuous Monitoring: 24/7 security monitoring and alerting

2. How We Protect Your Data

2.1 Encryption

All data is encrypted using industry-standard protocols:

Protection            Implementation
Data in Transit       TLS 1.3 for all connections
Data at Rest          AES-256 database encryption
API Communications    Encrypted API calls to all services
Backups               Encrypted backup storage

2.2 Access Controls

  • Multi-Factor Authentication (MFA): Available for all accounts; required for admin access
  • Role-Based Access Control (RBAC): Granular permissions based on user roles
  • Row-Level Security (RLS): Database-level isolation between organisations
  • Session Management: Automatic timeout; concurrent session limits

2.3 Data Isolation

Organisation Data Isolation: Each organisation's data is logically isolated using PostgreSQL Row-Level Security policies. Your data is never accessible to other customers.

3. Secure Infrastructure

3.1 Hosting & Architecture

RALIA is built on enterprise-grade infrastructure:

Provider     Component              Security
Vercel       Application Hosting    SOC 2 Type II; edge network
Supabase     Database               SOC 2 Type II; EU region
Anthropic    AI Processing          SOC 2 Type II; no data retention
Stripe       Payments               PCI-DSS Level 1

3.2 Network Security

  • Web Application Firewall (WAF): Protection against common attacks
  • DDoS Protection: Automatic mitigation of distributed attacks
  • Rate Limiting: Prevention of abuse and brute force attempts
  • Security Headers: CSP, HSTS, X-Frame-Options configured

4. AI-Specific Security

Your Data Is Never Used for Training

Your data is NEVER used to train AI models. AI providers retain data only during processing, with zero retention policies for API usage.

4.1 AI Data Handling

  • No Training: Your data never trains AI models
  • Session-Only: AI providers retain data only during processing
  • Minimum Data: Only necessary context sent to AI
  • Provider DPAs: Data Processing Agreements with all AI providers

4.2 AI Provider Security

Our AI providers (Anthropic, OpenAI) maintain:

  • SOC 2 Type II certification
  • EU Data Processing Agreements
  • Zero data retention policies for API usage
  • Enterprise-grade API security

5. Secure Development

5.1 Development Practices

  • Secure SDLC: Security integrated throughout development
  • Code Review: All changes reviewed before deployment
  • Automated Testing: Security tests in CI/CD pipeline
  • Dependency Scanning: Continuous vulnerability monitoring

5.2 Vulnerability Management

Response times by severity:

Severity    Response Time
Critical    24 hours
High        7 days
Medium      30 days
Low         90 days

5.3 OWASP Top 10

We actively mitigate OWASP Top 10 vulnerabilities:

  • Injection prevention via parameterised queries
  • Broken access control prevention via RLS
  • Cryptographic protection for all sensitive data
  • Security misconfiguration prevention via hardening
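Section 2.3 and the RLS bullet above both rest on PostgreSQL Row-Level Security for tenant isolation. The following is an added example, not RALIA's schema or RisqBase's code: the table, column, role and setting names (compliance_records, organisation_id, app_user, app.current_org_id) and the tenant ids are assumptions, and it shows the two settings that decide whether a policy is actually enforced.

```sql
-- Added example (not RALIA's own schema): per-organisation isolation with
-- PostgreSQL Row-Level Security. Every object name below is an assumption.

CREATE ROLE app_user NOLOGIN;  -- role the application executes queries as

CREATE TABLE compliance_records (
    id              uuid  PRIMARY KEY DEFAULT gen_random_uuid(),
    organisation_id uuid  NOT NULL,
    payload         jsonb NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON compliance_records TO app_user;

-- RLS is off by default: without ENABLE no policy is ever consulted.
ALTER TABLE compliance_records ENABLE ROW LEVEL SECURITY;
-- The table owner bypasses RLS unless FORCE is set; superusers and roles
-- with BYPASSRLS always bypass it, so app_user must be neither.
ALTER TABLE compliance_records FORCE ROW LEVEL SECURITY;

-- Tenant id comes from a transaction-local setting filled in from the
-- authenticated session. NULLIF maps an unset or cleared setting to NULL,
-- so a request with no tenant sees no rows instead of raising a cast error.
CREATE POLICY org_isolation ON compliance_records
    FOR ALL TO app_user
    USING (organisation_id =
           NULLIF(current_setting('app.current_org_id', true), '')::uuid)
    WITH CHECK (organisation_id =
           NULLIF(current_setting('app.current_org_id', true), '')::uuid);

-- Per-request usage (tenant ids are constructed). set_config(..., true) is
-- transaction-scoped like SET LOCAL, so a pooled connection cannot leak the
-- tenant, and unlike SET it accepts a driver bind parameter, so the id is
-- never concatenated into SQL text (the parameterised-query point above).
SET ROLE app_user;
BEGIN;
SELECT set_config('app.current_org_id',
                  '11111111-1111-1111-1111-111111111111', true);
INSERT INTO compliance_records (organisation_id, payload)
VALUES ('11111111-1111-1111-1111-111111111111', '{"status": "open"}');
SELECT id, payload FROM compliance_records;  -- only organisation 1111... rows
COMMIT;

-- A write tagged with another organisation is rejected by WITH CHECK:
-- ERROR:  new row violates row-level security policy for table "compliance_records"
BEGIN;
SELECT set_config('app.current_org_id',
                  '11111111-1111-1111-1111-111111111111', true);
INSERT INTO compliance_records (organisation_id, payload)
VALUES ('22222222-2222-2222-2222-222222222222', '{}');
ROLLBACK;
```

A useful production check is to confirm that the application's database role is not the table owner and has neither SUPERUSER nor BYPASSRLS, since any of those silently disables the policy.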

6. Compliance Framework

6.1 Security Certifications & Standards

Framework               Description
ISO 27001 Ready         Enterprise-grade security and data protection
ISO 42001 Ready         AI management systems and responsible AI governance
SOC 2 Type II Ready     Service organisation customer data management

6.2 Data Processing

Data Controller: RisqBase d.o.o. (Croatia)
Primary Data Region: European Union
Sub-processors: Listed in Privacy Policy
DPAs Available: Enterprise customers

7. Security Incident Response

7.1 Our Commitment

We maintain a comprehensive incident response programme:

  • 24/7 Monitoring: Continuous security monitoring
  • Rapid Response: Defined escalation procedures
  • Transparent Communication: Timely notification of incidents
  • Post-Incident Review: Continuous improvement

7.2 Breach Notification

GDPR-Compliant Notification: In the event of a data breach:

  • Supervisory authority notified within 72 hours (GDPR)
  • Affected customers notified without undue delay
  • Root cause analysis and remediation

8. Shared Responsibility

Security is a shared responsibility. We recommend:

Account Security

  • Enable Multi-Factor Authentication
  • Use strong, unique passwords
  • Review access permissions regularly
  • Log out on shared devices

Data Handling

  • Only input data you're authorised to process
  • Follow your organisation's data handling policies
  • Report any security concerns promptly

9. Report Security Issues

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly:

security@risqbase.com

We appreciate security researchers who:

  • Give us reasonable time to respond
  • Avoid accessing or modifying customer data
  • Do not publicly disclose before we've addressed the issue

General Security Questions:

support@risqbase.com

Enterprise Security Documentation

Enterprise customers may request our security questionnaire responses and compliance documentation.