Security.
RiskLabs is built around the same principles we ask our customers to follow.
Posture
Our security program is aligned to ISO 27001 and references industry best practices across access control, encryption, monitoring, change management, and incident response.
We are not yet ISO 27001 certified. Certification work is in progress, and we'll update this page when it lands. We are also tracking SOC 2 Type II as a follow-on. We'd rather say what's true today than imply credentials we don't have.
Encryption
- At rest: customer data is encrypted at rest using provider-managed keys on managed database and object-storage services.
- In transit: all customer-facing endpoints enforce TLS 1.2 or newer (TLS 1.3 negotiated where supported). HTTPS-only is enforced at the edge.
- Backups: continuous database backups with point-in-time restore. Restore procedures are tested.
Identity & access
- Customer identity is delegated to an established managed identity provider. Multi-factor authentication is supported; we recommend it for all customer accounts.
- Inside the app: role-based access control scoped per organisation. Audit log captures sign-ins, configuration changes, and exports.
- Internal access: least-privilege identity and access management across our cloud providers. Deploy automation uses tightly scoped service accounts limited to the specific resources required for that deploy.
- Tenant isolation: customer data partitioned by organisation at the database partition-key level; cross-tenant access is denied at the data layer, not just the application layer.
Monitoring & ops
- Application observability: exceptions, request latencies, dependency tracing, and frontend-backend correlation are captured by an application performance monitoring platform.
- Infrastructure: cloud-provider audit-log and metric services capture API activity and operational signals across our environments.
- Anomaly review: logs are reviewed for unusual sign-in patterns and unusual data-access patterns.
- Change management: production deploys are manual, gated, and logged through a version-controlled CI pipeline. Infrastructure changes are tracked as infrastructure-as-code committed to source control and reviewed before they apply.
Sub-processors
We use a small number of trusted sub-processors. The full list with regions lives in our privacy policy.
Vulnerability disclosure
Found a vulnerability or a security concern? Email hello@risklabs.io with a description and reproduction steps. We will:
- Acknowledge receipt within 2 business days.
- Investigate, fix, and disclose responsibly.
- Credit researchers who report in good faith and follow standard responsible-disclosure practices, where they would like to be credited.
Please don't disclose publicly before we've had a chance to fix. We'll work with you on coordinated timing.