Enterprise-Grade Security

Security at RISKCORE

Your risk data deserves bank-grade protection. Here's how we deliver it.

Last updated: January 2025

  • AES-256: Encryption at Rest
  • TLS 1.3: Encryption in Transit
  • GDPR: Compliant
  • Self-Hosted: Option Available

1. Security Overview

At RISKCORE, security is not an afterthought—it's foundational to everything we build. We understand that our customers manage billions in assets and require the highest levels of data protection.

Our security program is built on three core principles:

  • Defense in Depth: Multiple layers of security controls
  • Least Privilege: Minimal access rights by default
  • Transparency: Open-source core for full auditability

2. Compliance & Certifications

Current Status

  • GDPR Compliant

    Full compliance with UK and EU data protection regulations

  • Security Controls Implemented

    Bank-grade encryption, access controls, and monitoring in place

In Progress

  • SOC 2 Type II Certification

    Currently undergoing the SOC 2 compliance process with third-party auditors

  • Penetration Testing

    Scheduling independent security assessments by certified professionals

We are committed to achieving the highest security standards. Enterprise customers can request our current security documentation and compliance roadmap.

3. Data Encryption

Encryption at Rest

  • All data encrypted using AES-256 encryption
  • Database encryption with customer-specific keys (Enterprise)
  • Encrypted backups stored in geographically distributed locations
  • Secure key management using hardware security modules (HSM)

Encryption in Transit

  • TLS 1.3 for all data transmission
  • HSTS enabled with minimum 1-year max-age
  • Certificate pinning available for mobile applications
  • Perfect Forward Secrecy (PFS) enabled

4. Infrastructure Security

Our cloud infrastructure is hosted on leading providers with SOC 2 and ISO 27001 certifications:

  • Network isolation using Virtual Private Clouds (VPC)
  • Web Application Firewall (WAF) protection
  • DDoS mitigation at network edge
  • Regular vulnerability scanning and patching
  • Immutable infrastructure with automated deployments
  • Geographic redundancy with automatic failover

5. Access Control

User Access

  • Role-based access control (RBAC) with granular permissions
  • Multi-factor authentication (MFA) support
  • SSO/SAML integration for Enterprise customers
  • Session timeout and automatic logout
  • IP allowlisting available

Internal Access

  • Principle of least privilege for all employees
  • Background checks for all team members
  • Access reviews conducted quarterly
  • All access logged and auditable
  • No standing access to production data

6. Self-Hosted Option

Maximum Control

For organizations with strict data residency requirements or internal policies, RISKCORE can be deployed entirely within your own infrastructure.

Self-hosted benefits include:

  • Data never leaves your network — Complete data sovereignty
  • Your security controls — Integrate with existing security infrastructure
  • Air-gapped deployments — Available for highly sensitive environments
  • Custom retention policies — Full control over data lifecycle

7. Data Handling

Data Isolation

Each customer's data is logically isolated. We use separate database schemas and encryption keys to ensure complete data segregation between tenants.

Data Retention

  • Customer-configurable retention policies
  • Secure deletion upon request or account termination
  • 30-day maximum for complete data purge

No Data Selling

We will never sell, share, or monetize your data. Your risk data is used solely to provide our services to you.

8. Monitoring & Incident Response

Continuous Monitoring

  • 24/7 automated threat detection
  • Real-time alerting on anomalous activity
  • Comprehensive audit logging
  • Log retention for 12+ months

Incident Response

  • Documented incident response procedures
  • Dedicated security response team
  • Customer notification within 72 hours of confirmed breach
  • Post-incident reviews and continuous improvement

9. Vendor Security

We carefully vet all third-party vendors and require:

  • SOC 2 or equivalent certification
  • Data Processing Agreements (DPAs)
  • Regular security assessments
  • Minimal data sharing principles

10. Security Contact

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

Report a Vulnerability

Email: security@riskcore.io

For general security questions: hello@riskcore.io

Enterprise customers can request our full security documentation, including SOC 2 reports, penetration test summaries, and completed security questionnaires.