Security Overview

Last updated: April 21, 2026

Security is foundational to RiskWise. This page describes the measures we take to protect the platform and your data. This is a trust and transparency document, not a legal agreement.

Infrastructure

RiskWise is built on enterprise-grade cloud infrastructure:

  • Vercel: Application hosting with automatic HTTPS, DDoS protection, and global edge network (SOC 2 Type II)
  • Supabase: PostgreSQL database with automated backups, point-in-time recovery, and encrypted storage (SOC 2 Type II)
  • Cloudflare: DNS management and email routing with DDoS mitigation (SOC 2 Type II, ISO 27001)

Application Security

We implement multiple layers of application-level security:

  • Content Security Policy (CSP): Strict CSP headers to prevent XSS and code injection attacks
  • HTTP Strict Transport Security (HSTS): Enforces HTTPS connections
  • Row-Level Security (RLS): Database-level access controls ensure users can only access their own data
  • Rate limiting: API endpoints are protected by Upstash Redis rate limiting to prevent abuse
  • Input validation: All user inputs are validated and sanitized, including file upload magic byte verification
  • CORS protection: Cross-origin request controls on all API routes

Authentication

Authentication is managed by Supabase Auth, which provides:

  • Secure password hashing (handled by Supabase Auth infrastructure)
  • Email verification for new accounts
  • Secure session management with HTTP-only cookies
  • Password reset via verified email

Data Protection

  • Encryption in transit: All data is transmitted over TLS 1.2 or higher
  • Encryption at rest: Database and file storage use AES-256 encryption
  • Access control: Row-level security policies on all database tables restrict data access to authorized users only
  • Backup and recovery: Automated daily database backups with point-in-time recovery capabilities

Payment Security

All payment processing is handled by Stripe, which is certified as a PCI DSS Level 1 Service Provider — the highest level of certification in the payments industry. RiskWise does not store, process, or have access to full credit card numbers. Payment details are entered directly into Stripe's secure elements.

AI Data Handling

Documents processed by our AI features are sent to third-party AI providers (Anthropic for analysis, OpenAI for embeddings only) via their secure APIs:

  • Data is transmitted over encrypted connections (TLS)
  • Neither Anthropic nor OpenAI uses API-submitted data to train its models
  • Document content is sent only as needed to generate analysis or embeddings
  • AI providers are bound by their respective data processing agreements

Error Monitoring

We use Sentry for error monitoring and performance tracking. Sentry collects error logs, stack traces, and browser metadata to help us identify and fix issues quickly. Sentry is SOC 2 Type II certified.

Backup & Recovery

Our database infrastructure (Supabase) provides automated daily backups with point-in-time recovery. In the event of data loss or corruption, we can restore data to any point within the backup retention window. Backups are encrypted at rest and stored separately from production data.

Incident Response

In the event of a security incident, we follow a structured response process:

  • Detection: Continuous monitoring via error tracking, logging, and alerting
  • Assessment: Evaluate scope, impact, and affected users
  • Containment: Isolate affected systems and prevent further exposure
  • Notification: Notify affected users and authorities as required by applicable law (within 72 hours where required)
  • Remediation: Fix the root cause and implement preventive measures
  • Post-incident review: Document lessons learned and update procedures

Responsible Disclosure

If you discover a security vulnerability in the RiskWise platform, we encourage you to report it responsibly. Please email Hello@GetRiskWise.com with the subject line "Security Vulnerability Report" and include:

  • A description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Your suggested fix (if any)

We ask that you give us reasonable time to address the issue before any public disclosure. We do not currently operate a formal bug bounty program, but we appreciate and acknowledge responsible security research.

Questions?

If you have questions about our security practices, contact us at Hello@GetRiskWise.com. For our complete list of third-party service providers, see our Subprocessors page.