Trust Center

Security & Compliance

Ridhics is built for institutional investors. We believe trust is earned through transparency — here is exactly where we stand on security, data handling, and compliance.

If your email app does not open, write to support@ridhics.com.

Security Controls

Current controls and customer-onboarding capabilities are labeled below so diligence teams can distinguish live safeguards from setup steps and planned roadmap items.

Authentication & Access Control

  • Google & LinkedIn OAuth 2.0Production
  • Enterprise SSO/SAML via WorkOS is implementation-ready; customer IdP connection is enabled during onboardingAvailable after customer setup
  • Role-based access control (Owner, Admin, Analyst, Viewer)Production
  • Session management with immediate revocationProduction
  • JWT tokens with SHA-256 hashed session bindingProduction

Multi-Tenancy & Data Isolation

  • Organization-scoped data model — auth, audit, and enterprise data paths tagged with org_idProduction
  • Application-level tenant filtering on protected data endpointsProduction
  • Database-level Row-Level Security across tenant tables (defense-in-depth)Production
  • Separate session tokens per user — no shared state across orgsProduction
  • Audit logs isolated per organizationProduction

Encryption

  • TLS 1.2+ enforced; TLS 1.3 supported (HTTPS only)Production
  • AWS RDS encryption at rest (AES-256)Production
  • JWT tokens signed with HS256Production
  • No sensitive data in URL parameters or browser historyProduction

Audit & Monitoring

  • Authenticated and security-relevant API requests audit logged: actor, route, result, durationProduction
  • Append-only audit logs — UPDATE/DELETE are not permitted by audit-table database policyProduction
  • Request-ID correlation on API requestsProduction
  • Admin dashboard for audit log reviewProduction
  • Structured request/audit loggingProduction

Data Handling & Privacy

How we handle your data, in plain language.

AI Model Providers (subprocessors that process client requests)

EVA uses commercial language models from OpenAI, Anthropic, Google, and Voyage AI to read filings, synthesize research, and generate analytical narrative. API calls originate from EVA’s backend servers — language models have no direct access to client accounts, databases, or stored documents. Ridhics does not use client content to train Ridhics-owned models, and uses provider/API paths documented by those providers as not training public models on submitted inputs or outputs, subject to provider terms and customer configuration.

Financial Data Sources (data we ingest; no client data flows to them)

EVA’s analytical engine ingests publicly available financial filings, market data, and macroeconomic series from established providers. These are upstream data feeds — customer confidential content is not sent to those market-data sources.

User Data

Ridhics stores only what is necessary: account identity (email, OAuth provider), organization membership, session metadata, and platform usage logs. Valuation work and analytical history are stored per-organization. We do not sell client data.

Data Residency

Ridhics-owned application infrastructure runs in AWS US-East-1 (Virginia). The application uses AWS RDS PostgreSQL and TigerData/TimescaleDB infrastructure in us-east-1, with RDS daily backups (7-day retention), point-in-time recovery, and encryption at rest. Third-party subprocessors process data under their own contractual and data-residency terms, as described in our subprocessor registry and DPA materials.

Analytical Integrity

Institutional buyers regularly ask how to trust an AI-powered research platform. EVA separates narrative evidence, structured XBRL facts, and deterministic valuation math so analysts can inspect the source trail behind an answer instead of relying on unsupported model assertions.

Text citations for narrative claims

For filing text, transcripts, news, and other narrative sources, EVA surfaces cited passages so analysts can inspect the evidence behind an answer. We continue to improve citation coverage and source ranking for free-text retrieval.

XBRL provenance for structured numbers

Structured financial facts trace to public SEC/XBRL filings with accession number, filing date, underlying concept, and source-fact context. Computed figures expose formulas and explicit inputs rather than appearing as free-form model text.

Valuation integrity and abstention

Fair values, margins, terminal values, sensitivities, and scenario outputs are computed by deterministic valuation engines with snapshotted inputs and calculation versions. When EVA cannot credibly value a company, it can return “Under Review” with a structured reason instead of forcing a number.

For institutional diligence, detailed methodology documentation, our analytical-integrity brief, and platform comparison materials are available to qualified prospects on request. Contact support@ridhics.com.

Compliance Roadmap

Transparent about where we are and where we’re headed.

Q1-Q2 2026

Completed
  • Enterprise authentication (OAuth + SSO-ready)
  • RBAC with four-tier role model
  • Audit logging on authenticated and security-relevant API endpoints
  • Application-level multi-tenant data isolation (organization-scoped)
  • Session management with revocation
  • Encryption in transit (TLS 1.2+; TLS 1.3 supported) and at rest (AES-256)
  • Formal security policy framework covering information security, access control, data classification, data retention, change management, incident response, vendor management, and acceptable use — details available to qualified prospects on request

Q3-Q4 2026

In Progress
  • SOC 2 Type I evidence collection
  • Vendor Risk Questionnaire (VRQ) response bank
  • WorkOS SSO implementation-ready; customer IdP setup during onboarding

Q1 2027

Planned
  • SOC 2 Type I audit engagement
  • Third-party penetration testing
  • Formal incident response plan + tabletop exercise
  • Data Processing Agreement (DPA) template
  • Annual security awareness training
  • Automated vulnerability scanning in CI/CD

Infrastructure Architecture

Compute

AWS EC2 behind CloudFront CDN with automatic TLS certificate management. Next.js frontend served as static assets. Python/FastAPI backend with async processing.

Database

AWS RDS PostgreSQL and TigerData/TimescaleDB infrastructure in us-east-1. RDS is encrypted at rest with automated daily backups, 7-day retention, and point-in-time recovery. Separate schemas support application data, auth, analytics, XBRL facts, and retrieval indexes.

AI/ML Pipeline

LLM APIs (OpenAI, Anthropic, Google) accessed through EVA backend services. Ridhics does not use client content to train Ridhics-owned models; provider/API paths are selected for no-public-model-training commitments, subject to provider terms and customer configuration. Voyage AI supports embeddings.

Data Pipeline

Public financial filings and structured financial data are ingested from established providers, parsed, and validated against as-filed values. News and market data are sourced from established financial data providers.

Frequently Asked Questions

Does Ridhics use my data to train AI models?

Ridhics does not use client content to train any Ridhics-owned model. EVA uses third-party provider/API paths documented by those providers as not training public models on submitted inputs or outputs, subject to provider terms and customer configuration.

Can other organizations see my valuations or reports?

No. Organization-scoped records are tagged with your organization ID, and application-level filtering plus PostgreSQL Row-Level Security enforce isolation for protected tenant data.

Do you support SSO/SAML for enterprise login?

Enterprise SSO/SAML via WorkOS is implementation-ready and can be enabled during pilot onboarding after customer identity-provider setup.

Where is my data stored?

Ridhics-owned application infrastructure is hosted in AWS US-East-1 (Virginia) on encrypted RDS PostgreSQL, EC2 behind CloudFront, and TigerData/TimescaleDB infrastructure in us-east-1. Third-party subprocessors process data under their own contractual and data-residency terms.

Are you SOC 2 certified?

Not yet. We are actively building toward SOC 2 Type I with a target audit engagement in Q1 2027. Our current security controls are designed to meet SOC 2 requirements.

Can I get a Vendor Risk Questionnaire (VRQ) completed?

Yes. Contact support@ridhics.com with your VRQ or security questionnaire and we typically complete it within 5 business days.

Need More Detail?

Ridhics maintains a detailed materials pack for institutional prospects in active diligence. Items available on request to qualified prospects include:

  • • Full methodology and analytical-integrity documentation
  • • Security policy documents (8 areas covering the formal framework)
  • • Vendor Risk Questionnaire pre-filled response bank
  • • LLM data handling specification
  • • SOC 2 Type I readiness roadmap (target: Q1 2027)
  • • Sample reports and platform demo access

Typical response targets: VRQ submissions within 5 business days where feasible. Security review or methodology deep-dive requests are usually scheduled within 1 business day.

Send VRQRequest Security Review

If your email app does not open, write to support@ridhics.com.