Trust Center
Security & Compliance
Ridhics is built for institutional investors. We believe trust is earned through transparency — here is exactly where we stand on security, data handling, and compliance.
Security Controls in Production
These controls are live today — not roadmap items. Every Ridhics deployment includes these from day one.
Authentication & Access Control
- ✓ Google & LinkedIn OAuth 2.0 (PKCE)
- ✓ Enterprise SSO/SAML via WorkOS (available on request)
- ✓ Role-based access control (Owner, Admin, Analyst, Viewer)
- ✓ Session management with immediate revocation
- ✓ JWT tokens with SHA-256 hashed session binding
Multi-Tenancy & Data Isolation
- ✓ Organization-scoped data model — auth, audit, and enterprise data paths tagged with org_id
- ✓ Application-level tenant filtering on protected data endpoints
- ✓ Row-Level Security (RLS) on PostgreSQL audit logs, expanding to additional tables
- ✓ Separate session tokens per user — no shared state across orgs
- ✓ Audit logs isolated per organization
Encryption
- ✓ TLS 1.3 enforced for all traffic (HTTPS only)
- ✓ AWS RDS encryption at rest (AES-256)
- ✓ JWT tokens signed with HS256
- ✓ No sensitive data in URL parameters or browser history
Audit & Monitoring
- ✓ Every API request logged: who, what, when, result, duration
- ✓ Append-only audit logs — UPDATE/DELETE blocked by database-level policy
- ✓ Request ID tracing across services
- ✓ Admin dashboard for audit log review
- ✓ Structured logging with AWS CloudWatch integration
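As an added illustration, not Ridhics' own schema or code, the PostgreSQL DDL below shows how the org_id tagging, RLS tenant filtering and append-only audit logging described in the two lists above fit together in one table. The table, column, role and session-setting names are assumptions.

```sql
-- Added illustration (not Ridhics' schema): an org-scoped, append-only
-- audit table. Names are assumptions; the caller's org is assumed to be
-- passed in a per-connection setting (app.current_org_id) by the API.
CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    org_id      uuid        NOT NULL,
    request_id  uuid        NOT NULL,   -- request ID traced across services
    actor_id    uuid        NOT NULL,   -- who
    action      text        NOT NULL,   -- what
    result      text        NOT NULL,   -- result
    duration_ms integer     NOT NULL,   -- duration
    created_at  timestamptz NOT NULL DEFAULT now()   -- when
);

-- The API connects as a role that does not own the table: owners and
-- superusers bypass RLS unless FORCE ROW LEVEL SECURITY is set.
CREATE ROLE app_api NOLOGIN;
GRANT SELECT, INSERT ON audit_log TO app_api;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO app_api;
-- UPDATE and DELETE are never granted: the privilege check is the first gate.

ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_log FORCE ROW LEVEL SECURITY;   -- binds the owner as well

-- Tenant filter: rows are visible only inside the caller's org. The
-- missing_ok=true form returns NULL when the setting is absent, so an
-- unset org yields zero rows rather than leaking data (fail closed).
CREATE POLICY audit_org_read ON audit_log
    FOR SELECT TO app_api
    USING (org_id = current_setting('app.current_org_id', true)::uuid);

-- Inserts must carry the caller's own org_id; cross-org writes are refused.
CREATE POLICY audit_org_insert ON audit_log
    FOR INSERT TO app_api
    WITH CHECK (org_id = current_setting('app.current_org_id', true)::uuid);

-- Append-only: no UPDATE or DELETE policy exists, so RLS default-deny
-- matches zero rows even if those privileges were later granted by mistake.

-- Per request, the API scopes the connection before touching the table:
--   SET LOCAL app.current_org_id = '<org uuid>';
-- Verification as app_api: "DELETE FROM audit_log;" fails with
-- "permission denied" (no grant); with a stray grant it affects 0 rows.
```

The two gates are independent: revoking the privilege stops casual edits, while the missing RLS policy keeps the table append-only even when a grant slips through.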
Data Handling & Privacy
How we handle your data, in plain language.
LLM Interactions
Ridhics uses OpenAI, Anthropic, and Google Gemini APIs for analysis. All LLM calls use API keys — no user data is used for model training. We use zero-retention API configurations where available.
Financial Data Sources
SEC EDGAR filings (10-K, 10-Q, 8-K) are sourced directly from the SEC and stored in our own database. Market data comes from established providers. All data is as-filed — never estimated or fabricated.
User Data
We store only what is necessary: email, OAuth provider, organization membership, and session metadata. We do not sell user data. Valuation memory (prior DCF runs, assumptions) is stored per-org for analytical continuity.
Data Residency
All infrastructure runs on AWS US-East-1 (Virginia). Database: AWS RDS PostgreSQL. Application: EC2 behind CloudFront CDN. No data replication outside the US.
Compliance Roadmap
Transparent about where we are and where we’re headed.
Q1 2026
Completed
- ✓ Enterprise authentication (OAuth + SSO-ready)
- ✓ RBAC with four-tier role model
- ✓ Audit logging on all API endpoints
- ✓ Multi-tenant data isolation (app + RLS)
- ✓ Session management with revocation
- ✓ Encryption in transit (TLS 1.3) and at rest (AES-256)
Q2 2026
In Progress
- ○ SOC 2 Type I evidence collection
- ○ Formal security policies (8-10 documents)
- ○ Vendor Risk Questionnaire (VRQ) response bank
- ○ Penetration testing (third-party)
- ○ WorkOS SSO integration for enterprise customers
Q3-Q4 2026
Planned
- • SOC 2 Type I audit engagement
- • Formal incident response plan + tabletop exercise
- • Data Processing Agreement (DPA) template
- • Annual security awareness training
- • Automated vulnerability scanning in CI/CD
Infrastructure Architecture
Compute
AWS EC2 behind CloudFront CDN with automatic TLS certificate management. Next.js frontend served as static assets. Python/FastAPI backend with async processing.
Database
AWS RDS PostgreSQL with encryption at rest. Automated daily backups with 7-day retention and point-in-time recovery. Separate schemas for application data, auth, and analytics.
AI/ML Pipeline
LLM APIs (OpenAI, Anthropic, Google) accessed via API keys with zero-retention settings. Voyage AI for embeddings. No user data used for training. All API calls logged and auditable.
Data Pipeline
SEC EDGAR filings fetched directly from SEC servers. XBRL financial data parsed and validated against as-filed values. News and market data from established financial data providers.
Frequently Asked Questions
Does Ridhics use my data to train AI models?
No. We use LLM provider APIs (OpenAI, Anthropic, Google) via API keys with zero-retention settings. Your data is never used for model training.
Can other organizations see my valuations or reports?
No. Every piece of data is tagged with your organization ID. Application-level filtering and PostgreSQL Row-Level Security ensure complete isolation.
Do you support SSO/SAML for enterprise login?
Yes. We integrate with WorkOS for enterprise SSO/SAML. Contact us to set up your identity provider connection.
Where is my data stored?
All data resides in AWS US-East-1 (Virginia) on encrypted RDS PostgreSQL instances. Application servers run on EC2 behind CloudFront CDN.
Are you SOC 2 certified?
Not yet. We are actively building toward SOC 2 Type I with a target audit engagement in Q3-Q4 2026. Our current security controls are designed to meet SOC 2 requirements.
Can I get a Vendor Risk Questionnaire (VRQ) completed?
Yes. Contact ram@ridhics.com with your VRQ or security questionnaire and we will complete it within 5 business days.
Need More Detail?
We welcome security reviews, penetration testing coordination, and vendor risk questionnaires. Reach out and we’ll get back to you within one business day.