
Trust & security

Security is the product, not a feature.

We're a GRC platform. If we can't protect your compliance data, we have no business asking you to trust us with it. Here's exactly how we keep it safe.

Encryption in transit

All data transmitted between your browser and our platform is encrypted using TLS 1.2 or higher. We enforce HTTPS across every endpoint — unencrypted connections are rejected.

Encryption at rest

Customer data is encrypted at rest using AES-256. This includes risk records, controls, and all files stored in your Evidence Locker. Encryption keys are managed separately from the data they protect.

SHA-256 evidence integrity

Every file uploaded to the Evidence Locker receives a SHA-256 hash on ingestion. We store this fingerprint alongside the file and verify it on every retrieval. Any tampering — including by us — is immediately detectable.
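
The hash-on-ingestion, verify-on-retrieval flow described above, sketched as an added example. This is not RiskGuard's code: the EvidenceStore class, its in-memory storage and every name in it are assumptions, and the sample bytes are constructed.

```python
import hashlib
import hmac
import io

CHUNK = 64 * 1024  # read size used when hashing a stream


class IntegrityError(Exception):
    """Stored bytes no longer match the fingerprint recorded at ingestion."""


def sha256_stream(stream):
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        digest.update(chunk)
    return digest.hexdigest()


class EvidenceStore:
    """Hypothetical in-memory stand-in for an evidence locker."""

    def __init__(self):
        self._blobs = {}    # evidence_id -> file bytes
        self._digests = {}  # evidence_id -> SHA-256 hex recorded at ingestion

    def ingest(self, evidence_id, stream):
        if evidence_id in self._digests:
            raise ValueError("evidence ids are write-once")
        data = stream.read()
        self._blobs[evidence_id] = data
        self._digests[evidence_id] = sha256_stream(io.BytesIO(data))
        return self._digests[evidence_id]

    def retrieve(self, evidence_id):
        data = self._blobs[evidence_id]
        recorded = self._digests[evidence_id]
        actual = sha256_stream(io.BytesIO(data))
        # Refuse to return bytes that fail verification.
        if not hmac.compare_digest(actual, recorded):
            raise IntegrityError(f"{evidence_id}: expected {recorded}, got {actual}")
        return data


if __name__ == "__main__":
    store = EvidenceStore()
    store.ingest("policy-v1", io.BytesIO(b"constructed sample evidence"))
    store._blobs["policy-v1"] += b" (edited)"  # simulate modification at rest
    try:
        store.retrieve("policy-v1")
    except IntegrityError as exc:
        print("tamper detected:", exc)
```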

Access control

RiskGuard uses role-based access control (RBAC). Users only see and interact with the data their role permits. External auditors receive time-limited, scoped tokens — they cannot access anything beyond what you explicitly grant them.

Infrastructure

The platform runs on Vercel's edge infrastructure with data stored in the UK and European Economic Area. We do not use data centres outside the UK/EEA for customer data. Our infrastructure provider maintains ISO 27001 certification.

Authentication

Passwords are hashed using bcrypt with a work factor appropriate to current hardware. We support multi-factor authentication (MFA) and enforce minimum password complexity. Session tokens are short-lived and invalidated on logout.

Availability

99.9%

Target uptime commitment. Your compliance posture shouldn't depend on whether our servers are having a bad day. We monitor platform health 24/7 and publish incidents transparently.

Common questions

Security FAQ

Do you have a bug bounty programme?

Not formally — but we take all responsible disclosures seriously and will acknowledge researchers who report valid vulnerabilities. Email security@riskguardhq.com.

Where is customer data stored?

All customer data is stored in the United Kingdom and European Economic Area. We do not transfer data outside these regions without explicit agreement.

Can RiskGuard employees access my data?

Access to customer data by RiskGuard staff is strictly limited, logged, and requires a documented business reason. We do not access customer compliance data for any purpose other than delivering and supporting the service.

How do I report a security issue?

Email security@riskguardhq.com. Please include a description of the issue, steps to reproduce it, and the potential impact. We will acknowledge your report within 48 hours.

Responsible disclosure

Found a vulnerability? Please report it privately before disclosure. We commit to acknowledging all reports within 48 hours and resolving confirmed issues promptly.

Ready to get audit-ready?

Book a 30-minute demo and see how RiskGuard can get your startup compliant — without the consultant fees.