Trust & Security
Security you can verify, not take on faith
RigSpec handles revenue, security, and compliance workflows for the businesses that run on it. Here is how we protect that data — grounded in what the platform actually does today.
Tenant isolation
Every record is scoped to one organization and enforced at the database boundary with row-level security, so one customer's data is never reachable from another's session.
Encryption & key vault
Data is encrypted in transit and at rest. Sensitive secrets and connector credentials are sealed in a key-managed vault rather than stored in plain application records.
Tamper-evident audit chain
Security-relevant actions are written to a hash-chained audit log. Each entry is linked to the one before it, so any after-the-fact edit or deletion is detectable.
Governed Ai actions
A deterministic policy engine runs before every Ai tool call. The model has no input into it and can never override it — money, security, and data-export actions are never autonomous.
Human-in-the-loop
High-impact actions require explicit human approval and run against a bounded action budget. Money and security actuators stay inert until a person signs off.
Consent ledger
Marketing and messaging consent is recorded with its source and timestamp, and honored on every send — opting out suppresses further messages of that type.
Data rights (GDPR / CCPA)
We support data-subject access and deletion. You can request a structured export of your data or its erasure, subject to records we must retain for legal and billing reasons.
Incident & recovery readiness
We maintain incident-response runbooks and a disaster-recovery plan, and Ai actions support rollback so an erroneous change can be reversed rather than left in place.
Where we are honest about the gaps
A trust page is only useful if it states what is not yet true.
- Certifications
- We do not currently advertise a SOC 2, ISO 27001, or HIPAA attestation. We will publish any formal certification here once it is complete — we would rather under-claim than mislead.
- Subprocessors
- Our current list of subprocessors (hosting, database, storage, payments, and email) is published in section 5 of our Privacy Policy.
- Service status
- Current operational status for each component is on the status page.
Report a vulnerability
Found a security issue? We want to hear about it. Email security@rigspec.ai or use our contact form. Our machine-readable contact details follow RFC 9116 (security.txt). Please give us a reasonable window to remediate before any public disclosure.
Reviewing RigSpec for your business? Read our Privacy Policy and Terms of Service.
Talk to us about security