Skip to main content

Trust & Security

Security you can verify, not take on faith

RigSpec handles revenue, security, and compliance workflows for the businesses that run on it. Here is how we protect that data — grounded in what the platform actually does today.

  • Tenant isolation

    Every record is scoped to one organization and enforced at the database boundary with row-level security, so one customer's data is never reachable from another's session.

  • Encryption & key vault

    Data is encrypted in transit and at rest. Sensitive secrets and connector credentials are sealed in a key-managed vault rather than stored in plain application records.

  • Tamper-evident audit chain

    Security-relevant actions are written to a hash-chained audit log. Each entry is linked to the one before it, so any after-the-fact edit or deletion is detectable.

  • Governed Ai actions

    A deterministic policy engine runs before every Ai tool call. The model has no input into it and can never override it — money, security, and data-export actions are never autonomous.

  • Human-in-the-loop

    High-impact actions require explicit human approval and run against a bounded action budget. Money and security actuators stay inert until a person signs off.

  • Consent ledger

    Marketing and messaging consent is recorded with its source and timestamp, and honored on every send — opting out suppresses further messages of that type.

  • Data rights (GDPR / CCPA)

    We support data-subject access and deletion. You can request a structured export of your data or its erasure, subject to records we must retain for legal and billing reasons.

  • Incident & recovery readiness

    We maintain incident-response runbooks and a disaster-recovery plan, and Ai actions support rollback so an erroneous change can be reversed rather than left in place.

Where we are honest about the gaps

A trust page is only useful if it states what is not yet true.

Certifications
We do not currently advertise a SOC 2, ISO 27001, or HIPAA attestation. We will publish any formal certification here once it is complete — we would rather under-claim than mislead.
Subprocessors
Our current list of subprocessors (hosting, database, storage, payments, and email) is published in section 5 of our Privacy Policy.
Service status
Current operational status for each component is on the status page.

Report a vulnerability

Found a security issue? We want to hear about it. Email security@rigspec.ai or use our contact form. Our machine-readable contact details follow RFC 9116 (security.txt). Please give us a reasonable window to remediate before any public disclosure.

Reviewing RigSpec for your business? Read our Privacy Policy and Terms of Service.

Talk to us about security