Your documents stay yours.
RiskRemedy is built with the security requirements of commercial insurance professionals in mind. This page describes how we handle your data, the controls we have in place, and what documentation we make available to procurement teams.
The short version
How we handle your data
Every document transmitted to and stored within RiskRemedy is encrypted in transit (TLS 1.2+) and at rest (AES-256). Object storage runs in AWS S3 with server-side encryption; our application database runs in MongoDB Atlas with encryption at rest enabled.
Your documents, analyses, and reports are never commingled with any other company's data. Tenant access is validated on every authenticated request, and customer data is logically segregated and accessed only through tenant-scoped queries.
Your documents are never used to train, fine-tune, or improve any model, ours or anyone else's. We use Anthropic and Google as our large language model providers; under their current standard API terms, customer-submitted data on paid API usage is not used to train their models.
User accounts are scoped to a single tenant (or, for admins, an explicit list of tenants). Roles control what each user can see and do. User-level audit logs are available to administrators.
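The tenant-scoped queries and per-tenant account scoping described above, as an added illustration that is not RiskRemedy's own code: a guard that checks tenant membership on every query and ANDs the tenant constraint with the caller's filter, beside the dict-merge pattern it replaces. The `Principal` shape, the `tenant_id` field and the sample records are assumptions made for the example.

```python
# Added illustration, not RiskRemedy's code: enforce tenant scoping at the query layer.
# Assumes every stored document carries a `tenant_id` and the auth layer yields a
# Principal listing the tenant(s) it may access. Runs on plain dicts, no database needed.
from dataclasses import dataclass

DOCS = [  # constructed sample records for two tenants
    {"_id": "p1", "tenant_id": "acme", "type": "policy"},
    {"_id": "p2", "tenant_id": "acme", "type": "report"},
    {"_id": "p3", "tenant_id": "globex", "type": "policy"},
]


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_ids: frozenset  # one tenant for users, an explicit list for admins


def scope_filter(principal: Principal, tenant_id: str, user_filter: dict) -> dict:
    """Check tenant membership on every call, then AND the tenant constraint with the
    caller's filter so a caller-supplied tenant_id or $in clause cannot widen it."""
    if tenant_id not in principal.tenant_ids:
        raise PermissionError(f"{principal.user_id} may not access tenant {tenant_id}")
    return {"$and": [{"tenant_id": tenant_id}, user_filter]}


def merged_naively(tenant_id: str, user_filter: dict) -> dict:
    """Anti-pattern: a dict merge lets the caller's own tenant_id key overwrite ours."""
    return {"tenant_id": tenant_id, **user_filter}


def matches(doc: dict, flt: dict) -> bool:
    """Minimal evaluator for the MongoDB filter subset used here ($and, $in, equality)."""
    for key, cond in flt.items():
        if key == "$and":
            if not all(matches(doc, c) for c in cond):
                return False
        elif isinstance(cond, dict) and "$in" in cond:
            if doc.get(key) not in cond["$in"]:
                return False
        elif doc.get(key) != cond:
            return False
    return True


def find(docs: list, principal: Principal, tenant_id: str, user_filter: dict) -> list:
    """Return the _ids visible to `principal` for `tenant_id`, in storage order."""
    flt = scope_filter(principal, tenant_id, user_filter)
    return [d["_id"] for d in docs if matches(d, flt)]
```

With the `$and` form, a filter that names another tenant still matches only the caller's own tenant; with the naive merge the same filter returns both tenants' records.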
All S3 buckets have public access blocks enabled at four levels (ACLs and policies, both new and existing). The only way to retrieve a document is through an authenticated, short-lived presigned URL issued by our backend.
Who else touches your data
We use the following sub-processors to operate the platform. Each operates under written agreements that restrict their use of customer data to providing services to us. We will provide reasonable advance notice on this page before adding new sub-processors that process customer data.
| Provider | Purpose |
|---|---|
| Amazon Web Services | Compute (ECS), object storage (S3), email delivery (SES), identity (Cognito) |
| MongoDB Atlas | Primary application database |
| Anthropic | Large language model API |
| Google (Gemini API) | Large language model API |
| LangSmith | LLM pipeline observability and tracing |
Authentication, sessions, and internal access
RiskRemedy uses AWS Cognito for identity. User accounts are created by tenant administrators; there is no public self-signup for the dashboard. TOTP-based multi-factor authentication is available to all users.
Access and ID tokens are short-lived, and refresh tokens expire daily, requiring regular re-authentication.
Production access is restricted to a minimal set of engineering staff under least-privilege IAM roles. We do not access customer documents except as needed to investigate a specific support request, security incident, or as required by law.
Reporting and disclosure
Please report security vulnerabilities to security@riskremedy.io. We commit to acknowledging reports within two business days and will not pursue legal action against researchers acting in good faith.
In the event of a confirmed security incident affecting your data, we will notify the relevant tenant administrators without undue delay, consistent with applicable law and the terms of your customer agreement. Our incident response process covers identification, containment, eradication, recovery, and post-incident review.
Certifications and posture
SOC 2 Type I is in progress. We're happy to share our auditor, scope, and target completion date under NDA — reach out via the procurement form below.
When processing customer data on behalf of a customer, RiskRemedy acts as a processor under GDPR and a service provider under CCPA. A Data Processing Addendum (DPA) is available on request.
Need documentation for procurement?
We make the following available on request, under NDA where appropriate: Data Processing Addendum (DPA), sub-processor list with change history, and a completed security questionnaire (SIG-Lite / CAIQ-Lite).
Last updated: May 26, 2026