1. Purpose
This policy describes how RiroTech LLC ("RioAsk", "we", "us") identifies, manages, and communicates data security incidents that may affect the personal data of our users. We are committed to transparency and timely notification in the event of a confirmed breach.
2. Scope
This policy applies to all personal data processed by RioAsk, including account information, usage data, uploaded documents, and payment metadata. It covers incidents involving unauthorized access, disclosure, alteration, or destruction of personal data.
3. Incident Classification
We classify security events into three severity levels:
| Severity | Definition | Example |
|---|---|---|
| Low | Security event with no confirmed data exposure | Failed brute-force attempts blocked by rate limiting |
| Medium | Potential exposure limited in scope or data sensitivity | Unauthorized access to non-sensitive metadata |
| High | Confirmed unauthorized access to personal data | Exposure of account details, documents, or prompt history |
4. Detection & Investigation
RioAsk employs multiple layers of monitoring to detect potential security incidents:
- Audit logging — all authentication events, data access, and administrative actions are recorded with timestamps and IP addresses
- Application monitoring — Azure Application Insights tracks anomalous request patterns and error rates
- Rate limiting & IP blocking — automated abuse detection with configurable thresholds
- Content moderation — AI-powered screening of submitted content for harmful material
When a potential incident is detected, our security team initiates an investigation to determine scope, affected data, root cause, and severity.
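As an added example (not RioAsk's own code), the following Python models the threshold-based detection this section describes: it replays constructed audit-log lines, counts failed logins per source IP inside a sliding window, and maps the outcome onto the severity levels from section 3. A burst of failures with no subsequent success is the "Low" case from the table (blocked brute force); a burst followed by a successful login from the same IP is treated as potential unauthorized access and triaged as "Medium" pending investigation. The JSON field names, event names, window and threshold are assumptions, not RioAsk's real log schema or settings.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (JSON lines); the schema is assumed, not RioAsk's.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:00Z", "event": "auth.login.failed",  "ip": "203.0.113.7",  "user": "alice"}
{"ts": "2024-05-01T10:00:05Z", "event": "auth.login.failed",  "ip": "203.0.113.7",  "user": "alice"}
{"ts": "2024-05-01T10:00:07Z", "event": "auth.login.failed",  "ip": "192.0.2.5",    "user": "carol"}
{"ts": "2024-05-01T10:00:10Z", "event": "auth.login.failed",  "ip": "203.0.113.7",  "user": "alice"}
{"ts": "2024-05-01T10:00:15Z", "event": "auth.login.failed",  "ip": "203.0.113.7",  "user": "alice"}
{"ts": "2024-05-01T10:00:20Z", "event": "auth.login.failed",  "ip": "203.0.113.7",  "user": "alice"}
{"ts": "2024-05-01T10:00:25Z", "event": "auth.login.failed",  "ip": "203.0.113.7",  "user": "alice"}
{"ts": "2024-05-01T10:01:00Z", "event": "auth.login.failed",  "ip": "198.51.100.9", "user": "bob"}
{"ts": "2024-05-01T10:01:02Z", "event": "auth.login.failed",  "ip": "198.51.100.9", "user": "bob"}
{"ts": "2024-05-01T10:01:04Z", "event": "auth.login.failed",  "ip": "198.51.100.9", "user": "bob"}
{"ts": "2024-05-01T10:01:06Z", "event": "auth.login.failed",  "ip": "198.51.100.9", "user": "bob"}
{"ts": "2024-05-01T10:01:08Z", "event": "auth.login.failed",  "ip": "198.51.100.9", "user": "bob"}
{"ts": "2024-05-01T10:01:30Z", "event": "auth.login.success", "ip": "198.51.100.9", "user": "bob"}
{"ts": "2024-05-01T10:02:00Z", "event": "auth.login.failed",  "ip": "192.0.2.5",    "user": "carol"}
"""

FAIL_THRESHOLD = 5             # hypothetical "configurable threshold": failures per IP per window
WINDOW = timedelta(minutes=1)  # hypothetical sliding window


def parse_events(raw):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def triage(raw, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {ip: severity} for every source IP that crossed the failure threshold.

    'Low'    -> burst of failures, no later success from that IP (blocked brute force)
    'Medium' -> burst followed by a successful login from the same IP inside the window
                (potential unauthorized access; needs investigation, not yet confirmed)
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    burst_at = {}                # ip -> time the threshold was first crossed
    severity = {}
    for ev in parse_events(raw):
        ip, ts = ev["ip"], ev["ts"]
        q = recent[ip]
        while q and ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if ev["event"] == "auth.login.failed":
            q.append(ts)
            if len(q) >= threshold and ip not in burst_at:
                burst_at[ip] = ts
                severity[ip] = "Low"
        elif ev["event"] == "auth.login.success":
            if ip in burst_at and ts - burst_at[ip] <= window:
                severity[ip] = "Medium"
    return severity


if __name__ == "__main__":
    for ip, level in triage(SAMPLE_LOG).items():
        print(f"{ip}: {level}")
```

On the constructed log, 203.0.113.7 trips the threshold and stays at Low, 198.51.100.9 trips it and then logs in successfully, so it is raised to Medium for investigation, and 192.0.2.5 never accumulates enough failures inside one window to alert at all. The severity assigned here is only a starting point for the investigation step described above; confirming actual data access (the "High" case) requires correlating the successful login with the data-access and administrative audit events, not just the authentication events.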
5. Notification Commitment
In the event of a confirmed data breach that affects your personal data, we commit to:
- 72-hour notification — we will notify affected users via email within 72 hours of confirming a breach. This is a RioAsk commitment and is stricter than GDPR Article 34, which requires communicating a breach to affected individuals without undue delay when it is likely to result in a high risk to their rights and freedoms.
- Regulatory notification — we will notify relevant data protection authorities as required by applicable law. Under GDPR Article 33 this means notifying the competent supervisory authority within 72 hours of becoming aware of the breach (not of confirming it), unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
- Ongoing updates — we will provide follow-up communications as the investigation progresses and remediation is completed
6. Notification Contents
Our breach notification will include:
- A description of the nature of the breach
- The categories and approximate volume of data affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
- Recommendations for affected users (e.g., password reset, monitoring)
- Contact information for our security team
7. Containment & Remediation
Upon confirming a breach, we take immediate action to:
- Isolate affected systems to prevent further exposure
- Revoke compromised credentials or API keys
- Suspend affected accounts or organizations if necessary
- Preserve forensic evidence for investigation
- Deploy patches or configuration changes to address the vulnerability
- Conduct a post-incident review to prevent recurrence
8. Enterprise Customers
Enterprise and Teams customers with active subscriptions receive:
- Dedicated notification to the organization's designated security contact
- Detailed incident report available upon request
- Participation in post-incident review if applicable
Enterprise customers may request our full Incident Response Plan under NDA as part of their security review process.
9. Your Responsibilities
We encourage all users to support account security by:
- Using strong, unique passwords
- Enabling two-factor authentication when available
- Reporting suspicious activity to security@rioask.ai
- Keeping account contact information up to date
10. Contact
To report a security vulnerability or suspected breach, contact us at:
RiroTech LLC — Security Team
Email: security@rioask.ai
We acknowledge all security reports within 24 hours and aim to provide an initial assessment within 48 hours.