Security

Enterprise-Grade Security

Security built into every layer of the system. From encryption to access control to data deletion — designed for teams that need compliance-ready AI infrastructure.

TLS 1.3 · AES-256 · RBAC · GDPR/CCPA · 99.9% SLA

Security Infrastructure

🔒 Encryption in Transit

TLS 1.3 for all connections. HTTPS enforced across all endpoints. No unencrypted data transfer.

🛡️ Encryption at Rest

AES-256 encryption for all sensitive data. Database storage encrypted at the volume level.

🚫 Zero Training Policy

Your prompts, questions, and documents are never used to train any model — ours or any third party’s. Ever.

👤 Data Isolation & RBAC

Multi-tenant architecture with org-scoped boundaries. Role-based access: Owner, Admin, Member. Data never leaks between organizations.

📋 Audit Logging

Every action logged with timestamps, user context, and request metadata. 90-day default retention, configurable on Enterprise plans.

🗑️ Data Deletion

Delete your data anytime — individual prompts, full history, or complete account. No minimum retention period. GDPR/CCPA compliant.

Hosting & Infrastructure

  • Cloud provider. Hosted on Azure with isolated environments and region-level control.
  • Data residency. Primary data stored in US regions. EU data residency available on Enterprise plans.
  • Network isolation. Application and database layers run in isolated virtual networks with restricted ingress.
  • Model subprocessors. AI providers act as subprocessors and do not retain prompts or responses beyond request execution.
  • Backups. Encrypted backups with regular recovery testing. Point-in-time restore capability.
  • Data retention. Customer data retained only for active accounts. Deleted upon request or account closure. No minimum retention period.
  • Monitoring. Continuous infrastructure monitoring with anomaly detection and automated alerting across all production systems.
  • Availability. 99.9% uptime SLA on Enterprise plans. Multi-region failover and automated recovery procedures.

Identity & Access Control

  • RBAC. Organization-scoped roles: Owner, Admin, Member. Granular permission control per resource.
  • API key management. Org-scoped API keys with rotation support and per-key usage tracking.
  • SSO. Enterprise SSO (SAML/OIDC) available on Enterprise plans.
  • MFA. Multi-factor authentication supported for all accounts.

Content Moderation

Every input is screened before processing. Content is checked against multiple harm categories, evaluated in severity order:

  1. Self-harm (highest priority)
  2. Violence
  3. Hate speech
  4. Illegal activity
  5. Sexual content
  6. Profanity

Legitimate medical and scientific terms are recognized and not blocked. Enterprise admins can define custom content policies for their organization.

Honesty About Uncertainty

Every prepared prompt includes field-specific safety instructions that guide the AI to acknowledge uncertainty rather than make things up:

  • Medical prompts — evidence-based response requirements and professional consultation disclaimers.
  • Legal prompts — jurisdictional caveats and limitations of AI-generated legal analysis.
  • Financial prompts — investment disclaimers and risk acknowledgment language.

Incident Response

Documented incident response process with defined severity levels and response timelines. Breach notification within 72 hours as required by GDPR.

Full details available in our Data Breach Notification Policy.

Compliance Readiness

Framework   Status    Details
GDPR        Ready     Data deletion, export, consent management, DPA available
CCPA        Ready     Right to delete, right to know, opt-out support
SOC 2       Roadmap   Type II certification planned for 2026

Safety Before the AI Responds

Most AI governance focuses on filtering what the AI says after it responds. RioAsk adds safety before any AI model is asked — structured preparation with safety protections, field-specific policies, and quality checks provide a control point independent of whichever AI you use.

Security you can verify. Read our privacy policy, DPA, and our approach page for full details.