Security at Remedy

Enterprise-grade security built into every layer of the Remedy platform — because a GRC platform must be held to the highest security standards.

Effective / Last Updated: March 10, 2026 | RiskCognition Corporation | Suite 301, 100 Enterprise Drive, Rockaway, NJ 07866 USA

Security is foundational to everything we build at Remedy. As a platform trusted by compliance and risk professionals to manage sensitive enterprise data, we apply rigorous technical and organizational controls across our infrastructure, application, and operations layers.

  • Encryption: AES-256 at rest · TLS 1.3 in transit
  • SOC 2 Type II: Audited annually by independent auditors
  • ISO 27001: Certified information security management
  • 99.9% Uptime SLA: Enterprise-grade availability guarantee
  • Pen Testing: Annual third-party penetration testing
  • 24/7 Monitoring: Continuous threat detection and alerting

Infrastructure Security

Cloud Infrastructure

  • Hosted on Supabase (PostgreSQL) with enterprise-grade availability and redundancy.
  • Data centers are SOC 2 Type II and ISO 27001 certified.
  • Geographic data residency options available for enterprise customers.
  • Automated daily backups with point-in-time recovery up to 30 days.
  • Disaster recovery with RPO < 1 hour and RTO < 4 hours.

Network Security

  • All data transmitted over TLS 1.3 with strong cipher suites.
  • Web Application Firewall (WAF) protecting all public endpoints.
  • DDoS protection and rate limiting on all APIs.
  • Network segmentation between production, staging, and development environments.
  • VPN-gated access to all internal management interfaces.

Application Security

Data Protection

  • Encryption at rest: All data encrypted with AES-256.
  • Encryption in transit: TLS 1.3 enforced on all connections.
  • SHA-256 evidence hashing: All audit evidence is cryptographically hashed for tamper detection.
  • Key management: Encryption keys managed with rotation policies.

Access Control

  • Row-Level Security (RLS): Enforced at the database layer — each tenant's data is completely isolated, even within a shared infrastructure environment.
  • Role-based access control (RBAC): Granular permissions across all 18 modules.
  • Multi-factor authentication (MFA): Required for all administrative access.
  • SSO integration: SAML 2.0 and OIDC support for enterprise identity providers.
  • Session management: Automatic timeout and token rotation.
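The following is an added illustration of what database-layer tenant isolation of the kind described above looks like in PostgreSQL (the engine behind Supabase), with a SHA-256 evidence digest column alongside it. It is not Remedy's schema; the table, column and session-setting names are assumptions.

```sql
-- Added example: per-tenant row isolation with PostgreSQL row-level security.
-- Illustrative only; the table, columns and the app.tenant_id setting are assumed names.

CREATE TABLE evidence (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid NOT NULL,
    file_name   text NOT NULL,
    sha256_hex  char(64) NOT NULL   -- tamper-detection digest of the stored evidence file
);

-- Constructed sample rows for two tenants, inserted before RLS is switched on.
INSERT INTO evidence (tenant_id, file_name, sha256_hex) VALUES
  ('11111111-1111-1111-1111-111111111111', 'soc2-bridge-letter.pdf', repeat('a', 64)),
  ('22222222-2222-2222-2222-222222222222', 'access-review-q1.csv',  repeat('b', 64));

-- Enable RLS and also FORCE it so the table owner is subject to the policy too.
-- Note: superusers and roles with BYPASSRLS always bypass policies, so the
-- application must connect as an ordinary role (granted SELECT/INSERT here).
ALTER TABLE evidence ENABLE ROW LEVEL SECURITY;
ALTER TABLE evidence FORCE ROW LEVEL SECURITY;

-- The application pins the caller's tenant per transaction:
--   SET LOCAL app.tenant_id = '<tenant uuid>';
-- current_setting(name, true) yields NULL rather than an error when unset, and a
-- NULL comparison fails the policy, so an unscoped session sees no rows at all.
CREATE POLICY tenant_isolation ON evidence
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)   -- reads
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);  -- writes

-- Check, run as a non-superuser role: within this transaction only tenant 1's
-- row is visible, and the insert tagged with tenant 2's id is rejected by the
-- WITH CHECK clause, so a compromised session cannot write into another tenant.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
SELECT file_name, sha256_hex FROM evidence;
INSERT INTO evidence (tenant_id, file_name, sha256_hex)
VALUES ('22222222-2222-2222-2222-222222222222', 'spoofed.txt', repeat('c', 64));
ROLLBACK;
```

Verifying the stored `sha256_hex` against a fresh digest of the evidence file on retrieval is what turns the column into tamper detection; the policy alone only controls who can read or write the row.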

Secure Development

  • Security requirements integrated into the software development lifecycle (SDLC).
  • Automated static application security testing (SAST) in CI/CD pipelines.
  • Dependency vulnerability scanning on every build.
  • Annual third-party penetration testing with remediation tracking.
  • Bug bounty program for responsible disclosure.

AI Security

Remedy's AI layer introduces additional security considerations that we take seriously:

  • Data isolation: Customer data is never used to train external AI models.
  • Prompt injection protection: Input sanitization and output validation on all AI agent interactions.
  • Model access controls: LLM API calls are proxied through our secure RemedyLLM layer — API keys are never exposed client-side.
  • Agent audit logging: Every AI agent action is logged in agent_run_logs with full input/output traceability.
  • Rate limiting: Per-agent rate limits (up to 500 events/hour) prevent runaway automation.

Operational Security

  • Background checks: All Remedy employees undergo background screening.
  • Security training: Annual security awareness training for all staff.
  • Least privilege: Employees access only the systems and data required for their role.
  • Vendor management: All sub-processors are reviewed for security posture before engagement.
  • Incident response: Documented IR plan with defined roles, escalation paths, and communication procedures.

Compliance Certifications

  • SOC 2 Type II
  • ISO 27001:2022
  • GDPR Compliant
  • CCPA Compliant
  • HIPAA Ready
  • FedRAMP Authorized (Roadmap)

Enterprise customers may request our SOC 2 Type II report and ISO 27001 certificate under NDA through our Contact page.

Vulnerability Disclosure

If you discover a security vulnerability in the Remedy platform, please disclose it responsibly. Submit your findings through our Contact page marked "Security Vulnerability Report." We will acknowledge receipt within 48 hours and aim to remediate critical findings within 30 days. We do not pursue legal action against researchers who act in good faith.

Contact

RiskCognition Corporation — Security Team
Suite 301, 100 Enterprise Drive, Rockaway, NJ 07866 USA
Website: www.goremedy.ai

Questions about this policy? Contact our Legal team.