
Security at Riposte
Riposte is engineered for regulated teams that expect uncompromising security. We operate as infrastructure software, never a downstream sub-processor—your data stays within your tenancy and only touches the mail servers you configure.
Your tenancy, your data
Riposte ships as infrastructure software—deployed in your environment, never operating as a downstream sub-processor.
Enterprise-grade data protection
Single-tenant deployment only exchanges traffic with the mail servers you approve, with encrypted transport, storage, and rigorous access governance.
Controls aligned to SOC 2
Policies, procedures, and evidence mapped to SOC 2 Type II criteria for rapid diligence without introducing new processors.
Built-in safeguards across the stack
Every Riposte deployment inherits layered controls so your team can meet regulatory, contractual, and customer commitments without handing data to an additional processor.
Identity & access management
Centralized SSO, enforced MFA, and automated onboarding/offboarding keep privileged systems locked down with no shared operator accounts.
- IdP-enforced MFA for all workforce access to production and admin tools.
- Role-based access provisioning with quarterly reviews and break-glass tracking.
- Service account secrets rotated through managed vaults and IaC—no Riposte-operated credentials in your environment.
Hardened infrastructure
Infrastructure-as-code baselines, automated patching, and continuous vulnerability scanning maintain a resilient perimeter inside your network.
- Golden AMIs and container images scanned before release with signed artifacts you control.
- Automated configuration drift detection across cloud resources.
- Nightly backups with quarterly restore testing for critical services.
Secure development lifecycle
Peer-reviewed code, dependency monitoring, and staged deployments reduce the chance of regressions reaching customers.
- Pull-request reviews required with automated testing gates in CI/CD.
- Static analysis and dependency scanning on each merge to main.
- Production changes traceable to tickets with documented approvals.
Operational excellence you can audit
Our control owners run recurring ceremonies and log evidence so you can verify safeguards are operating inside your tenancy all year long.
Monitoring & response
- Centralized log aggregation with alert routing to the on-call rotation—telemetry stays inside your tenancy.
- Documented incident response plan plus semi-annual tabletop exercises.
- Customer communications templated for rapid status updates during incidents.
Resilience & continuity
- Business impact analysis guides recovery objectives across hosted and self-managed services without transferring custody of customer content.
- Disaster recovery plan with failover runbooks reviewed and tested every six months.
- Backup and retention standards align to customer contractual commitments with encryption keys under your control.
People & third parties
- Background checks, security awareness training, and acceptable use acknowledgements for every employee.
- Vendor risk assessments ensure no analytics, marketing, or additional processors touch customer message data.
- Change-advisory board reviews for high-risk releases and production access requests.
Independent assurance & governance
Penetration testing, continuity exercises, and executive governance validate that Riposte delivers the platform without introducing extra data processors.
Quarterly risk & control reviews
The security steering committee documents quarterly reviews of the risk register, remediation milestones, and SOC 2 control alignment, with updates reported to leadership.
Semi-annual penetration testing
Third-party assessors execute infrastructure, application, and social engineering tests focused on the mail flow boundary, with tracked remediation and executive review.
Quarterly exercises
Tabletop scenarios, backup restores, and crisis communications rehearsals validate continuity without replicating customer data outside your tenancy.
Security documentation you can review
Our SOC 2 package includes the following policies, procedures, and templates. We share them under NDA so your security and legal teams can move quickly.
Governance & oversight
Exec-sponsored policies that define our security program, risk management cadence, and accountability.
- Information Security Policy (shared under mutual NDA): sets the overarching control framework and executive governance model.
- Compliance Management Policy (shared under mutual NDA): outlines compliance ownership, control monitoring, and reporting obligations.
- Risk Management Policy (summary available on this page): describes quarterly risk reviews, scoring methodology, and mitigation tracking.
- Roles & Responsibilities Matrix (shared under mutual NDA): maps leadership, engineering, and operations accountability across SOC 2 criteria.
Access & application security
Identity, change, and development controls that protect production environments and code.
- Access Control Policy (summary available on this page): defines least privilege, provisioning workflows, and quarterly reviews.
- Secure SDLC Policy (shared under mutual NDA): covers coding standards, peer review, automated testing, and release management.
- Change Management Policy (shared under mutual NDA): specifies approval, testing, and emergency change guardrails for infrastructure and application updates.
- Access Review Procedure (template shared on request): template and cadence for quarterly privileged access attestation.
Operations & detection
Monitoring, vulnerability management, and incident response runbooks that keep teams prepared.
- Security Monitoring & Logging Standard (summary available on this page): specifies log sources, retention targets, and alert triage expectations.
- Vulnerability Management Policy (shared under mutual NDA): establishes scanning cadence, severity SLAs, and remediation workflows.
- Incident Response Plan (table of contents shared on request): roles, severity matrix, and tabletop schedule for coordinated incident handling.
- Incident Report Template (template shared on request): structured evidence collection for internal post-incident reviews and customer updates.
Continuity, people, & vendors
Safeguards for resilience, workforce readiness, and the partner ecosystem supporting Riposte.
- Business Continuity & Disaster Recovery Plan (shared under mutual NDA): defines impact tiers, RTO/RPO targets, and failover playbooks.
- Backup & Recovery Policy (summary available on this page): documents backup scope, encryption requirements, and restoration testing cadence.
- Vendor Management Policy (shared under mutual NDA): due diligence lifecycle, contract requirements, and ongoing monitoring expectations.
- Security Awareness & Training Policy (summary available on this page): annual training requirements, phishing simulations, and disciplinary actions.
- Background Check Policy (shared under mutual NDA): pre-employment screening standards for employees and contractors.
- Business Impact Analysis Worksheet (template shared on request): template used to document process criticality and recovery requirements.
How to get in touch with our security team
Whether you need to complete a vendor assessment, coordinate a pen test, or disclose a bug, our security inbox is monitored by the same team that runs our compliance program.
Request the Riposte security briefing
Email [email protected] for our control summary, data flow diagrams, and diligence responses documenting the absence of downstream processors.
Report a vulnerability
We operate a coordinated disclosure program. Send suspected issues—especially around mail gateway boundaries—to [email protected] with supporting details for rapid triage.
Schedule a security review
Book time with our compliance lead for an architecture walkthrough focused on tenancy isolation and mail provider integrations.
Run Riposte in your cloud
Deploy the platform in Kubernetes, ECS, or bare metal and keep every message and calendar event inside your security boundary.