Security & trust at RiskABC

You are trusting us with your compliance program — control libraries, risk register, evidence, and policies. Here is how we protect that data without getting in your way.

Multi-factor authentication
TOTP-based MFA is available for every user. We require it on system administrator accounts and recommend it for all org admins and consultants.
  • Works with any standard authenticator app
  • QR-code enrolment with one-time recovery code
  • Required on all platform-wide admin accounts

Encryption everywhere
Your data is encrypted on the wire and on disk. Uploaded policy and evidence files are encrypted before they hit storage. Backups are encrypted before they leave the server.
  • TLS for every connection — public and internal
  • Database encrypted at rest
  • Uploaded files encrypted on disk per organization
  • Backups encrypted client-side before upload

Role-based access & tenant isolation
Seven distinct roles — from read-only auditor to org admin — let you give each person exactly the access they need. Every record is scoped to your organization at the database layer; there is no shared or cross-tenant data path.
  • Org Admin, Compliance Officer, Risk Manager, Evidence Owner
  • Auditor (read-only), Consultant, Privileged Consultant
  • External auditor seats are read-only and free
  • Cross-tenant access is impossible by design

Immutable audit trail
Every meaningful action is logged with the user, the time, and the source IP. Updates capture a field-level before / after snapshot — so you can see exactly what changed and what it was.
  • 10 action types covering create, update, delete, login, export
  • Field-level diff modal on every update
  • Logs are append-only — no edit, no delete
  • Failed logins captured with reason and source IP

Session security
Login sessions use short-lived signed tokens. A password change or admin-initiated reset invalidates every active session for that user immediately — not at the next refresh.
  • Short-lived signed access tokens
  • Password change kills all in-flight sessions
  • Tokens never persisted to browser storage

Backups & recovery
Database, identity keys, and TLS material are backed up on a Grandfather-Father-Son schedule and replicated to encrypted offsite storage. Every dump is encrypted before it leaves our server.
  • Daily, monthly, and yearly retention
  • Replicated to encrypted offsite storage
  • Restore tested — not assumed
  • Per-customer database backups available on request

Responsible disclosure
If you find a security issue, tell us privately first. We acknowledge every report and work in good faith on a fix and disclosure timeline.
  • Email: security@risk-abc.com
  • We will not pursue legal action against good-faith researchers
  • Public credit on request once a fix is shipped

This page is a high-level overview. Specific algorithms, key lengths, retention windows, and configuration details are shared on request, under NDA, with prospective and current customers.

Built to pass the same audits you run

RiskABC manages compliance programs for ISO 27001, CMMC, NIST 800-171, HIPAA, and SOC 2 customers. We hold ourselves to the same bar.