Security
Last Updated: April 22, 2026
1. Our Commitment
Ricord is infrastructure for your most sensitive work: the knowledge, conversations, and decisions that define how you and your team think. We treat security as a first-class product concern, not a checklist.
2. Infrastructure
- Hosted on Google Cloud (us-central1), running on fully-managed Cloud Run with automatic patching.
- All data encrypted in transit (TLS 1.2+) and at rest (AES-256, Google-managed keys).
- Production services isolated in a dedicated GCP project with least-privilege IAM.
- Secrets managed in Google Secret Manager; no credentials in source code or container images.
- Automated daily backups of primary datastores with point-in-time recovery.
3. Authentication & Access
- Firebase Authentication with Google SSO and email/password.
- API access gated by signed Firebase ID tokens; short-lived by design.
- Team plans enforce per-workspace scoping — team members cannot access each other’s private memory.
- All administrative access to production is logged and reviewed.
4. Data Handling
- Your data is yours. We never use customer memory or conversation content to train third-party models.
- Account deletion removes all stored knowledge, embeddings, and graph edges within 30 days.
- GDPR and CCPA data-subject requests (export, deletion, rectification) handled within 30 days. See the Privacy Policy.
- A Data Processing Agreement is available for Team and Enterprise customers. See the DPA.
5. Application Security
- Dependency vulnerability scanning on every build.
- Content-Security-Policy, HSTS, and secure-cookie headers on all web surfaces.
- Rate limiting and abuse detection on public API endpoints.
- Input validation and output encoding at every trust boundary.
6. Compliance & Controls
Ricord is designed to support GDPR and CCPA obligations out of the box. SOC 2 Type II certification is on our roadmap; in the interim, the following controls are in effect today and available for review by enterprise buyers under NDA.
| Domain | Control |
|---|---|
| Access | Least-privilege IAM; all production access is MFA-gated and logged. |
| Change management | Every production change ships through reviewed CI/CD; no direct-to-prod. |
| Vulnerability management | Automated dependency scanning on every build; critical CVEs patched within 7 days. |
| Incident response | Documented runbook; security@ricord.ai on-call; customer notification within 72 hours of a confirmed material incident. |
| Backup & recovery | Daily automated backups of primary datastores; tested quarterly. |
| Business continuity | Multi-zone Cloud Run deployment; stateless services; regional failover plan. |
| Subprocessors | Current list: Google Cloud (hosting), Firebase (auth), Stripe (billing). Full list available on request. |
| Data residency | All production data stored in US-central region. EU residency available on Team and Enterprise plans. |
Enterprise buyers can request our current security questionnaire responses (SIG Lite / CAIQ) by emailing security@ricord.ai.
7. Responsible Disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability, please email security@ricord.ai with a clear description, reproduction steps, and impact. Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and respond.
We commit to acknowledging your report within 3 business days, providing a triage update within 10 business days, and crediting researchers who responsibly disclose valid findings.
8. Contact
Security questions, audit requests, or DPA requests: security@ricord.ai