Security

Last Updated: April 22, 2026

1. Our Commitment

Ricord is infrastructure for your most sensitive work: the knowledge, conversations, and decisions that define how you and your team think. We treat security as a first-class product concern, not a checklist.

2. Infrastructure

  • Hosted on Google Cloud (us-central1), running on fully-managed Cloud Run with automatic patching.
  • All data encrypted in transit (TLS 1.2+) and at rest (AES-256, Google-managed keys).
  • Production services isolated in a dedicated GCP project with least-privilege IAM.
  • Secrets managed in Google Secret Manager; no credentials in source code or container images.
  • Automated daily backups of primary datastores with point-in-time recovery.

3. Authentication & Access

  • Firebase Authentication with Google SSO and email/password.
  • API access gated by signed Firebase ID tokens; short-lived by design.
  • Team plans enforce per-workspace scoping — team members cannot access each other’s private memory.
  • All administrative access to production is logged and reviewed.

4. Data Handling

  • Your data is yours. We never use customer memory or conversation content to train third-party models.
  • Account deletion removes all stored knowledge, embeddings, and graph edges within 30 days.
  • GDPR and CCPA data-subject requests (export, deletion, rectification) are handled within 30 days. See the Privacy Policy.
  • A Data Processing Agreement is available for Team and Enterprise customers. See the DPA.

5. Application Security

  • Dependency vulnerability scanning on every build.
  • Content-Security-Policy, HSTS, and secure-cookie headers on all web surfaces.
  • Rate limiting and abuse detection on public API endpoints.
  • Input validation and output encoding at every trust boundary.

6. Compliance

Ricord is designed to support GDPR and CCPA obligations out of the box. SOC 2 Type II certification is on our roadmap; in the interim, enterprise customers can request our security questionnaire responses and current controls summary.

7. Responsible Disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability, please email security@ricord.ai with a clear description, reproduction steps, and impact. Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and respond.

We commit to acknowledging your report within 3 business days, providing a triage update within 10 business days, and crediting researchers who responsibly disclose valid findings.

8. Contact

Security questions, audit requests, or DPA requests: security@ricord.ai