Trust

Security at Riffs.

Built for importers who require trust, transparency, and the highest standards of data protection.

Riffs is designed with security and compliance at the core. We follow industry best practices for protecting importer data, ensuring confidentiality, integrity, and availability across our platform.

01 · Our Commitment

Our Commitment

We work with independent auditors, security partners, and legal experts to validate that our systems meet strict requirements. Security is not a feature. It's a precondition for serving importers who handle sensitive trade data, customer relationships, and financial flows.

02 · Certifications & Audits

Certifications & Audits

SOC 2 Type II Audit in progress

Riffs is actively undergoing an independent SOC 2 Type II audit with a certified third-party auditor. This audit validates that our controls for security, availability, and confidentiality are designed and operating effectively. We will update this page and publish our SOC 2 report once the audit is finalized.

GDPR Aligned

Riffs maintains operational practices aligned with the principles of GDPR, including data minimization, transparency, and user rights. While not required to be GDPR-certified, our data handling processes follow the world's most stringent privacy guidelines.

Business Continuity

Documented business continuity and disaster recovery processes, with regular testing of failover and restore procedures.

03 · Security Program

Security Program Overview

Our security program includes:

  • Continuous monitoring and alerting across infrastructure and application layers
  • Regular vulnerability scanning and penetration testing
  • Mandatory secure-development training for all engineering staff
  • Code review and approval requirements for all production changes
  • Documented incident response procedures with on-call rotation
  • Annual third-party security assessments

04 · Infrastructure

Enterprise-Grade Infrastructure

Riffs is hosted on AWS, leveraging security-hardened cloud environments whose certifications (ISO 27001, SOC 2, PCI DSS, among others) are held at the AWS level.

Data in transit

TLS 1.2+ encryption for all data flowing in and out of the Platform.

Data at rest

AES-256 encryption applied to all stored Customer Data, including backups.

05 · Access Controls

Access Controls

  • SSO + MFA enforcement for all employee access to production systems
  • Principle of least privilege: engineers and operators receive only the access required for their role
  • Continuous activity logging of all administrative actions
  • Quarterly access reviews with automatic deprovisioning on role change or departure

06 · Data Processing

Data Processing Addendum (DPA)

Riffs offers a standard Data Processing Addendum (DPA) for customers requiring formal contractual data protection terms. Our DPA covers controller-processor obligations, sub-processor management, security measures, breach notification, and international data transfer mechanisms.

Request a DPA at security@tryriffs.com.

07 · Trust Center

Trust Center

We provide the following documentation on request:

  • SOC 2 Type II report (once available)
  • Security questionnaire responses (CAIQ, SIG)
  • Penetration test summary
  • Architecture and data-flow diagrams
  • Sub-processor list