At Riff, protecting your data is our top priority. Privacy, security, and compliance are built into our product from day one. We combine proactive safeguards, transparent processes, and user controls to make sure your data stays safe.
Compliance and Certifications
Riff follows best-in-class security practices and meets internationally recognised standards:
SOC 2 Type II – Independent audit confirming controls for security, availability, and confidentiality.
ISO 27001 – Certified against international information security management standards.
GDPR & UK GDPR – Fully compliant with European and UK data privacy regulations.
PCI DSS – All payments are processed securely via Stripe, certified as a PCI Level 1 Service Provider.
Penetration testing – Regular third-party security assessments using industry best practices.
Identity and Access Management
We provide robust identity controls and admin features to keep accounts secure:
Single Sign-On (SSO): Integration with Azure AD, Okta, Google, or OpenID providers.
SAML & SCIM: Automated user provisioning and enterprise identity management.
Multi-Factor Authentication (MFA): Required for all user accounts.
Role-based permissions: Restrict access to sensitive functions.
Data Encryption and Backups
Your data is protected with strong encryption and resilient backups:
Encryption at rest: All data and backups secured with AES-256.
Encryption in transit: TLS 1.2 for all browser–server communications.
SSL security: A+ rated with HSTS enabled via Azure.
Automated backups:
Weekly backups retained for 1 month
Monthly backups retained for 1 year
Yearly backups retained for 2 years
Point-in-time recovery available for 7 days
AI and Your Data
Riff uses AI tools to help analyse data, but your privacy remains protected:
Your data is never shared across customers and is not used to train models outside your account.
All AI features follow the same encryption and compliance standards as the rest of Riff.
Disaster Recovery and Business Continuity
We have detailed recovery and continuity plans to minimise disruption:
Recovery Point Objective (RPO): 12 hours
Recovery Time Objective (RTO): 24 hours
Critical systems (servers, databases) restored first
Plans rehearsed regularly with updates applied as needed
Cloud-first infrastructure ensures operations can continue remotely if offices are unavailable
Data Retention and Deletion
Customers can request data deletion at any time, unless legally restricted.
After subscription cancellation, you have 30 days to download your data. After that, Riff may delete all customer data.
Logging, Monitoring, and Vulnerability Management
Riff continuously monitors for threats and enforces secure development practices:
Logging: Security-relevant events, privileged account activity, and firewall traffic.
Monitoring: Alerts for unusual behaviour.
Vulnerability management: Code reviews, automated scanning, penetration testing, and secure-by-default infrastructure.
Employee and Vendor Security
We secure both our team and our partners:
Employee screening: Background checks before joining Riff.
Security training: Onboarding plus annual refreshers.
Endpoint protection: Encryption, firewalls, antivirus, and monitoring on staff devices.
Vendor management: Vendors must meet standards such as SOC 2 or ISO 27001. They are reviewed regularly, with contingency plans in place for outages.
Incident Response and Data Breach Handling
Riff has a documented Incident Response Plan (IRP), rehearsed annually.
Customers are notified without undue delay if a breach occurs.
Updates are shared until the issue is resolved.
Our IRP includes escalation, containment, remediation, and root cause analysis.
To date, Riff has not experienced a data breach.
Data Ownership and Privacy
Customer Data: Anything you upload (e.g., analysis, transactions). You own it.
Account Information: Details such as names, billing info, and login credentials. Managed under Riff’s Privacy Policy.
Vendors handling personal data must follow the same security and privacy standards as Riff.
Infrastructure and Hosting
Riff is hosted on Microsoft Azure, with ISO 27001 / SSAE 18 certified data centres.
Primary hosting in Australia
Azure physical security controls
Optional hosting in other regions for businesses with data sovereignty requirements
Business Continuity
Riff’s Business Continuity Plan ensures operations can continue even during service outages.
Cloud-first design means staff can work securely from anywhere.
The plan is reviewed annually, with lessons learned after each rehearsal.
Data Breach Definition and Notification
A data breach means sensitive data has been accessed, disclosed, or used in a way not permitted by privacy law.
If a breach occurs:
Customers are notified promptly via email and phone (if available).
Regular updates are provided until resolved.
Our Commitment
At Riff, we maintain the highest security standards to protect our customers, our team, and our systems. From encryption and compliance to staff training and vendor management, security is embedded into everything we do.
If you have questions about Riff’s data protection practices, please contact us at support@letsriff.ai.