Trust & Security Center

Security Practices

Industry-leading security controls and monitoring

• Encryption: AES-256 at rest, TLS 1.3+ in transit
• Access Controls: Role-based access with MFA enforcement
• Monitoring: 24/7 security monitoring and incident response
• Penetration Testing: Annual third-party security assessments
• Vulnerability Management: Automated scanning and patch management

Infrastructure Security

Enterprise-grade cloud infrastructure

• SOC 2 Type II Infrastructure: Operates on Supabase's SOC 2 Type II certified infrastructure (report available upon request)
• AWS Security: Multi-region redundancy and DDoS protection
• Database Security: Automated backups with point-in-time recovery
• Network Isolation: VPC isolation and private networking
• 99.9% Uptime SLA: Highly available architecture

Compliance & Privacy

Meeting global data protection standards

• GDPR Compliant: Full compliance with EU data protection regulations
• CCPA Compliant: California Consumer Privacy Act adherence
• Standard Contractual Clauses: EU-approved data transfer mechanisms
• Data Processing Agreement: Available for Business/Enterprise customers
• Privacy by Design: Data minimization and purpose limitation
• 72-Hour Breach Notification: Prompt notification of security incidents

Healthcare Industry Clarification

Important Note for Healthcare Organizations:

RRR is a vendor risk assessment platform that analyzes publicly available information about third-party vendors. We do NOT:

• Process, store, or transmit Protected Health Information (PHI)
• Act as a Business Associate under HIPAA regulations
• Require a Business Associate Agreement (BAA) for use

Why This Matters:

• RRR analyzes vendor websites, documentation, and public policies
• We help you evaluate vendors BEFORE you share any PHI with them
• Your organization's PHI never enters the RRR platform
• Assessment data contains only vendor URLs and your evaluation preferences

If You Require a BAA: For organizations with specific compliance requirements that extend beyond our standard service scope, please contact enterprise@rrr.dev to discuss custom arrangements.

Data Scope & Processing

RRR does not process, store, or transmit Protected Health Information (PHI), payment card data (PCI), or other regulated sensitive data categories.

RRR is a vendor risk assessment platform that analyzes publicly available information about third-party vendors. We help organizations evaluate vendor security, privacy, and compliance postures before procurement decisions.

What we process: Vendor URLs, publicly available vendor documentation, your organization's assessment preferences, and user account information. We do not access, process, or store your customers' data, health records, financial transactions, or other sensitive business data.

Incident Response & Breach Notification

We maintain comprehensive incident response procedures:

• 72-Hour Notification: Written notification to affected customers within 72 hours of confirmed security incident
• Incident Details: Nature of the incident, data affected, remediation steps taken, and recommended customer actions
• Regulatory Compliance: Notifications comply with GDPR, CCPA, and other applicable data protection regulations
• Post-Incident Review: Root cause analysis and preventive measures shared with affected parties

Vulnerability Disclosure

Safe harbor for security researchers

• Responsible Disclosure Program: Safe harbor for good-faith research
• 48-Hour Response: Initial acknowledgment within 2 business days
• 90-Day Disclosure: Coordinated disclosure timeline

View Full Security Policy →

Security Resources

Legal & Compliance Documents

• Privacy Policy
• Terms of Service
• AI Disclosure Addendum
• Cookie Policy
• Security Policy
• Data Processing Agreement (DPA) (PDF)

Security Contacts

• Report a Vulnerability: security@rrr.dev
• Data Protection Officer: privacy@rrr.dev
• Data Processing Agreement: View DPA | Download PDF
• Security.txt: https://rrr.dev/.well-known/security.txt

Sub-Processors & Service Providers

Last updated: December 9, 2025

We work with trusted third-party service providers who are bound by strict data protection obligations. We notify customers of material sub-processor changes with at least 30 days advance notice.

Infrastructure

• Supabase (SOC 2 Type II)
• AWS (SOC 2, ISO 27001)
• Lovable.dev (SOC 2 Type II, ISO 27001)
• GitHub (SOC 2 Type II, ISO 27001)

AI & Analysis

• OpenAI (GPT-5 models)
• Google (Gemini models)
• Firecrawl
• Trigger.dev

Business Operations

• Stripe (PCI DSS Level 1)
• Resend
• PDFShift
• Google reCAPTCHA

For the complete list of sub-processors and their purposes, see our Privacy Policy.