RiskWatch

Security at RiskWatch

How we secure your compliance program data: audited, encrypted, and answerable.

RiskWatch holds the same kind of evidence our customers trust us to manage on their behalf: assessment scores, control attestations, regulator-facing artifacts, and the personal data that backs them up. We protect it the same way our customers expect their auditors and regulators to protect their data: independently audited (SOC 2 Type II, ISO/IEC 27001:2022), encrypted in transit and at rest, segmented by tenant, and operated under documented incident-response and disclosure SLAs.

Trusted with sensitive compliance evidence by regulated customers across financial services, healthcare, government contractors, oil and gas, and manufacturing, and reviewed annually by independent auditors against SOC 2 Trust Services Criteria and ISO/IEC 27001:2022 Annex A controls.

  • G2: 4.7 (120+ reviews)
  • Capterra: 4.7 (80+ reviews)
  • Gartner Peer Insights: 4.6 (60+ reviews)

Compliance certifications

Independently audited against the frameworks our customers run.

RiskWatch is the platform our customers use to evidence compliance to their own auditors and regulators. We are audited the same way. SOC 2 Type II covers ongoing operating effectiveness, not just design. ISO/IEC 27001:2022 includes the new Annex A controls. HIPAA and GDPR alignment is documented in our control matrix and reviewed during the SOC 2 examination.

01

SOC 2 Type II

Active

Security · Availability · Confidentiality

Annual Type II examination performed under AICPA SSAE 18 covering the Security, Availability, and Confidentiality Trust Services Criteria. Type II report describes the operating effectiveness of controls over a 12-month observation window.

Last audited: issued Q1 2026, observation window Jan 2025 to Dec 2025
Next cycle: next examination Q1 2027
Auditor: issued by an AICPA-registered independent CPA firm
02

ISO/IEC 27001:2022

Certified

Information Security Management System

Certified to the 2022 revision of ISO/IEC 27001 covering the full Annex A control set (93 controls across 4 themes) for the RiskWatch SaaS platform and supporting corporate functions. Three-year certification cycle with annual surveillance audits.

Last audited: initial certification 2024, most recent surveillance audit 2025
Next cycle: next surveillance 2026, recertification 2027
Auditor: issued by an ANAB / UKAS-accredited registrar
03

HIPAA-aligned

BAA available

Administrative · Physical · Technical safeguards

RiskWatch operates under a documented HIPAA control mapping covering 45 CFR 164 Subparts C (Security Rule) and E (Privacy Rule, as applicable to business-associate functions). Business Associate Agreements (BAAs) are available for customers using RiskWatch to manage HIPAA programs. HIPAA controls are reviewed within the SOC 2 Type II observation.

Last audited: HIPAA control matrix last reviewed 2025
Next cycle: reviewed annually inside the SOC 2 examination
Auditor: aligned to HHS HIPAA Security Rule guidance
04

GDPR-aligned

DPA + SCCs available

Articles 28, 30, 32, 33 · EU residency

RiskWatch acts as a processor for customer personal data and complies with GDPR processor obligations under Article 28 (DPA terms), Article 30 (records of processing), Article 32 (security of processing), and Article 33 (breach notification). Standard Contractual Clauses (2021/914) attached to the DPA for any non-EU data flow. EU customers can elect EU-Frankfurt residency at provisioning.

Last audited: DPA + SCCs last refreshed 2025
Next cycle: reviewed annually inside the ISO 27001 surveillance audit
Auditor: aligned to EDPB guidelines on Articles 28 and 32

Customers and prospects under NDA can request the SOC 2 Type II report, ISO 27001 certificate + statement of applicability, and the most recent penetration-test executive summary at security@riskwatch.com.

Security architecture

Defense-in-depth, encryption, identity, isolation, recovery.

Six controls do most of the work in any modern SaaS security review. Below is exactly how RiskWatch implements each one. Every layer is covered in the SOC 2 Type II report and tested in the annual third-party penetration test.

01

Encryption: TLS 1.3 in transit, AES-256 at rest

Customer traffic to the RiskWatch application reaches us over TLS 1.3 with modern cipher suites only. Data at rest is AES-256 encrypted using AWS KMS-managed keys with customer-tenant scoping in the encryption envelope. Backups inherit the same key hierarchy.

  • TLS 1.3 enforced; TLS 1.0 and 1.1 disabled at the load balancer
  • AES-256-GCM at rest via AWS KMS, key rotation every 365 days
  • Application-level field encryption for assessment evidence and PII columns
  • Tenant data segmented with logical isolation; no shared row IDs across tenants
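The two bullets above that matter most in a review are the AES-256-GCM envelope and the tenant scoping inside it. The following is an added example, not RiskWatch's code, of what "customer-tenant scoping in the encryption envelope" means in practice: each field gets its own data-encryption key (DEK), the DEK is wrapped under a tenant-scoped key-encryption key (KEK), and the tenant ID is bound as GCM associated data on both layers, so a record copied or mislabelled across tenants fails to decrypt rather than leaking. The `KMS` type, its master-key derivation of per-tenant KEKs, and the `Envelope` layout are assumptions standing in for AWS KMS; a real deployment keeps the KEK inside the KMS boundary and only calls it to wrap and unwrap DEKs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is the stored form of one encrypted field. Both layers are
// AES-256-GCM and both bind the tenant ID as associated data (AAD), so the
// blob can only be opened inside the tenant context that wrote it.
type Envelope struct {
	TenantID   string
	WrappedDEK []byte // nonce || AES-256-GCM(KEK_tenant, DEK, aad=tenantID)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext, aad=tenantID)
}

// KMS stands in for the key-management service (assumption): one 32-byte
// master key, with per-tenant KEKs derived from it on demand.
type KMS struct{ master [32]byte }

func NewKMS() (*KMS, error) {
	k := &KMS{}
	if _, err := io.ReadFull(rand.Reader, k.master[:]); err != nil {
		return nil, err
	}
	return k, nil
}

// tenantKEK derives a 256-bit tenant-scoped KEK as SHA-256(master || label || tenantID).
func (k *KMS) tenantKEK(tenantID string) []byte {
	h := sha256.New()
	h.Write(k.master[:])
	h.Write([]byte("tenant-kek:"))
	h.Write([]byte(tenantID))
	return h.Sum(nil)
}

// sealGCM returns nonce || ciphertext || tag using a fresh random 96-bit nonce.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to ciphertext, tag or AAD fails the open.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt generates a per-field DEK, encrypts the field under it, and wraps
// the DEK under the caller's tenant KEK.
func Encrypt(k *KMS, tenantID string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	aad := []byte(tenantID)
	wrapped, err := sealGCM(k.tenantKEK(tenantID), dek, aad)
	if err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	return &Envelope{TenantID: tenantID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt takes the tenant from the caller's authenticated context, never
// from the envelope label, so a cross-tenant record fails to unwrap.
func Decrypt(k *KMS, tenantID string, env *Envelope) ([]byte, error) {
	aad := []byte(tenantID)
	dek, err := openGCM(k.tenantKEK(tenantID), env.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK in tenant %q: %w", tenantID, err)
	}
	return openGCM(dek, env.Ciphertext, aad)
}

func main() {
	k, _ := NewKMS()
	env, _ := Encrypt(k, "tenant-a", []byte("CC6.1 attested by J. Doe")) // constructed sample
	pt, err := Decrypt(k, "tenant-a", env)
	fmt.Printf("same tenant: %q err=%v\n", pt, err)
	_, err = Decrypt(k, "tenant-b", env)
	fmt.Println("other tenant:", err)
}
```

Keying the KEK by tenant and binding the tenant ID as AAD are independent controls: the first stops a tenant's DEKs from being unwrapped under another tenant's key, the second catches a blob whose label was swapped even if the right key were somehow presented. Rotation (the 365-day cycle above) only has to re-wrap the small DEKs, not re-encrypt every field.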
02

Authentication: SSO, MFA, session controls

Customers can require SAML 2.0 SSO through any identity provider that supports the standard (Okta, Azure AD / Entra ID, Google Workspace, OneLogin, Ping). MFA is enforced for all administrative roles and available to every user. Session lifetimes and idle timeouts are tenant-configurable.

  • SAML 2.0 SSO with SP-initiated and IdP-initiated flows
  • TOTP, WebAuthn, and SMS MFA factors (SMS is fallback only)
  • MFA required for admin role; tenant policy can require it for all users
  • Configurable session lifetime and idle timeout; forced re-authentication for sensitive actions
03

Authorization: least-privilege RBAC

Every user is assigned to a role that scopes which assessments, evidence, and reports they can read or change. The role library ships with separation-of-duties templates (assessor, reviewer, approver) and customers can extend it. All authorization decisions are logged and surfaced in the audit trail.

  • Granular roles for assessor, reviewer, approver, auditor, viewer, and admin
  • Object-level permissions on assessments, evidence packages, and reports
  • Separation-of-duties enforced for assessment review and sign-off
  • Immutable audit trail of every read, write, role change, and permission grant
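To make the role, separation-of-duties and audit-trail bullets concrete, here is an added example (not RiskWatch's code) of an authorizer that checks the tenant boundary first, then the role grant, then separation of duties on the submit, review and approve chain, and logs every decision whether allowed or denied. The role names are the ones listed above; the exact action set per role, the idea that a user can hold several roles, and the `Advance` workflow helper are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

type Action string

const (
	ActRead    Action = "read"
	ActEdit    Action = "edit"
	ActSubmit  Action = "submit"  // assessor hands the assessment to review
	ActReview  Action = "review"  // reviewer signs off
	ActApprove Action = "approve" // approver gives final sign-off
	ActGrant   Action = "grant"   // admin changes roles or permissions
)

// rolePerms is a least-privilege grant table for the role names on the page.
// Assumption: the exact actions per role; a real role library is richer.
var rolePerms = map[string]map[Action]bool{
	"viewer":   {ActRead: true},
	"auditor":  {ActRead: true},
	"assessor": {ActRead: true, ActEdit: true, ActSubmit: true},
	"reviewer": {ActRead: true, ActReview: true},
	"approver": {ActRead: true, ActApprove: true},
	"admin":    {ActRead: true, ActGrant: true},
}

type User struct {
	ID, TenantID string
	Roles        []string // a user may hold several roles (assumption)
}

type Assessment struct {
	ID, TenantID                        string
	SubmittedBy, ReviewedBy, ApprovedBy string // filled in as the workflow advances
}

// AuditEntry records every decision, allowed or denied.
type AuditEntry struct {
	At               time.Time
	UserID, TenantID string
	Action           Action
	ObjectID         string
	Allowed          bool
	Reason           string
}

type Authorizer struct{ trail []AuditEntry }

// Authorize runs the checks and appends the outcome to the trail before returning.
func (a *Authorizer) Authorize(u User, act Action, obj *Assessment) error {
	err := a.decide(u, act, obj)
	reason := "allowed"
	if err != nil {
		reason = err.Error()
	}
	a.trail = append(a.trail, AuditEntry{At: time.Now().UTC(), UserID: u.ID, TenantID: u.TenantID,
		Action: act, ObjectID: obj.ID, Allowed: err == nil, Reason: reason})
	return err
}

func (a *Authorizer) decide(u User, act Action, obj *Assessment) error {
	// 1. Tenant boundary: an object outside the caller's tenant is treated as absent.
	if obj.TenantID != u.TenantID {
		return errors.New("object not found in caller tenant")
	}
	// 2. Role grant: any held role that permits the action suffices.
	granted := false
	for _, r := range u.Roles {
		if rolePerms[r][act] {
			granted = true
		}
	}
	if !granted {
		return fmt.Errorf("roles %v lack %q", u.Roles, act)
	}
	// 3. Separation of duties on the review and sign-off chain.
	switch act {
	case ActReview:
		if obj.SubmittedBy == "" {
			return errors.New("nothing submitted for review")
		}
		if obj.SubmittedBy == u.ID {
			return errors.New("SoD: submitter may not review own assessment")
		}
	case ActApprove:
		if obj.ReviewedBy == "" {
			return errors.New("assessment not yet reviewed")
		}
		if obj.SubmittedBy == u.ID || obj.ReviewedBy == u.ID {
			return errors.New("SoD: approver must differ from submitter and reviewer")
		}
	}
	return nil
}

// Advance performs a workflow step only after a successful authorization.
func (a *Authorizer) Advance(u User, act Action, obj *Assessment) error {
	if err := a.Authorize(u, act, obj); err != nil {
		return err
	}
	switch act {
	case ActSubmit:
		obj.SubmittedBy = u.ID
	case ActReview:
		obj.ReviewedBy = u.ID
	case ActApprove:
		obj.ApprovedBy = u.ID
	}
	return nil
}

// Trail returns a copy so callers cannot rewrite history.
func (a *Authorizer) Trail() []AuditEntry { return append([]AuditEntry(nil), a.trail...) }

func main() {
	a := &Authorizer{}
	asmt := &Assessment{ID: "asmt-42", TenantID: "acme"} // constructed sample
	dave := User{"dave", "acme", []string{"assessor", "reviewer"}}
	bob := User{"bob", "acme", []string{"reviewer"}}
	fmt.Println(a.Advance(dave, ActSubmit, asmt)) // <nil>
	fmt.Println(a.Advance(dave, ActReview, asmt)) // SoD denial
	fmt.Println(a.Advance(bob, ActReview, asmt))  // <nil>
	for _, e := range a.Trail() {
		fmt.Printf("%s %s %s allowed=%t (%s)\n", e.UserID, e.Action, e.ObjectID, e.Allowed, e.Reason)
	}
}
```

Two design points worth copying: the tenant check comes before the role check and returns a "not found" style error, so a cross-tenant probe learns nothing about whether the object exists; and separation of duties is enforced on the object's recorded history, not on role membership alone, which is what stops a user who legitimately holds both assessor and reviewer roles from reviewing their own submission.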
04

Data residency: US East and EU Frankfurt

Customers select a primary processing region at provisioning. Data, including backups, does not move out of that region for any reason short of a documented disaster-recovery scenario. EU customers stay in eu-central-1 (Frankfurt). US customers run in us-east-1 (N. Virginia) with optional cross-AZ replication.

  • Primary regions: AWS us-east-1 (N. Virginia) and AWS eu-central-1 (Frankfurt)
  • Backups encrypted and stored in-region; no cross-region replication by default
  • EU residency means EU storage and EU processing, including subprocessors
  • Data Processing Addendum names the chosen region as the contractual processing location
05

Backup and disaster recovery

Continuous database snapshots and point-in-time recovery within the primary region. Documented disaster-recovery runbook with annual restoration testing. Recovery objectives are published and reviewed during the SOC 2 Type II Availability examination.

  • RPO ≤ 1 hour for primary database, ≤ 24 hours for object storage
  • RTO ≤ 4 hours for application restoration in a same-region failover scenario
  • Daily encrypted backups retained 35 days; point-in-time recovery to any second within 7 days
  • Annual DR exercise restoring a synthetic tenant from cold backup; results reviewed by the SOC 2 auditor
06

Vulnerability management and pen testing

Continuous dependency scanning, weekly authenticated infrastructure scans, and an annual third-party penetration test against the production application and APIs. Findings are tracked to remediation in our internal RiskWatch tenant, using the same workflow customers use for their own programs.

  • Static application security testing (SAST) on every pull request
  • Software composition analysis (SCA) for every dependency, every build
  • Weekly authenticated infrastructure scans; quarterly external-only scans
  • Annual third-party penetration test by an independent CREST/OSCP-certified firm; executive summary available under NDA

Subprocessors

Every third party with access to customer data, listed by name.

GDPR Article 28 and most enterprise DPAs require us to publish the subprocessors that process customer personal data on our behalf. Below is the canonical list. Material changes (additions, removed processors, region changes) trigger written notice to enterprise customers in line with our DPA. The list is reviewed quarterly.

  • Purpose: cloud infrastructure (compute, managed database on RDS/PostgreSQL, object storage on S3, key management with KMS, networking, and identity for service-to-service auth).
    Data category: all customer data (assessments, evidence, attachments, audit logs, account metadata).
    Region: US-East-1 (N. Virginia) or EU-Central-1 (Frankfurt), per tenant election.

  • Purpose: subscription billing, payment processing, invoicing, and tax calculation. Card data is tokenized at Stripe; RiskWatch never stores PAN.
    Data category: billing contact details, company name, billing address, payment-method tokens. No assessment data.
    Region: global (Stripe is a PCI DSS Level 1 service provider).

  • Purpose: transactional email delivery (invitations, notifications, password resets, evidence-package share links).
    Data category: user email address, display name, and the body of the transactional email itself (which may reference assessment names).
    Region: United States (sender IPs in US-East).

  • Purpose: application performance monitoring, infrastructure metrics, log aggregation, and uptime alerting. Production logs are scrubbed of customer evidence content before egress.
    Data category: server logs, performance metrics, error traces with redacted user identifiers. No assessment evidence content.
    Region: Datadog US1 region (US-based ingestion); EU customers can request EU1 ingestion.

  • Purpose: source-code management, code review, build artifacts, and infrastructure-as-code change history for the RiskWatch platform. No customer data is stored in GitHub.
    Data category: RiskWatch employee identities, source code, build artifacts. No customer data.
    Region: United States.

Material changes to this subprocessor list (adding a new subprocessor with access to customer data, or changing a region) trigger 30-day advance written notice to customers under contract, in line with our standard Data Processing Addendum.

Responsible disclosure

How to report a security vulnerability to RiskWatch.

Security researchers play a meaningful role in keeping the RiskWatch platform safe for our customers. We don't currently operate a paid bug-bounty program, but we welcome and acknowledge good-faith reports, prioritize fixing them, and credit researchers who request it.

Acknowledgment SLA: 5 business days
Bug bounty: no paid program currently

How to report

Send vulnerability reports to security@riskwatch.com. If you'd like to encrypt your report, request our PGP key in the same message and we'll respond with the public key before you send sensitive details. Please include reproduction steps, affected URL or component, and any proof-of-concept material, but do not include actual customer data you may have accessed during testing.

What we commit to

RiskWatch will:

  • Acknowledge receipt within 5 business days of your initial report
  • Provide an initial triage and severity assessment within 10 business days
  • Keep you informed of remediation progress at reasonable intervals
  • Credit you publicly on a researcher acknowledgments page if you'd like, after the fix has shipped
  • Not pursue legal action for good-faith research that complies with this policy

In scope

The following are in scope for responsible disclosure:

  • *.riskwatch.com web application and authenticated areas
  • Public-facing API endpoints under api.riskwatch.com
  • RiskWatch authentication, session, and access-control mechanisms
  • Tenant isolation issues (cross-tenant data exposure)
  • Server-side vulnerabilities: injection, deserialization, SSRF, RCE

Out of scope

The following are explicitly out of scope and reports on these will be acknowledged but not actioned:

  • Denial-of-service testing of any kind, including volumetric, protocol, and application-layer DoS
  • Social engineering, phishing, or physical attacks against RiskWatch employees, contractors, or facilities
  • Findings on third-party services not operated by RiskWatch (subprocessors; report to them directly)
  • Vulnerabilities in software dependencies that RiskWatch has not yet had a reasonable window to patch
  • Issues requiring physical access to a user's device or non-default browser configuration
  • Self-XSS, missing security headers without demonstrated impact, missing best-practice configurations without exploitable consequence
  • Automated scanner output without manual verification

Safe harbor

We will not pursue civil action or initiate complaints to law enforcement for good-faith security research that complies with this policy. We consider activities in line with this policy to be authorized conduct under the Computer Fraud and Abuse Act, the DMCA, and similar laws in other jurisdictions. Please do not access more data than necessary to demonstrate the vulnerability, do not modify or delete data, and do not impact other customers.

Status and reports

Live status, audit reports, and pen-test summaries.

Production status is live at status.riskwatch.com. Independently issued reports (the SOC 2 Type II report, the ISO 27001 certificate, and the most recent penetration-test executive summary) are gated by a one-time mutual NDA. Request access and we'll deliver them within 5 business days.

View live system status
01
NDA-gated

SOC 2 Type II report

Full Type II examination report covering Security, Availability, and Confidentiality Trust Services Criteria. 12-month observation window. Includes auditor opinion, system description, control matrix, and tested controls with results.

Request SOC 2 report (NDA)
02
NDA-gated

ISO 27001:2022 certificate + SoA

ISO/IEC 27001:2022 certificate of registration issued by our accredited registrar, plus the Statement of Applicability mapping the 93 Annex A controls to our implementation status. Useful for procurement teams running ISO 27001-aligned vendor reviews.

Request ISO 27001 certificate
03
NDA-gated

Penetration-test executive summary

Annual third-party penetration test executive summary. Names the testing firm, scope of testing, methodology (OWASP, PTES), and remediation status of any identified findings. The full report (with reproduction details) is available under enterprise NDA.

Request pen-test summary
04
NDA-gated

Standard security questionnaires

Pre-completed responses to SIG (Standardized Information Gathering), CAIQ (Cloud Security Alliance Consensus Assessments Initiative Questionnaire), and CSA STAR Level 1 self-assessment. Save your security team a week of cycle time.

Request SIG / CAIQ / CSA STAR

All gated reports are delivered after a one-time mutual NDA. Existing customers under contract have NDA coverage already and can request reports through their account team.

Need our reports for your TPRM workflow?

Get our SOC 2, ISO 27001, SIG, and CSA STAR responses in days, not weeks.

RiskWatch is the platform our customers run their own third-party risk programs on. We know what your security team is going to ask, and we've already answered it. Talk to our team to scope the right report bundle for your review, or open a sales conversation if you're evaluating RiskWatch as a vendor.

Or call US: +1 941-500-4525

Request a Demo