Bank-grade data security, designed for financial compliance.
The data flowing through Riftbeacon is among the most sensitive in financial services — transaction records, SAR case files, customer identity data. We treat it accordingly: encryption at rest and in transit, immutable audit trails, and role-based access controls designed for multi-analyst compliance teams.
Layered security for regulated data
Encryption at rest & in transit
All data stored in Riftbeacon is encrypted at rest with AES-256-GCM, an authenticated mode that detects any modification of stored ciphertext as well as concealing its contents. All data in transit, including API calls, webhooks and database replication, uses TLS 1.3. Encryption keys are managed in AWS KMS with a separate key per customer, so data belonging to one customer cannot be decrypted under another customer's key.
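The per-customer key isolation described above is usually built as envelope encryption: each record is encrypted with its own random data key, and that data key is itself encrypted ("wrapped") by the customer's KMS key, with the customer identity bound in as additional authenticated data. The following Go program is an added illustration of that pattern and is not Riftbeacon's code. The `mockKMS` type, the customer names and the sample record are constructed for the example; a real deployment would call AWS KMS with an encryption context instead of holding key-encryption keys in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// mockKMS is a constructed stand-in for AWS KMS used only in this example:
// one 256-bit key-encryption key (KEK) per customer, held inside the "service"
// and never returned to callers, who only get wrap/unwrap operations.
type mockKMS struct {
	keks map[string][]byte // customer ID -> KEK
}

func newMockKMS(customers ...string) (*mockKMS, error) {
	k := &mockKMS{keks: map[string][]byte{}}
	for _, c := range customers {
		kek := make([]byte, 32) // AES-256 key
		if _, err := rand.Read(kek); err != nil {
			return nil, err
		}
		k.keks[c] = kek
	}
	return k, nil
}

func (k *mockKMS) kekFor(customer string) ([]byte, error) {
	kek, ok := k.keks[customer]
	if !ok {
		return nil, fmt.Errorf("no KEK for customer %q", customer)
	}
	return kek, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and binds aad to the result.
// Output layout: 12-byte random nonce || ciphertext || 16-byte tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per call; never reuse with the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to the ciphertext, tag or aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// WrapKey encrypts a data key under the customer's KEK. The customer ID is the
// AAD, playing the role of a KMS encryption context: the wrapped key will not
// unwrap under any other customer's context.
func (k *mockKMS) WrapKey(customer string, dataKey []byte) ([]byte, error) {
	kek, err := k.kekFor(customer)
	if err != nil {
		return nil, err
	}
	return seal(kek, dataKey, []byte(customer))
}

func (k *mockKMS) UnwrapKey(customer string, wrapped []byte) ([]byte, error) {
	kek, err := k.kekFor(customer)
	if err != nil {
		return nil, err
	}
	return open(kek, wrapped, []byte(customer))
}

// Record is what the datastore would hold: the wrapped data key travels with
// the ciphertext, so every decryption needs a KMS call under the right customer.
type Record struct {
	Customer   string
	WrappedKey []byte
	Ciphertext []byte
}

// EncryptRecord performs envelope encryption: a fresh 256-bit data key per
// record encrypts the payload, and only the wrapped form of that key is stored.
func EncryptRecord(kms *mockKMS, customer string, plaintext []byte) (*Record, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	wrapped, err := kms.WrapKey(customer, dataKey)
	if err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, plaintext, []byte(customer))
	if err != nil {
		return nil, err
	}
	return &Record{Customer: customer, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord succeeds only when the caller's customer matches the record's
// key context and neither the wrapped key nor the ciphertext has been altered.
func DecryptRecord(kms *mockKMS, customer string, r *Record) ([]byte, error) {
	dataKey, err := kms.UnwrapKey(customer, r.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, r.Ciphertext, []byte(customer))
}

func main() {
	kms, _ := newMockKMS("bank-a", "bank-b")
	rec, _ := EncryptRecord(kms, "bank-a", []byte("constructed sample: SAR case 42 narrative"))
	pt, err := DecryptRecord(kms, "bank-a", rec)
	fmt.Printf("same customer: %q err=%v\n", pt, err)
	_, err = DecryptRecord(kms, "bank-b", rec)
	fmt.Println("other customer:", err)
}
```

Two properties matter here: a record written for `bank-a` fails to decrypt for `bank-b` even though the service holds both keys, and a single flipped bit in the stored ciphertext is rejected rather than returning corrupted plaintext. Rotating the customer's KEK only requires re-wrapping the small data keys, not re-encrypting every record.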
Role-based access control
Granular RBAC with four standard roles: analyst (alert review), supervisor (case approval), BSA officer (SAR sign-off), and admin (user management). Custom roles available on Scale and Enterprise tiers. MFA enforced for all users.
Immutable audit trail
Every action, including alert review, case notes, SAR narrative edits and filing submissions, is written to an append-only audit log with a timestamp and the acting user's ID. Entries are never updated or deleted once written. Designed to satisfy FinCEN examiner evidence standards.
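An append-only log is only as good as an examiner's ability to confirm that nothing was edited or removed after the fact. One standard way to make that checkable is to hash-chain the entries: each record commits to the hash of its predecessor, so any edit, deletion or reordering breaks every link after it. The Go program below is an added example of that technique and is not a description of how Riftbeacon stores its audit log; the entry fields, user IDs and actions are constructed for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// genesisHash anchors the first entry; a verifier must know it out of band.
const genesisHash = "0000000000000000000000000000000000000000000000000000000000000000"

// AuditEntry is one recorded action. PrevHash links it to its predecessor and
// Hash commits to every field, so altering or removing any earlier entry
// changes every hash after it.
type AuditEntry struct {
	Seq      uint64
	Time     time.Time
	UserID   string
	Action   string
	Detail   string
	PrevHash string
	Hash     string
}

// canonical is the byte string that gets hashed. %q quotes each free-text field
// so a separator character inside a value cannot make two entries collide.
func (e AuditEntry) canonical() string {
	return fmt.Sprintf("%d|%s|%q|%q|%q|%s",
		e.Seq, e.Time.UTC().Format(time.RFC3339Nano), e.UserID, e.Action, e.Detail, e.PrevHash)
}

func hashOf(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// AuditLog exposes Append and read access only: there is no Update or Delete.
type AuditLog struct {
	entries []AuditEntry
}

func (l *AuditLog) Append(now time.Time, userID, action, detail string) AuditEntry {
	prev := genesisHash
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := AuditEntry{Seq: uint64(len(l.entries)), Time: now, UserID: userID, Action: action, Detail: detail, PrevHash: prev}
	e.Hash = hashOf(e.canonical())
	l.entries = append(l.entries, e)
	return e
}

// Entries returns a copy so callers cannot reach into the underlying slice.
func (l *AuditLog) Entries() []AuditEntry {
	return append([]AuditEntry(nil), l.entries...)
}

// Head is the hash of the latest entry. Storing it somewhere the log writer
// cannot reach (a signed checkpoint, a separate system) is what makes silent
// truncation from the end detectable; the chain alone cannot.
func (l *AuditLog) Head() string {
	if len(l.entries) == 0 {
		return genesisHash
	}
	return l.entries[len(l.entries)-1].Hash
}

// Verify recomputes every hash and link. It returns nil for an intact log and
// otherwise names the first entry at which the chain breaks. If expectedHead
// is non-empty the final hash must also match it, which catches truncation.
func Verify(entries []AuditEntry, expectedHead string) error {
	prev := genesisHash
	for i, e := range entries {
		if e.Seq != uint64(i) {
			return fmt.Errorf("entry %d: unexpected seq %d (entry removed or reordered)", i, e.Seq)
		}
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: prev hash does not match entry %d", i, i-1)
		}
		if hashOf(e.canonical()) != e.Hash {
			return fmt.Errorf("entry %d: contents do not match stored hash", i)
		}
		prev = e.Hash
	}
	if expectedHead != "" && prev != expectedHead {
		return fmt.Errorf("head mismatch: log ends at %s, expected %s", prev, expectedHead)
	}
	return nil
}

func main() {
	var al AuditLog
	base := time.Date(2026, 1, 15, 9, 0, 0, 0, time.UTC) // constructed timestamps
	al.Append(base, "analyst-7", "alert.review", "alert 1001 escalated to case 55")
	al.Append(base.Add(time.Minute), "supervisor-2", "case.approve", "case 55 approved")
	al.Append(base.Add(2*time.Minute), "bsa-1", "sar.file", "SAR for case 55 submitted")
	entries := al.Entries()
	fmt.Println("intact:", Verify(entries, al.Head()))
	entries[1].Detail = "case 55 rejected"
	fmt.Println("edited:", Verify(entries, al.Head()))
}
```

The caveat worth noting is the last check in `Verify`: a chain detects edits and deletions in the middle, but a log that is simply cut off after entry N still verifies unless the expected head hash is recorded somewhere the writer cannot alter. That external anchor, not the hashing itself, is what turns "append-only" into something an examiner can independently confirm.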
Data residency options
US data residency (AWS us-east-1) is standard for all plans. Enterprise tier offers EU-residency deployment (AWS eu-west-1) for institutions with cross-border obligations. Data never leaves your selected region without explicit configuration.
Penetration testing
Annual penetration tests are conducted by a third-party security firm; the executive summary is available to Enterprise clients under NDA. Riftbeacon API endpoints, the web application, and data access controls are in scope. Findings are remediated within a defined SLA based on severity.
SOC 2 controls in progress
SOC 2 Type II controls are designed and implemented. Audit engagement is underway with an AICPA-registered auditor. We expect to publish the audit report in Q3 2026. SOC 2 is an attestation, not a certification, and we will not describe Riftbeacon as SOC 2 Type II audited until the audit is complete and the report is issued.
Our approach to regulatory and security frameworks
| Framework / Standard | Status | Notes |
|---|---|---|
| SOC 2 Type II | In Progress | Controls implemented. Audit underway. Report expected Q3 2026. |
| AES-256 Encryption at Rest | Active | AWS KMS per-customer key isolation. All storage volumes encrypted. |
| TLS 1.3 Encryption in Transit | Active | All API and web traffic. TLS 1.1 and 1.2 disabled. |
| RBAC & MFA | Active | MFA enforced for all accounts. Role-based access control on all data. |
| Annual Penetration Test | Active | Third-party pentest annually. Results available under NDA to Enterprise clients. |
| Data Residency (US) | Active | All data stored in AWS us-east-1 by default. EU option: Enterprise only. |
| Vulnerability Disclosure Policy | Active | Responsible disclosure: [email protected]. Critical issues patched within 24h SLA. |
Security documentation available under NDA
Our security package — penetration test executive summary, control implementation details, and infrastructure overview — is available to Enterprise pilot clients under mutual NDA.