Security & compliance
How we handle your people's data, your company's IP, and the compliance paperwork that keeps InfoSec from blocking the PO.
Current practices
Encryption in transit + at rest
All traffic is served over TLS 1.2 or higher, using Let's Encrypt certificates fronted by Cloudflare. The database is encrypted at rest (AES-256) via Railway-managed Postgres.
Access control
Least-privilege IAM on Railway, Postgres, and Redis. Production access is gated by SSO plus a hardware security key. Audit logs are retained.
Data segregation
Enterprise customer data is segregated per engagement. We never commingle cohort data across customers. PHI stays in customer VPCs on request.
Incident response
24-hour notification SLA for security incidents affecting customer data. Runbooks rehearsed quarterly.
Compliance roadmap
- ✓ DPA available on request
  Standard Data Processing Agreement for EU/UK customers. Email legal@rugvailabs.com.
- ✓ HIPAA BAA on request
  For healthcare enterprise engagements. PHI never leaves your VPC in the enterprise deployment model.
- ~ SOC 2 Type II — in progress
  Audit engagement initiated. Targeting completion in the second half of 2026. An interim gap-assessment letter is available on request for procurement.
- ~ SSO (SAML / OIDC) — enterprise tier
  Available for enterprise engagements. Okta, Google Workspace, and Azure AD are supported.
Need the full security questionnaire filled out?
We regularly complete SIG-Lite, CAIQ, and vendor-specific forms. Send yours to security@rugvailabs.com and we will turn it around within 5 business days.