Security

Security and privacy are foundational to everything we build. This page outlines our principles, practices, and how to report vulnerabilities.

Security Principles

Privacy By Default

All user data is encrypted at rest and in transit. We collect only what is necessary to provide our services. We do not sell user data. We do not build advertising profiles.

Data Minimization

We limit data collection to the minimum required for functionality. Unused data is deleted. Access to user data is restricted to essential personnel only.

Secure By Design

Security is built into our ecosystems from the beginning, not added as an afterthought. We follow industry best practices for authentication, authorization, and data protection.

Transparency

Our security practices are documented openly. When incidents occur, we disclose them clearly and take action to prevent recurrence.

Edge Protection

We use Cloudflare for edge security and protection:

  • TLS Encryption — All traffic is encrypted using modern TLS protocols
  • Web Application Firewall (WAF) — Protection against common attack vectors
  • DDoS Mitigation — Automated protection against distributed denial-of-service attacks
  • Rate Limiting — Prevention of abuse and brute-force attempts
  • Security Headers — Implementation of best-practice HTTP security headers
  • Bot Protection — Filtering of malicious automated traffic

Application Security

Our ecosystems implement multiple layers of security:

  • Authentication — Secure user authentication with encrypted credentials
  • Authorization — Role-based access control to limit data exposure
  • Input Validation — All user input is validated and sanitized
  • Content Security Policy — Strict CSP rules to prevent injection attacks
  • Secure Storage — Sensitive data is encrypted before storage
  • Regular Updates — Dependencies and infrastructure are kept current

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a security issue in any of our ecosystems, please report it responsibly.

How To Report

Email security concerns to: legal@rifid.co

Include the following in your report:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact
  • Your contact information (optional)

What To Expect

  • We will acknowledge receipt within 48 hours
  • We will investigate and provide updates on our progress
  • We will work to resolve confirmed vulnerabilities promptly
  • We will credit responsible researchers (if desired) after resolution

Our Commitment

We will not pursue legal action against researchers who:

  • Report vulnerabilities in good faith
  • Avoid privacy violations and data destruction
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
  • Allow us reasonable time to address the issue before public disclosure

Important Notes

We do not currently hold third-party security certifications such as SOC 2 or ISO 27001. We are committed to security best practices and will pursue formal certifications as our organization grows.

For ecosystem-specific security details, please refer to the security documentation on each ecosystem's website.