
Security

Last Updated: January 1, 2025

  • SOC 2 Type II (Pending)
  • GDPR Compliant
  • Zero-Knowledge Architecture

1. Our Security Commitment

Security is foundational to Rial's design. We use industry-leading cryptographic techniques and security practices to protect your data and ensure the integrity of our verification services.

2. Cryptographic Security

2.1 Zero-Knowledge Proofs

  • Groth16: Industry-standard zk-SNARK construction for compact proofs
  • Halo2: Transparent, recursive proof system for complex transformations
  • Circom 2.0: Audited circuit compiler for proof generation
  • Privacy by Design: Proofs reveal nothing beyond the verified statement

2.2 Encryption

  • In Transit: TLS 1.3 for all network communications
  • At Rest: AES-256 encryption for stored data
  • End-to-End: Proof generation happens on-device
  • Key Management: Hardware-backed key storage (Secure Enclave, Android Keystore)

2.3 Hardware Security

  • iOS Secure Enclave: Private keys never leave device hardware
  • Android Keystore: Hardware-backed key attestation
  • App Attestation: Verifies app authenticity and integrity
  • Tamper Detection: Detects jailbroken/rooted devices

3. Infrastructure Security

3.1 Cloud Infrastructure

  • Provider: AWS (US-East-1, US-West-2 for redundancy)
  • Isolation: VPC with private subnets and security groups
  • Access Control: Principle of least privilege for all services
  • Monitoring: 24/7 intrusion detection and anomaly detection

3.2 Network Security

  • DDoS Protection: AWS Shield and Cloudflare
  • WAF: Web Application Firewall for API endpoints
  • Rate Limiting: Per-IP and per-account limits
  • Geo-Blocking: Optional geographic restrictions for enterprise

3.3 Database Security

  • Encryption: All databases encrypted at rest and in transit
  • Backups: Automated daily backups with 30-day retention
  • Access Logging: All database queries logged and audited
  • Isolation: No direct internet access to databases

4. Application Security

4.1 Secure Development

  • Code Review: All code reviewed before deployment
  • Static Analysis: Automated security scanning (Semgrep, CodeQL)
  • Dependency Scanning: Automated vulnerability checks (Snyk)
  • CI/CD Security: Signed commits, protected branches, audit logs

4.2 API Security

  • Authentication: API keys with rotation policies
  • Authorization: Granular permissions per API endpoint
  • Input Validation: Strict validation and sanitization
  • Output Encoding: Protection against injection attacks

4.3 Mobile App Security

  • Code Obfuscation: ProGuard (Android), SwiftShield (iOS)
  • Certificate Pinning: Prevents man-in-the-middle attacks
  • Root Detection: Warns users of compromised devices
  • Secure Storage: iOS Keychain, Android EncryptedSharedPreferences

5. Operational Security

5.1 Access Control

  • MFA Required: Multi-factor authentication for all employee access
  • SSO: Single sign-on with Okta for corporate accounts
  • Privileged Access: Time-limited, audited access to production
  • Offboarding: Immediate revocation of access upon termination

5.2 Monitoring and Logging

  • Centralized Logging: All logs aggregated and analyzed (Datadog)
  • Alerting: Real-time alerts for suspicious activity
  • Log Retention: 90 days for operational logs, 7 years for audit logs
  • SIEM: Security Information and Event Management integration

5.3 Incident Response

  • Response Team: Dedicated security incident response team
  • Playbooks: Documented procedures for common scenarios
  • Communication: Incident notification within 72 hours
  • Post-Mortem: Root cause analysis and remediation for all incidents

6. Compliance and Auditing

6.1 Compliance

  • GDPR: Full compliance for EU/EEA users
  • CCPA: Compliance with California privacy laws
  • SOC 2 Type II: Annual audit (in progress)
  • HIPAA: BAA available for healthcare customers

6.2 Security Audits

  • Penetration Testing: Annual third-party penetration tests
  • Vulnerability Scanning: Weekly automated scans
  • Code Audit: Third-party cryptography audit (completed Q3 2024)
  • Bug Bounty: Responsible disclosure program (see below)

7. Data Security

7.1 What We Store

  • Cryptographic Hashes: SHA-256 hashes of images (not the images)
  • Proofs: Zero-knowledge proofs of verification
  • Metadata: Encrypted metadata (GPS, timestamps)
  • Account Data: Email, name, company (encrypted)

7.2 What We DON'T Store

  • Your Photos: Never stored on our servers
  • Photo Content: We don't analyze or access image content
  • Unencrypted Location: GPS data is zero-knowledge verified
  • Payment Details: Handled by Stripe (PCI DSS Level 1)

7.3 Data Deletion

  • User Deletion: Immediate upon request
  • Automatic Cleanup: Unused data deleted after 2 years
  • Blockchain Data: Cryptographic commitments are permanent
  • Backup Retention: 30 days, then securely deleted

8. Responsible Disclosure

8.1 Bug Bounty Program

We welcome security researchers to help us maintain the security of our services.

8.2 Reporting Vulnerabilities

To report a security vulnerability:

  • Email: security@rial.app
  • PGP Key: Available at rial.app/pgp-key.txt
  • Scope: Mobile apps, API, web services, cryptographic implementation

8.3 What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested remediation (if applicable)

8.4 Our Response

  • Acknowledgment: Within 24 hours
  • Initial Assessment: Within 72 hours
  • Resolution: Critical issues patched within 7 days
  • Recognition: Hall of Fame for responsible disclosures

8.5 Rewards

Bounty amounts are based on severity (CVSS score):

  • Critical (9.0-10.0): Up to $10,000
  • High (7.0-8.9): Up to $5,000
  • Medium (4.0-6.9): Up to $1,000
  • Low (0.1-3.9): Recognition in Hall of Fame

9. Employee Security

9.1 Training

  • Security Awareness: Quarterly security training for all employees
  • Phishing Simulations: Regular phishing tests
  • Secure Coding: Annual secure development training
  • Incident Response: Tabletop exercises twice yearly

9.2 Background Checks

  • Background checks for employees with production access
  • NDA and security agreements for all employees and contractors

10. Third-Party Security

10.1 Vendor Management

  • Assessment: Security review of all third-party vendors
  • Contracts: Data processing agreements (DPAs) with all vendors
  • Monitoring: Ongoing monitoring of vendor security posture

10.2 Third-Party Services

  • AWS: SOC 2, ISO 27001 certified infrastructure
  • Stripe: PCI DSS Level 1 payment processing
  • Cloudflare: DDoS protection and CDN

11. Security Roadmap

11.1 Current Initiatives

  • SOC 2 Type II audit (Q1 2025)
  • ISO 27001 certification (Q2 2025)
  • Enhanced tamper detection (Q1 2025)
  • Hardware security module (HSM) integration (Q2 2025)

11.2 Future Enhancements

  • Formal cryptographic verification of circuit implementations
  • Multi-party computation for enhanced privacy
  • Quantum-resistant cryptography migration plan

12. Contact

For security questions or concerns:

Security Team:
Email: security@rial.app
PGP: Public key available at rial.app/pgp-key.txt

Security is a journey, not a destination. We continuously invest in security improvements and welcome feedback from our users and the security community.

© 2025 Rial Labs, Inc. All rights reserved.