Privacy and Security

Security and privacy are at the core of our platform.

Platform Governance

Our platform maintains the security controls needed to stay compliant with the major frameworks that govern operation in the digital health space.

Core Principles

Permission-Based

Access is administered by management, and permissions are granted according to the principle of least privilege.

In-Depth

We implement multi-faceted security measures in a layered structure to maintain the highest level of defense.

All-Encompassing

All portions of the platform are tested internally and externally to ensure security measures operate across the whole platform.

Ever-Evolving

We continually review our security policies and adapt them as requirements change, so that the controls in place reflect current standards.

Security and Compliance

RiskAverse maintains SOC 2 Type II and ISO 27001 compliance, and implements the following controls:

Data Protection

At Rest

All customer data is encrypted at rest, and sensitive collections/tables additionally use row-level encryption. Physical or logical access to the database alone is therefore not sufficient to read sensitive information; the corresponding keys are also required.

In Transit

Data in transit is protected with TLS 1.2 or higher, and HSTS is enforced so browsers only reach the platform over HTTPS when data crosses potentially insecure networks. Server TLS keys and certificates are managed on AWS via Heroku, a Salesforce company.
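The two in-transit requirements above, a TLS floor of 1.2 and a correctly formed HSTS policy, can both be checked mechanically. The following Python is an added example and is not RiskAverse's or Heroku's own code: it builds a server-side ssl context that refuses anything below TLS 1.2, and validates a Strict-Transport-Security header (RFC 6797 syntax) against constructed sample responses. The one-year minimum max-age and the includeSubDomains requirement are assumptions chosen to match the HSTS preload list's minimum, not values stated on this page.

```python
import ssl


def strict_server_context() -> ssl.SSLContext:
    """Server-side TLS context with the protocol floor pinned to TLS 1.2.

    Certificates are not loaded here (no files in this example); a real
    server would call ctx.load_cert_chain(certfile, keyfile) afterwards.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rejects TLS 1.0 / 1.1 handshakes
    return ctx


def parse_hsts(value: str) -> dict:
    """Split an HSTS header value into lower-cased directive names and values.

    Duplicate directives are rejected: RFC 6797 says a UA must ignore the
    header in that case, so a checker should treat it as misconfigured.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate HSTS directive: {name}")
        directives[name] = val.strip().strip('"')
    return directives


# Assumed policy: one year is the preload-list minimum, and subdomains must be covered.
MIN_MAX_AGE = 31536000


def check_hsts(headers: dict, min_max_age: int = MIN_MAX_AGE) -> tuple:
    """Return (ok, reason) for a dict of response headers (case-insensitive names)."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "Strict-Transport-Security header missing"
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return False, str(exc)
    if "max-age" not in d:
        return False, "max-age directive missing"
    try:
        age = int(d["max-age"])
    except ValueError:
        return False, "max-age is not an integer"
    if age == 0:
        return False, "max-age=0 tells browsers to forget the HSTS policy"
    if age < min_max_age:
        return False, f"max-age {age} is below the required {min_max_age}"
    if "includesubdomains" not in d:
        return False, "includeSubDomains missing; subdomains stay reachable over http"
    return True, "ok"


# Constructed sample responses (not captured from any real host).
SAMPLE_RESPONSES = {
    "hardened": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "too-short": {"strict-transport-security": "max-age=300; includeSubDomains"},
    "disabled": {"Strict-Transport-Security": "max-age=0"},
    "absent": {"Content-Type": "application/json"},
}

if __name__ == "__main__":
    ctx = strict_server_context()
    print("TLS floor:", ctx.minimum_version.name)
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(f"{label:10s}", check_hsts(hdrs))
```

Run it as a script to see each sample classified; in a deployment check you would feed it the headers from a real HTTPS response and fail the build or alert if `check_hsts` returns anything but `(True, "ok")`.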

Secret Management

Encryption keys are managed via AWS Key Management Service (KMS). Key material is held in HSMs and cannot be exported or read directly by any individual, including employees of Amazon and RiskAverse; encryption and decryption are performed by calling the KMS APIs, which use the keys without ever exposing them.

Application secrets are encrypted and stored securely via AWS Secrets Manager and Parameter Store, and access to these values is strictly limited.

Platform Security

Penetration Testing

RiskAverse uses Astra as its third-party penetration testing partner. Automated and manual penetration tests are conducted every six months.

Vulnerability Scanning

RiskAverse incorporates vulnerability scanning across the development lifecycle:

  • Static analysis (SAST) of code during pull requests
  • Malicious dependency scanning
  • Network vulnerability scanning
  • Software composition analysis
  • Dynamic analysis of running applications
  • External attack surface management

Company Security

Secure Endpoints

All company devices are enrolled in device management software and run anti-malware protection. Endpoints follow all protocols necessary for secure operation.

Secure Remote Access

Only approved devices may access information pertaining to the platform. Sophos is used to monitor device usage and block access to sites of concern.

Employee Education

All employees receive extensive security training during onboarding and must review it annually. Training covers maintaining HIPAA compliance and identifying suspicious activity.

Engineering also conducts disaster recovery roundtables every six months.

Access Management

Employees are only granted access to the platform and vendors through permissions granted by engineering and monitored by management.

Once access is granted, two-factor authentication is required on every device that accesses any system containing company or customer data.

Vendor Assessment

Before onboarding a new vendor, RiskAverse performs a thorough examination of the vendor's ability to meet our compliance requirements, covering:

  • Access to customer and company data
  • Integration with the production environment
  • Brand quality

Once the review is complete, the vendor's security posture is evaluated and our customers/partners are informed of the integration.

Data Privacy

Shield

RiskAverse maintains a privacy shield that is managed through Heroku.

Compliance

RiskAverse continually evaluates updates to regulatory frameworks and adapts to the changing landscape.

Privacy

View RiskAverse’s Privacy Policy

Security Concerns?

Email support@riskaversehealth.com with your issue.