Security · Trust overview

Trust & security.

Effective date: 23 April 2026 Last updated: 23 April 2026 Version: 1.4

This page answers the questions procurement, security, and compliance teams typically ask before they onboard a new vendor. If we've missed something, email [email protected] and we aim to answer within one business day — and add the question here for the next reader.

Breach notification ≤ 72h GDPR Article 33 aligned

Primary hosting EU EEA datacentre, SCCs in place

Vuln disclosure ~1 BD target first response

Data export 60d post-termination

1. Hosting & architecture

The rptxsoftware.com marketing site is served as a static site from a global CDN. AskFolder runs as a containerised application on dedicated EU infrastructure, with its relational database and vector search index running alongside on audited Tier-1 providers. Each service is isolated by container and network boundary. Uploaded documents are held in object storage that encrypts every object with AES-256 at rest by default. Large-language-model inference, text embedding, and reranking are provided by established AI vendors under contractual no-training terms.

The authoritative list of every third-party system that processes customer data is published at /subprocessors and updated whenever it changes. Detailed architecture diagrams, specific vendor topology, and infrastructure inventory are provided on request under NDA — email [email protected].

2. Encryption

In transit: All public endpoints are served over modern TLS with current cipher suites. HTTP Strict Transport Security (HSTS) is enabled on both rptxsoftware.com and askfolder.com. Traffic to internal services (database, object storage, background workers) is encrypted via provider-enforced TLS.

At rest: Uploaded documents are stored in object storage that encrypts every object with AES-256 by default. The primary database and vector index run on RPTX-managed infrastructure in the EU, on volumes protected by provider-enforced physical controls and access restrictions. Application secrets are injected at deploy time from a dedicated secret store and are never committed to source control.

Per-workspace application-layer encryption. Sensitive payload fields inside the AskFolder vector index are additionally encrypted at the application layer with a key that is unique to each workspace. Each workspace's content is held in its own logically-isolated collection, and when a workspace is deleted its encryption key is destroyed so any residual ciphertext on rotated backups becomes unreadable before the backup is naturally overwritten.

3. Identity & access management

Multi-factor authentication is enforced on every RPTX staff account that can touch customer data, including email, code repositories, domain registrar, and cloud providers.
Access to production systems follows the principle of least privilege. Credentials are rotated on a schedule and immediately upon any suspected exposure.
Google Drive connector — drive.file scope via Google Picker. AskFolder reads only the specific files you explicitly select with the Google Picker dialog. We use the narrowly-scoped https://www.googleapis.com/auth/drive.file permission, which by design gives RPTX access to only those files you picked — we cannot see, list, or index any other file in your Drive. You can revoke that authorisation at any time at myaccount.google.com/permissions; the indexer stops reading immediately.
Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Where the connector uses OAuth, refresh tokens are stored encrypted and are revocable both from AskFolder and from the upstream identity provider at any time.
We do not request permission to write, edit, share, or delete files in your connected sources.

4. Where data is stored & retention

As a factual statement about our infrastructure: the AskFolder relational database and vector search index currently run on dedicated compute in the European Union, and object storage for uploaded documents is region-configurable on request. This is an operational choice, not a compliance guarantee, and is subject to change; the authoritative list of infrastructure providers is maintained on our Subprocessors page, and the authoritative description of our data-handling obligations is in the Terms of Service, Privacy Policy, and Data Processing Agreement. For specific country-level residency commitments, contact [email protected].

Retention policy is summarized as follows, with the exact wording governed by the Terms of Service and Privacy Policy:

Customer documents and indexes are kept for as long as your subscription is active.
On subscription termination, data is retained for 60 days to allow re-activation or export, then permanently deleted from primary systems.
Encrypted backups are purged within a further 90 days on our standard rotation schedule.
Service logs (request traces, error logs) are retained for up to 90 days for security and debugging.
Authentication & administrative audit logs are retained for 13 months and then deleted.

5. Subprocessor management

The current list is at /subprocessors. When we add, change, or remove a subprocessor that processes personal data, we update that page and, for material changes, notify active paying customers by email at least 30 days in advance — giving you the opportunity to object before the change takes effect.

6. Incident response & breach notification

We maintain an internal incident-response runbook. In the event of a confirmed security incident that affects customer data:

Internal acknowledgement and escalation per our on-call runbook, 24/7. Specific internal SLAs are shared with enterprise customers under NDA.
Customer notification within 72 hours of confirming a personal-data breach, as required by GDPR Article 33 / UK GDPR.
Notification content: nature of the incident, categories and approximate volume of records affected, likely consequences, and the mitigating steps taken.
Post-incident report: a written post-mortem with root cause and remediation, available on request.

7. Business continuity & backups

The primary database is backed up to encrypted object storage on a regular schedule, with a rolling 30-day retention window. Backups that contain Personal Data aged out by deletion are fully overwritten within the 90-day maximum window referenced in our DPA and Privacy Policy. Backup restoration procedures are tested regularly.

RPTX designs for graceful degradation: our services depend on mainstream, audited infrastructure providers rather than bespoke platforms, so continuity of customer data does not depend on any single individual being reachable.

8. Application security

Code review: All changes to production code go through peer or self-review with a documented checklist covering authentication, authorization, input validation, and logging of sensitive actions.
Dependency management: Automated dependency alerts are monitored; security patches are applied on a defined severity-based schedule, with critical issues prioritised ahead of routine updates.
Secrets management: API keys and secrets are held in a dedicated secret store and are never committed to source control.
Environment separation: Development, staging, and production environments are strictly separated. No production data is ever copied into non-production environments.
Security review: Every release passes an internal application-layer security review covering authentication, authorisation, input validation, rate limiting, and audit logging. External penetration testing is performed on customer request and on a defined annual cadence as the customer base grows; executive summaries and remediation evidence are shared with qualified customers under NDA.

9. Privacy & data-subject rights

The full policy is at /privacy, and a standard Article 28 Data Processing Agreement is published at /dpa. In summary:

No training on customer data. We do not use your documents to train AI models, and we only send inputs to AI providers under paid or enterprise API terms that prohibit training or service-improvement use of your content. Specific providers and the relied-on contractual controls are listed on our subprocessors page.
Data subject access requests (access, correction, deletion, portability) are handled within one month of a verified request, extendable by a further two months for particularly complex or voluminous requests as permitted by GDPR Article 12(3). Email [email protected].
International transfers are covered by EU Standard Contractual Clauses (2021/914, Modules 2 and 3) as attached to the DPA.
Illegal-content reports (EU DSA Art. 16): email [email protected]. Our single point of contact for authorities and users under DSA Articles 11 & 12 is the same address. Notice requirements are described in Terms §13.

10. Vulnerability disclosure

We welcome responsible disclosure of security issues in any RPTX-operated property.

Scope: rptxsoftware.com and subdomains, askfolder.com and subdomains, and RPTX-authored client libraries or command-line tools.

Out of scope: third-party services listed on the subprocessors page (please report those to the upstream provider), social engineering, denial of service, physical attacks, and automated scanner output without a proof of exploitability.

Process:

Email [email protected] with a clear description and a reproducible proof of concept.
We aim to acknowledge within one business day and to agree a coordinated disclosure timeline.
We fix, deploy, and — with your consent — credit you in the hall of fame below.
Please allow us a reasonable window (typically 90 days) to remediate before public disclosure.

Our machine-readable policy is at /.well-known/security.txt (RFC 9116). RPTX does not currently operate a paid bug bounty, but we are happy to acknowledge and, at our discretion, send a small token of appreciation for high-impact reports.

11. Security hall of fame

Researchers who have responsibly disclosed security issues to RPTX are listed here with their permission. To be credited, see the vulnerability-disclosure process above.

12. Compliance posture

A summary of where we stand on the frameworks customers most commonly ask about. Detailed control mappings, audit artefacts, and evidence packs are shared with qualified customers under NDA — email [email protected].

GDPR / UK GDPR In effect Privacy policy, DPA with SCCs, 72h breach notification, DSAR process.

CCPA / CPRA Rights honoured We honour CCPA / CPRA-equivalent rights (access, deletion, opt-out of "sharing") for all customers, even where our current scale places us below the statutory thresholds.

EU Digital Services Act In effect Art. 11/12 single point of contact and Art. 16 illegal-content notice mechanism implemented in Terms §13.

HIPAA BAA Not offered We do not currently offer a Business Associate Agreement. Do not upload protected health information; see Terms §3.

Independent security review On request Internal application-layer security review on every release; external penetration testing performed on customer request and as an annual cadence as the customer base grows. Executive summaries and remediation evidence shared under NDA.

13. Document library

Data Processing Agreement — standard GDPR Article 28 DPA with SCCs.
Privacy policy — what we collect, why, and how to control it.
Terms of service — the binding commercial contract.
Subprocessors list — every third party that processes customer data.
Release notes — ongoing product and security updates.
security.txt — machine-readable vulnerability-disclosure contact.

For a signed DPA, a completed security questionnaire (CAIQ / SIG-Lite or customer-specific), UBO verification, W-9 / W-8BEN-E, or any other procurement artefact, email [email protected]. We aim to respond within one business day.

14. Contacts

Security: [email protected]
Privacy / Legal: [email protected]
Billing: [email protected]
General: [email protected]
EU DSA — single point of contact (Art. 11/12) & illegal-content notices (Art. 16): [email protected]. Postal address for DSA correspondence: see the footer of any legal page. Communications accepted in English.

← Back to rptxsoftware.com