Trust & security.
1. Hosting & architecture
The rptxsoftware.com marketing site is served as a static site from Cloudflare's global edge network. AskFolder is a modern web application: a TypeScript / Next.js front-end on Cloudflare, a stateless API tier on serverless infrastructure, and a primary PostgreSQL database (with pgvector for semantic embeddings) managed by Neon, Inc.
The authoritative list of every third-party system that processes customer data is published at /subprocessors and updated whenever it changes.
2. Encryption
In transit: All public endpoints are served over TLS 1.2+ with modern cipher suites. HTTP Strict Transport Security (HSTS) is enabled on both rptxsoftware.com and askfolder.com. Traffic to internal services (database, object storage, background workers) is encrypted via provider-enforced TLS.
At rest: Customer data, including indexed document chunks and vector embeddings, is stored in encrypted PostgreSQL (AES-256 provider-managed encryption via Neon). Object storage for raw documents is encrypted at rest by the underlying provider. Application secrets are held in a provider-managed secret store and never written to the repository.
3. Identity & access management
- Multi-factor authentication is enforced on every RPTX staff account that can touch customer data, including email, code repositories, domain registrar, and cloud providers.
- Access to production systems follows the principle of least privilege. Credentials are rotated on a schedule and immediately upon any suspected exposure.
- Customer authentication on AskFolder uses OAuth 2.0 / OpenID Connect for connected sources (Google Drive, OneDrive, SharePoint). We request the narrowest scopes required to index the folders you explicitly connect.
- OAuth refresh tokens are stored encrypted and are revocable by the customer at any time, both from AskFolder and from the upstream identity provider.
4. Data residency & retention
Primary production data is currently stored in the United States. For customers with strict EU or UK data residency requirements, contact [email protected] — region-pinned deployments are on the near-term roadmap and we will tell you honestly when they're ready.
Retention policy is summarized as follows, with the exact wording governed by the Terms of Service and Privacy Policy:
- Customer documents and indexes are kept for as long as your subscription is active.
- On subscription termination, data is retained for 60 days to allow re-activation or export, then permanently deleted from primary systems.
- Encrypted backups are purged within a further 90 days on our standard rotation schedule.
- Operational logs (authentication events, administrative actions) are retained for 13 months and then deleted.
5. Subprocessor management
The current list is at /subprocessors. When we add, change, or remove a subprocessor that processes personal data, we update that page and, for material changes, notify active paying customers by email at least 30 days in advance — giving you the opportunity to object before the change takes effect.
6. Incident response & breach notification
We maintain an internal incident-response runbook. In the event of a confirmed security incident that affects customer data:
- Internal acknowledgement within a few hours of detection, 24/7.
- Customer notification within 72 hours of confirming a personal-data breach, as required by GDPR Article 33 / UK GDPR.
- Notification content: nature of the incident, categories and approximate volume of records affected, likely consequences, and the mitigating steps taken.
- Post-incident report: a written post-mortem with root cause and remediation, available on request.
7. Business continuity & backups
Primary databases are backed up continuously by our managed PostgreSQL provider, with point-in-time recovery available within the last 7 days and daily snapshots retained for 30 days. Backup restoration procedures are tested regularly.
Because RPTX is a small studio, we design for graceful degradation: our services depend on mainstream, audited providers (Cloudflare, Neon, Paddle) rather than bespoke infrastructure, so continuity of customer data does not depend on any single RPTX employee being reachable.
8. Application security
- Code review: All changes to production code go through peer or self-review with a documented checklist covering authentication, authorization, input validation, and logging of sensitive actions.
- Dependency management: Automated dependency alerts are monitored; security patches in the top tier of severity are applied within 7 days, critical within 24–48 hours where a safe upgrade exists.
- Secrets management: No API keys or secrets are stored in the repository. A pre-commit secret-detection step runs on every change.
- Environment separation: Development, staging, and production environments are strictly separated. No production data is ever copied into non-production environments.
- Penetration testing: An annual third-party penetration test is planned; the first engagement is scheduled once AskFolder has been in production long enough to present a meaningful attack surface (target late 2026). Summary results will be available under NDA.
9. Privacy & data-subject rights
The full policy is at /privacy, and a standard Article 28 Data Processing Agreement is published at /dpa. In summary:
- No training on customer data. We do not use your documents to train AI models, and we contract with our AI providers specifically to ensure they do not either. This is in the Terms of Service, not just marketing.
- Data subject access requests (access, correction, deletion, portability) are handled within 30 days or the shorter period required by applicable law. Email [email protected].
- International transfers are covered by EU Standard Contractual Clauses (2021/914, Modules 2 and 3) as attached to the DPA.
10. Vulnerability disclosure
We welcome responsible disclosure of security issues in any RPTX-operated property.
Scope: rptxsoftware.com and subdomains, askfolder.com and subdomains, and RPTX-authored client libraries or command-line tools.
Out of scope: third-party services listed on the subprocessors page (please report those to the upstream provider), social engineering, denial of service, physical attacks, and automated scanner output without a proof of exploitability.
Process:
- Email [email protected] with a clear description and a reproducible proof of concept.
- We acknowledge within one business day and agree a coordinated disclosure timeline.
- We fix, deploy, and — with your consent — credit you in the hall of fame below.
- Please allow us a reasonable window (typically 90 days) to remediate before public disclosure.
Our machine-readable policy is at /.well-known/security.txt (RFC 9116). RPTX does not currently operate a paid bug bounty, but we are happy to acknowledge and, at our discretion, send a small token of appreciation for high-impact reports.
11. Security hall of fame
Researchers who have responsibly disclosed security issues to RPTX will be listed here with their permission. The list is currently empty — if you want to be the first, see the section above.
12. Compliance roadmap
RPTX is a newly-launched studio and we believe honesty about current compliance posture is worth more than a badge we haven't earned yet. Here is where we actually stand:
13. Document library
- Data Processing Agreement — standard GDPR Article 28 DPA with SCCs.
- Privacy policy — what we collect, why, and how to control it.
- Terms of service — the binding commercial contract.
- Subprocessors list — every third party that processes customer data.
- Release notes — ongoing product and security updates.
- security.txt — machine-readable vulnerability-disclosure contact.
For a signed DPA, SOC 2 readiness questionnaire responses, UBO verification, W-9 / W-8BEN-E, or any security questionnaire, email [email protected]. We respond within one business day.
14. Contacts
- Security: [email protected]
- Privacy / Legal: [email protected]
- Billing: [email protected]
- General: [email protected]