RiskInMind™ - Security Policy

Effective Date: 01/21/2026

Last Updated: 04/23/2026

At RiskInMind™, we are committed to protecting the confidentiality, integrity, and availability of our clients' data, including nonpublic personal information (NPI) handled on behalf of financial institutions such as credit unions. This Security Policy outlines our comprehensive approach to information security, aligning with industry standards and regulatory requirements. It complements our SOC 2 Report (available upon request under NDA for qualified clients) and our Privacy Policy, which details data collection, use, and protection practices.

This policy applies to all RiskInMind.ai services, including our AI-powered agents for loan assessment, regulatory compliance, and document generation. We design our controls to support clients in meeting obligations under the Gramm-Leach-Bliley Act (GLBA), Federal Trade Commission (FTC) Safeguards Rule, and National Credit Union Administration (NCUA) regulations, including Part 748 and Appendices A and B.

1. Commitment to Regulatory Compliance

RiskInMind™ adheres to key regulatory frameworks to ensure secure handling of sensitive financial data:

  • GLBA and FTC Safeguards Rule: We implement administrative, technical, and physical safeguards to protect customer NPI from unauthorized access, use, or disclosure.
  • NCUA Part 748 (Including Appendices A and B): Our controls support credit unions in safeguarding member information and developing response programs for unauthorized access. We align with guidelines for service provider arrangements, ensuring prompt incident notifications and cooperation in response efforts.
  • Other Standards: Compliance with NIST Cybersecurity Framework (CSF), FFIEC IT Examination Handbook, and relevant state data protection laws.
  • Certifications: We maintain SOC 2 Type 2 attestation (covering Security, Availability, Processing Integrity, Confidentiality, and Privacy trust services criteria), audited annually by an independent AICPA-certified firm. See SOC 2 Reference for details. We also pursue ISO 27001 certification.

For more on data privacy specifics, refer to our Privacy Policy, which includes commitments under CCPA/CPRA, GDPR (for applicable clients), and GLBA privacy rules.

2. Detailed Security Controls and Safeguards

Our security program is risk-based and includes the following safeguards, aligned with NCUA Appendix A (Guidelines for Safeguarding Member Information):

Administrative Safeguards

  • Risk Assessment: Annual risk assessments identify threats to data confidentiality, integrity, and availability. We use tools like vulnerability scanning and third-party penetration testing.
  • Policies and Procedures: Documented policies for data classification, acceptable use, and change management.
  • Data Classification: RiskInMind classifies all data into four categories to ensure appropriate handling, protection, and disposal: (1) Public; (2) Internal; (3) Confidential; (4) Restricted, the highest classification, reserved for regulated data subject to legal, regulatory, or contractual obligations, including member NPI under GLBA and NCUA requirements.
  • Employee Training: All personnel receive annual security awareness training, including phishing simulations and handling of NPI. Background checks are conducted for roles with data access.
  • Vendor Management: Sub-processors are vetted for security compliance, with contracts requiring equivalent safeguards and audit rights.
  • Vendor Risk Assessment: Formal vendor risk assessment process for all third-party service providers. High-risk vendors are subject to enhanced due diligence, including review of current SOC 2 reports. Vendor risk ratings are reviewed at least annually.

Technical Safeguards

  • Access Controls: Role-based access control (RBAC) grants only the minimum permissions needed. Access is reviewed at least annually and removed within one business day of termination. Sessions time out after inactivity.
  • Authentication and Multi-Factor Authentication (MFA): RiskInMind enforces MFA for all user accounts. Password requirements align with NIST SP 800-63B guidelines (minimum 12 characters). Breached-credential monitoring is implemented to identify compromised credentials.
  • Access Reviews and Service Account Management: Formal access reviews are conducted on a quarterly basis. Service accounts are managed with documented ownership and defined expiry dates. Privileged access requires documented management approval.
  • Encryption: Standard encryption methods, including HTTPS with TLS. Data is encrypted at rest and in transit.
  • Cryptographic Key Management: Documented procedures govern the management of cryptographic keys. Keys are generated using industry-standard algorithms, stored securely, and rotated at least annually. Retired keys are securely decommissioned.
  • Network Security: Firewalls, IDS/IPS, and WAF. Continuous security monitoring for web apps, cloud resources, and containers.
  • Vulnerability Management: Regular scanning via Google Security Command Center (SCC) to identify misconfigurations and weaknesses before they can be exploited.
  • Logging and Monitoring: Google Cloud Operations Suite, combining Cloud Logging and Cloud Monitoring, provides real-time tracking and automated alerting.
  • Audit Log Retention and Event Categories: Logs are retained for a minimum of 90 days. They capture authentication, privileged activity, configuration changes, data access, and administrative actions. Logs are protected against unauthorized modification.

Physical Safeguards

  • Data Centers: Hosted in SOC 2-compliant Google Cloud data centers featuring 24/7 surveillance and biometric controls. We inherit the physical safeguards of Google's global infrastructure.
  • Device Security: A password-protected screen lock activates after 15 minutes of inactivity or less; the device fleet is managed via TryCompa, with Windows BitLocker disk encryption.

These controls are tested annually via internal audits and external assessments, as detailed in our SOC 2 Report.

3. Incident Response and Breach Notification

We maintain a documented Incident Response Plan (IRP) to address security incidents efficiently, supporting NCUA Appendix B (Guidance on Response Programs for Unauthorized Access to Member Information).

  • Incident Definition: A 'security incident' includes any unauthorized access, use, disclosure, alteration, or destruction of client data, including member NPI.
  • Detection and Response: 24/7 monitoring with AI alerts. Incidents are triaged by severity.
  • Client Notification: We notify affected clients as soon as possible, typically within 24-48 hours of confirmation, but no later than 72 hours for reportable cyber incidents aligning with NCUA Part 748 requirements.
  • Cooperation: We assist clients in containment, forensics, and recovery. This enables clients to activate their own response programs as required under Appendix B.
  • Post-Incident Review and Continuous Improvement: A formal post-incident review identifies root causes and drives improvements. Annual tabletop exercises test the effectiveness of the IRP. Documentation is retained for a minimum of three years.

For privacy-related incidents, see our Privacy Policy section on Data Breach Response.

4. Data Privacy and Handling Practices

Aligned with our Privacy Policy, we handle data as follows:

  • Collection and Use: Data is processed only for agreed purposes (e.g., loan underwriting). No selling or sharing of NPI without consent.
  • Storage and Retention: Data is stored securely and retained only as long as necessary, with secure deletion afterward.
  • Sub-Processors: A list of sub-processors is available in our Data Processing Addendum (DPA), accessible via client agreements.
  • Data Subject Rights: Support for access, correction, deletion, and opt-out requests, as detailed in the Privacy Policy.

5. Third-Party / Customer-Specific Assurances

For clients like credit unions outsourcing functions:

  • Audit Rights: Clients may request audits or reviews of our controls, subject to reasonable notice and NDA.
  • Indemnification: Contracts include provisions for liability in case of breaches due to our negligence.
  • Business Continuity and Disaster Recovery (BCP/DR): Documented BCP/DR plan ensuring service availability. Redundant systems ensure 99.9% uptime. Backup procedures verified regularly; recovery tested biannually through simulated exercises.
  • Contractual Commitments: Our standard agreements mandate alignment with GLBA/NCUA and prompt incident notifications.

6. Vulnerability Disclosure Program

We encourage responsible disclosure of vulnerabilities in our web and mobile applications. Submit details to hello@riskinmind.ai. We acknowledge reports within 48 hours and prioritize by severity using CVSS scoring.

SOC 2 Reference

Our SOC 2 Type 2 Report, issued by SECURANCE PRO, validates the operating effectiveness of our controls over a 12-month period. Key findings include no material weaknesses in security or privacy criteria.

Privacy Controls and Future Audit Scope: RiskInMind is evaluating the inclusion of Privacy (P Series) Trust Services Criteria in a future SOC 2 audit cycle. Privacy obligations are currently addressed in our Privacy Policy and maintained in accordance with GDPR, CCPA/CPRA, and GLBA.

For questions or to request documents, contact hello@riskinmind.ai.

This policy is reviewed annually or upon significant changes. By using our services, you acknowledge this policy.