RiskInMind™ - Security Policy

Effective Date: January 21, 2026

Last Updated: January 21, 2026

At RiskInMind™, we are committed to protecting the confidentiality, integrity, and availability of our clients' data, including nonpublic personal information (NPI) handled on behalf of financial institutions such as credit unions. This Security Policy outlines our comprehensive approach to information security, aligning with industry standards and regulatory requirements. It complements our SOC 2® Report (available upon request under NDA for qualified clients) and our Privacy Policy, which details data collection, use, and protection practices.

This policy applies to all RiskInMind.ai services, including our AI-powered agents for loan assessment, regulatory compliance, and document generation. We design our controls to support clients in meeting obligations under the Gramm-Leach-Bliley Act (GLBA), Federal Trade Commission (FTC) Safeguards Rule, and National Credit Union Administration (NCUA) regulations, including Part 748 and Appendices A and B.

1. Commitment to Regulatory Compliance

RiskInMind™ adheres to key regulatory frameworks to ensure secure handling of sensitive financial data:

  • GLBA and FTC Safeguards Rule: We implement administrative, technical, and physical safeguards to protect customer NPI from unauthorized access, use, or disclosure.
  • NCUA Part 748 (Including Appendices A and B): Our controls support credit unions in safeguarding member information and developing response programs for unauthorized access. We align with guidelines for service provider arrangements, ensuring prompt incident notifications and cooperation in response efforts.
  • Other Standards: Compliance with NIST Cybersecurity Framework (CSF), FFIEC IT Examination Handbook, and relevant state data protection laws.
  • Attestation: We maintain SOC 2® Type 2 attestation (covering Security, Availability, Processing Integrity, Confidentiality, and Privacy trust services criteria), audited annually by an independent AICPA-certified firm. See SOC 2® Reference for details. We also pursue ISO 27001 certification.

For more on data privacy specifics, refer to our Privacy Policy, which includes commitments under CCPA/CPRA, GDPR (for applicable clients), and GLBA privacy rules.

2. Detailed Security Controls and Safeguards

Our security program is risk-based and includes the following safeguards, aligned with NCUA Appendix A (Guidelines for Safeguarding Member Information):

Administrative Safeguards

  • Risk Assessment: Annual risk assessments identify threats to data confidentiality, integrity, and availability. We use tools like vulnerability scanning and third-party penetration testing.
  • Policies and Procedures: Documented policies for data classification, acceptable use, and change management.
  • Employee Training: All personnel receive annual security awareness training, including phishing simulations and handling of NPI. Background checks are conducted for roles with data access.
  • Vendor Management: Sub-processors are vetted for security compliance, with contracts requiring equivalent safeguards and audit rights.

Technical Safeguards

  • Access Controls: RiskInMind uses a role-based access control system so employees and contractors receive only the minimum permissions they need, with access clearly separated into admin, user, and no-access roles and reviewed at least annually. Access is granted based on role after background checks and required security training, and all access is removed within one business day when an employee leaves, ensuring timely and consistent deprovisioning. Sessions time out after inactivity.
  • Encryption: RiskInMind uses standard encryption methods, including HTTPS over TLS, to keep transmitted data confidential. RiskInMind maintains a documented policy governing encryption and cryptographic protection controls, and uses encryption technologies to protect customer data both at rest and in transit.
  • Network Security: Firewalls, intrusion detection/prevention systems (IDS/IPS), and web application firewalls (WAF). AI-driven monitoring detects anomalies in real time. The enabled services provide continuous network security monitoring for web applications, cloud resources, virtual machines, and containers, helping detect vulnerabilities and configuration issues early. They also provide event and threat detection and vulnerability assessments, giving broad coverage across the environment so that potential risks can be identified and addressed quickly.
  • Vulnerability Management: Regular scanning is performed using Google Security Command Center (SCC). The enabled services provide continuous vulnerability management across web applications, cloud resources, virtual machines, and containers, helping uncover misconfigurations and security weaknesses before they are exploited. They also deliver ongoing threat and event detection and targeted vulnerability assessments, enabling faster identification, prioritization, and remediation of risks across the environment.
  • Logging and Monitoring: Google Cloud Operations Suite provides a unified ecosystem that combines Cloud Logging for audit-ready event tracking with Cloud Monitoring for real-time performance metrics and global uptime checks. Automated alerting immediately notifies our team of security threats or system failures, and specialized observability tools such as Cloud Trace are used to monitor and optimize the performance of our AI models.

Physical Safeguards

  • Data Centers: RiskInMind™ is hosted in SOC 2®-aligned Google Cloud data centers, which feature 24/7 surveillance, biometric access controls, and advanced environmental protections. Under Google's shared responsibility model, we inherit the physical safeguards of Google's global infrastructure while remaining responsible for securing our applications and data.
  • Device Security: Personal devices used for work must have a password-protected screen lock that activates after 15 minutes or less of inactivity. The desktop fleet is managed via trycompai, with Windows BitLocker disk encryption enabled on Windows 11 Pro.

These controls are tested annually via internal audits and external assessments, as detailed in our SOC 2® Report.

3. Incident Response and Breach Notification

We maintain a documented Incident Response Plan (IRP) to address security incidents efficiently, supporting NCUA Appendix B (Guidance on Response Programs for Unauthorized Access to Member Information).

  • Incident Definition: A “security incident” includes any unauthorized access, use, disclosure, alteration, or destruction of client data, including member NPI.
  • Detection and Response: 24/7 monitoring with AI alerts. Incidents are triaged by severity.
  • Client Notification: We notify affected clients (e.g., credit unions) as soon as possible, typically within 24-48 hours of confirmation, but no later than 72 hours for reportable cyber incidents aligning with NCUA Part 748 requirements. Notifications include incident details, affected data, and remediation steps.
  • Cooperation: We assist clients in containment, forensics (via third-party experts if needed), and recovery. This enables clients to activate their own response programs, assess harm, and handle member notifications as required under Appendix B.
  • Post-Incident: Root cause analysis, lessons learned, and updates to controls. We report to regulators if required (e.g., under GLBA or state laws).

For privacy-related incidents, see our Privacy Policy section on Data Breach Response.

4. Data Privacy and Handling Practices

Aligned with our Privacy Policy, we handle data as follows:

  • Collection and Use: Data is processed only for agreed purposes (e.g., loan underwriting via our AI agents). No selling or sharing of NPI without consent.
  • Storage and Retention: Data is stored securely and retained only as long as necessary (e.g., per client contract or regulatory requirements), with secure deletion afterward.
  • Sub-Processors: A list of sub-processors is available in our Data Processing Addendum (DPA), accessible via client agreements. All sub-processors meet equivalent security standards.
  • Data Subject Rights: Support for access, correction, deletion, and opt-out requests, as detailed in the Privacy Policy.

5. Third-Party / Customer-Specific Assurances

For clients like credit unions outsourcing functions (e.g., loan assessment):

  • Audit Rights: Clients may request audits or reviews of our controls, subject to reasonable notice and NDA.
  • Indemnification: Contracts include provisions for liability in case of breaches due to our negligence.
  • Business Continuity: Redundant systems ensure 99.9% uptime; disaster recovery tested biannually.
  • Contractual Commitments: Our standard agreements (or DPAs) mandate alignment with GLBA/NCUA, prompt incident notifications, and cooperation in responses.

6. Vulnerability Disclosure Program

We encourage responsible disclosure of vulnerabilities in our web and mobile applications.

  • Scope: Applies to current versions of RiskInMind.ai web app and mobile apps.
  • Reporting: Submit details to hello@riskinmind.ai, including steps to reproduce, impact, and proof-of-concept.
  • Our Response: Acknowledgment within 48 hours; prioritization by severity (CVSS scoring); coordinated disclosure after mitigation.
  • Guidelines: Report in good faith; avoid DoS attacks, data access, or public disclosure before resolution.

SOC 2® Reference

Our SOC 2® Type 2 Report, issued by SECURANCE PRO, validates the operating effectiveness of our controls over a 12-month period. Key findings include no material weaknesses in security or privacy criteria. Clients can request a copy under NDA for due diligence purposes. The report aligns with AICPA Trust Services Criteria and supports GLBA compliance demonstrations.

For questions or to request documents, contact hello@riskinmind.ai.

This policy is reviewed annually or upon significant changes. By using our services, you acknowledge this policy.