Security

A runtime that signs every decision has to get security right first.

Our security posture is reviewed quarterly by customer InfoSec teams at health systems, banks, and defense contractors. What follows is what we tell them, in the same words.

Four pillars

How we keep the blast radius small.

Keys
Root CA: Offline cold storage, two-person control, quarterly rotation
Signing keys: RSA-4096, rotated every 90 days, held in AWS CloudHSM (FIPS 140-2 Level 3)
Customer HSM mode: On-prem deployments use customer-held Thales or nCipher HSMs
Key ceremony: Annual, externally witnessed, video recorded, held in our NYC facility

Data
At rest: AES-256-GCM with per-tenant data keys
In transit: TLS 1.3 only, HSTS preloaded, Certificate Transparency logs monitored
Tenant isolation: Physical tenant separation on Enterprise; logical isolation with per-tenant KEKs on Cloud
Residency: Region-pinned; data leaves a region only via a signed operation

Access
Employee access: Zero standing access to customer data; just-in-time access via PAM, every request recorded
Admin MFA: Hardware security keys (FIDO2), phishing-resistant, mandatory
Customer SSO: SAML 2.0 and OIDC, SCIM 2.0 provisioning, enforced session policies
Least privilege: Quarterly access reviews, attested by the engineering manager and the CISO

Infrastructure
Hosting: AWS us-east-1, us-west-2, eu-central-1 and ap-southeast-1 for Cloud
Network: Private VPCs, no public egress from processing paths, WAF on the control plane
Hardening: CIS benchmarks, image signing, runtime policy on all workloads
Backups: Encrypted, cross-region, restore tested weekly, WORM retention
Program

Continuous, not annual.

Control | Status | Performed by | Notes
SOC 2 Type II | In progress, target Jul 2026 | Independent auditor | Letter of engagement available under NDA
ISO 27001 | Audit in progress | Independent auditor | Status shared under NDA
ISO 42001 | Audit in progress | Independent auditor | Status shared under NDA
HIPAA | Aligned, BAA-ready (dedicated) | Internal + outside counsel | Annual internal review
Pen test (external) | Quarterly | Bishop Fox | Letter public; full report under NDA
Red team (internal) | Continuous | Raidu Security | Quarterly report
Bug bounty | Active since 2024 | HackerOne private | Median payout $4,200
Incident response | 24/7 on-call | PagerDuty-tiered | 60-minute initial response SLA
Reporting a vulnerability

We want to hear from you.

Good-faith security research is welcome and encouraged. We commit to acknowledging reports within one business day, triaging within three, and, where appropriate, publishing a public advisory with credit to the reporter.

Channel | Detail | Notes
Email | security@raidu.com | Preferred; we reply within 1 business day
PGP key | 0x7B9A C1D4 E2F8 3A1C | Fingerprint on keys.openpgp.org
Bounty | HackerOne (private) | Invite by request after first valid report
security.txt | /.well-known/security.txt | Published and machine-readable
Response SLA | ≤ 1 business day | Triage ≤ 3 business days
Safe harbor | Yes, clearly scoped | Read the full policy at /security/safe-harbor

InfoSec review? Request the full pack.

SOC 2 Type II, ISO 27001, pen test, SIG-Lite, CAIQ, network diagrams, business continuity plan. Available under NDA in the Trust Center.
