Security
Last reviewed: May 6, 2026
Protecting the data you entrust to us is a core part of how we build Rimo. This page explains the technical and organisational controls we have in place, and how to report a potential vulnerability.
1. Infrastructure and Hosting
The Rimo platform is hosted on enterprise-grade cloud infrastructure with built-in redundancy and high availability. Our infrastructure providers maintain a comprehensive set of compliance certifications, including SOC 2 Type II and ISO 27001. We operate in multiple availability zones to minimise downtime and ensure business continuity.
All production systems are isolated in private network segments with strictly controlled inbound and outbound traffic rules. Access to production environments is limited to authorised personnel and requires multi-factor authentication.
2. Data Encryption
- In transit: all data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and apply HTTP Strict Transport Security (HSTS).
- At rest: sensitive data, including User Content, account information, and credentials, is encrypted at rest using AES-256.
- Secrets management: cryptographic keys and application secrets are managed through a dedicated secrets management service and are never stored in source code or unencrypted configuration files.
3. Access Controls
We follow the principle of least privilege. Internal access to customer data is granted only where strictly necessary and is subject to regular access reviews. All privileged actions in production systems are logged and audited.
Employee accounts are protected by strong password policies and mandatory multi-factor authentication. Access credentials are provisioned and deprovisioned promptly as team members join or leave the organisation.
4. Application Security
- Secure development: our engineering team follows secure coding standards and conducts peer code review for all changes before they reach production.
- Dependency management: we continuously monitor third-party dependencies for known vulnerabilities and apply security patches promptly.
- Static analysis: automated security scanning tools are integrated into our CI/CD pipeline to detect common vulnerability patterns (OWASP Top 10, CVEs) before deployment.
- Penetration testing: we engage independent third-party security firms to conduct regular penetration tests of our platform.
5. Data Isolation and Multi-Tenancy
Each customer's data is logically isolated from other customers' data. We enforce strict tenant-level access controls so that no user or process can access data belonging to another organisation. User Content — including uploaded product screens, briefs, and generated videos — is accessible only to authorised users within your account.
6. Monitoring and Incident Response
Our systems are monitored around the clock for anomalous behaviour, suspicious activity, and potential security events. Alerts are routed to our on-call engineering team for immediate investigation.
In the event of a confirmed security incident, we follow a documented incident response plan that includes containment, eradication, and recovery phases. Where a breach involves personal data and notification is required by law, we will notify affected customers and the relevant regulatory authority within the timeframe required by applicable law.
7. Third-Party Subprocessors
We work with a limited set of carefully vetted third-party subprocessors (e.g., cloud infrastructure providers, payment processors, and analytics vendors). Each subprocessor is evaluated for security posture and contractually obligated to maintain appropriate safeguards. Our current subprocessor list is available on request.
8. Business Continuity and Disaster Recovery
We maintain automated daily backups of critical data, stored in geographically separate locations. Backups are encrypted and tested periodically to verify recoverability. Our disaster recovery procedures are designed to restore service within defined recovery time and point objectives.
9. Responsible Disclosure
We welcome reports from security researchers and members of the public who discover potential vulnerabilities in our systems. If you believe you have found a security issue, please report it to us responsibly:
- Email us at support@rimodreamlabs.ai with a clear description of the vulnerability, steps to reproduce it, and its potential impact.
- Allow us a reasonable period of time (typically 90 days) to investigate and remediate before public disclosure.
- Do not access, modify, or delete data belonging to other users, or take any action that could degrade the availability of the Service.
We are committed to acknowledging valid reports promptly, keeping you informed of our progress, and recognising your contribution once the issue has been resolved.
10. Contact Us
For security enquiries, vulnerability reports, or any security-related questions, please contact us at:
Rimo Dream Labs
Email: support@rimodreamlabs.ai