We get audited too.
You authorize us to attack your systems — that earns us a higher trust bar than any other vendor in your stack. Here's our security posture, our guardrails, and how to report an issue in Rift itself.
Independently verified
SOC 2 Type II
Audited controls across security, availability, and confidentiality. Full report available under NDA.
ISO 27001
Information security management system aligned to the standard; scope shared on request.
We get pentested
An external firm tests Rift on a recurring basis — and we run Rift against Rift, too. We don't ask you to trust anything we haven't proven on ourselves.
How we keep autonomous safe
The same guardrails that protect your production are documented here in full — the technical detail a security reviewer needs.
- ✓ Scope-locking: agents physically cannot act outside authorized assets
- ✓ Safe-by-default exploitation: proof without destruction
- ✓ Production-aware throttling and quiet hours
- ✓ Full, replayable action log for every engagement
Subprocessors & policies
Subprocessor list
Current third parties that process customer data, with purpose — updated as it changes.
Data Processing Addendum
Standard DPA available for signature during onboarding.
Privacy policy
How we handle personal data across the site and platform.
Security questionnaire
Pre-filled CAIQ / SIG to speed your vendor review.
Found a bug in Rift?
We run a coordinated vulnerability disclosure program with safe-harbor for good-faith research. If you've found an issue in Rift itself, we want to hear from you — and we'll credit you.
Need our security package?
We'll share our SOC 2 report, pen-test summary, and a completed security questionnaire under NDA.