Skip to main content
R.I.C.H.O.
A RICHO SYSTEMS PLATFORM

Security and Trust — R.I.C.H.O.

Security & Trust

Securitybydesign.Onlyverifiedstatements.

R.I.C.H.O. security documentation uses only accurate, verifiable language. We do not claim certifications we do not hold, compliance we have not verified, or audits that have not occurred. Where controls are planned or in development, they are labelled as such.

Security Principles

Six security principles.

Security is architectural in R.I.C.H.O. — not a layer applied after the fact. These principles guide every design decision.

Security by design

Security controls are architectural — not applied after the fact. Every component is designed with explicit security boundaries.

Least-privilege access

Every identity, role, and integration operates with the minimum permissions required. No implicit elevation.

Continuous observability

All system events, access attempts, and state transitions are logged, monitored, and available for audit.

Explicit failure modes

Failure modes are documented and tested. The system fails safely — not silently.

Environment separation

Development, staging, and production environments are strictly separated with independent access controls.

Continuity and resilience

Backup, recovery, and continuity procedures are documented, tested, and available for review.

Trust Architecture

Ten trust layers.

The R.I.C.H.O. trust model is structured across ten layers — from identity verification to continuity and resilience.

01

Identity

MFA-enforced identity verification. All access is attributed to a verified identity.

02

Access Control

Role-based, context-aware access control with explicit permission grants and audit logging.

03

Decision Rights

Authority boundaries encoded structurally. No permission escalation without explicit human approval.

04

Data Handling

Data classification, handling requirements, and retention policies applied at ingestion.

05

Evidence Custody

Tamper-evident evidence records with chain-of-custody documentation for all governed workflows.

06

Auditability

Complete, attributed audit trails for all system events, decisions, and state transitions.

07

Test Assurance

Acceptance criteria and test requirements for all governed outputs before human review.

08

Human Review

Mandatory human review gates for all consequential decisions and external actions.

09

External-Action Gating

No external action without explicit human authorisation. The system stages; humans act.

10

Continuity and Resilience

Documented backup, recovery, and continuity procedures with tested restoration capability.

Security Controls

Controls and current status.

Each control is listed with its current implementation status. We use accurate language — not marketing language.

Implemented
Available
Planned
Not yet completed / certified

HTTPS everywhere

All communications encrypted in transit. HSTS enforced.

Implemented

Secure headers

Content Security Policy, X-Frame-Options, and other security headers configured.

Implemented

Rate limiting

API and form rate limiting to prevent abuse and denial-of-service.

Implemented

Input validation

Server-side input validation and output encoding for all user-supplied data.

Implemented

CSRF protection

Cross-site request forgery protection on all state-changing operations.

Implemented

MFA

Multi-factor authentication required for all privileged access.

Implemented

Dependency scanning

Automated dependency vulnerability scanning in the development pipeline.

Implemented

Secret management

Secrets managed via dedicated secret management — not exposed in code or configuration.

Implemented

Encryption at rest

All stored data encrypted at rest using current-generation encryption standards.

Implemented

Logging and monitoring

Comprehensive security logging with alerting for anomalous events.

Implemented

Vulnerability reporting

Responsible disclosure contact available. See security contact below.

Available

Independent security review

Independent security review has not yet been completed. Planned for future evaluation phases.

Not yet completed

SOC 2 / ISO 27001

Certification has not yet been completed. Not claimed until independently verified.

Not yet certified

Penetration testing

External penetration testing planned. Results will be available to qualified evaluators under NDA.

Planned

Interactive Tool

Security Posture Checker

Check which security controls your organisation currently has in place and see your posture score.

Security Posture Checker

Check each control your organisation currently has in place. This is a self-assessment — not a formal audit.

LIVE SCORE
HIGH RISKSTRONG
Access Control
Observability
Architecture
Environment
Continuity
Governance

Responsible Use

What R.I.C.H.O. will not do.

These constraints are structural — not advisory. They are encoded into the system's authority model and cannot be overridden by instruction.

R.I.C.H.O. will not independently make legally binding commitments.

R.I.C.H.O. will not independently spend money.

R.I.C.H.O. will not sign agreements.

R.I.C.H.O. will not publish externally without approval.

R.I.C.H.O. will not contact buyers or authorities without approval.

R.I.C.H.O. will not accept legal, financial, security, or deployment risk on behalf of an organisation.

R.I.C.H.O. will not fabricate evidence or claim verification that has not occurred.

Security questions for your evaluation.

Request a structured evaluation to review R.I.C.H.O. security architecture, controls, and governance against your organisation's requirements.

Security documentation is available under controlled access for qualified evaluators.