Security & Trust
How RILLA Shield protects the businesses, accountants, and insurers who rely on us. This page is maintained by RILLA and consolidates the controls procurement teams ask for most often.
Last updated 2026-06-23. RILLA Shield is not affiliated with, endorsed by, or certified by any insurer or government agency. Certifications listed below show their current status honestly.
Posture at a glance
Accuracy report · last 30 days
Building our public accuracy record.
We publish accuracy stats only once we have at least 20 user-verified scans in the last 30 days. Showing a number based on too few cases would be misleading.
Computed from risk_feedback — every time a user marks a scan as a confirmed scam, false alarm, or legitimate. Rolling 30-day window. We'd rather show "we don't have enough data" than a confident wrong number.
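The gating rule above (a rolling 30-day window over user verdicts, with nothing published until at least 20 verified scans are present) can be expressed as a small function. The following is an added illustrative example, not RILLA's own code; the risk_feedback schema (a 'ts' timestamp and a 'verdict' of confirmed_scam, false_alarm or legitimate), the sample rows and the "flag precision" metric are all assumptions made here, since the page does not publish them.

```python
"""Minimum-sample gate for a public accuracy report (illustrative example, not RILLA's code).

Assumed schema (constructed here, not published on the page): each risk_feedback
row has an ISO-8601 'ts' and a 'verdict' of 'confirmed_scam', 'false_alarm' or
'legitimate', recorded when a user verifies a scan.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

MIN_VERIFIED_SCANS = 20          # below this, report "not enough data"
WINDOW = timedelta(days=30)      # rolling window
VERDICTS = ("confirmed_scam", "false_alarm", "legitimate")


def accuracy_report(rows, now):
    """Return a report dict; 'published' is False when the sample is too small."""
    cutoff = now - WINDOW
    counts = Counter(
        r["verdict"] for r in rows
        if r["verdict"] in VERDICTS and datetime.fromisoformat(r["ts"]) >= cutoff
    )
    total = sum(counts.values())
    if total < MIN_VERIFIED_SCANS:
        # Deliberately withhold every ratio: a rate from a handful of cases misleads.
        return {"published": False, "verified_scans": total}
    flagged = counts["confirmed_scam"] + counts["false_alarm"]
    # Assumed metric: of scans the product flagged as risky, the share users confirmed.
    precision = counts["confirmed_scam"] / flagged if flagged else None
    return {
        "published": True,
        "verified_scans": total,
        "counts": dict(counts),
        "flag_precision": precision,
    }


def constructed_feedback(now, n_recent, n_old):
    """Build constructed sample rows: n_recent inside the window, n_old outside it."""
    rows = []
    for i in range(n_recent):
        rows.append({
            "ts": (now - timedelta(days=i % 29)).isoformat(),
            "verdict": VERDICTS[i % 3],
        })
    for i in range(n_old):
        rows.append({
            "ts": (now - timedelta(days=31 + i)).isoformat(),
            "verdict": "legitimate",
        })
    return rows


if __name__ == "__main__":
    now = datetime(2026, 6, 23, tzinfo=timezone.utc)
    print(accuracy_report(constructed_feedback(now, 19, 40), now))  # too few: not published
    print(accuracy_report(constructed_feedback(now, 24, 40), now))  # published
```

Note that rows older than the window never count toward the threshold, so a product with a long history but little recent feedback correctly reports "not enough data" rather than a stale figure.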
Certifications & assurance
SOC 2 Type II
In progress: Readiness assessment complete. Type II observation window underway. Letter of engagement available on request.
ISO/IEC 27001
Roadmap: Gap analysis completed. Targeted certification 2027.
Australian Privacy Principles
Aligned: Operating in accordance with the Privacy Act 1988 (Cth) and APPs. Notifiable Data Breaches scheme followed.
Independent penetration test
In progress: Internal red-team review complete. Third-party test booked.
Honest framing: "in progress" means what it says. We will never claim a certification we don't hold.
Controls in detail
Encryption everywhere
TLS 1.2+ for all client and server traffic. AES-256 at rest on managed database, object storage, and backups. Secrets stored in an isolated vault, never in source.
Role-based access control
Owner, Admin, Approver, Viewer. Approval chains for high-value payments. Per-action permissions enforced server-side, not just in the UI.
Strong authentication
TOTP MFA available to every account today. SAML SSO (Okta, Microsoft Entra ID, Google Workspace) for Business and Enterprise plans. Session controls for idle timeout and IP allow-listing on Enterprise.
Immutable audit log
Append-only audit of authentication, payee verification, approval decisions, evidence-pack creation, and admin actions. Exportable on request. Cryptographic chain so tampering is detectable.
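The "cryptographic chain" that makes tampering detectable is typically a hash chain: each record commits to the hash of the record before it, so editing, inserting or deleting an earlier record changes every hash downstream. The following is an added illustrative example of that technique, not RILLA's own implementation; the record fields, the SHA-256 choice and the sample events are assumptions.

```python
"""Hash-chained, append-only audit log (illustrative example, not RILLA's code).

Each record stores prev_hash (the hash of the preceding record) and its own hash
over all other fields, so any change to an earlier record breaks the chain.
"""
import copy
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed anchor value for the first record's prev_hash


def _record_hash(record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal content hashes equally.
    body = {k: v for k, v in record.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_entry(chain: list, ts: str, actor: str, action: str, details: dict) -> dict:
    """Append one record that commits to the current chain head."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {
        "seq": len(chain),
        "ts": ts,
        "actor": actor,
        "action": action,
        "details": details,
        "prev_hash": prev_hash,
    }
    record["hash"] = _record_hash(record)
    chain.append(record)
    return record


def verify_chain(chain: list) -> tuple:
    """Return (True, -1) if intact, else (False, index of the first inconsistent record)."""
    expected_prev = GENESIS
    for i, record in enumerate(chain):
        if record["seq"] != i or record["prev_hash"] != expected_prev:
            return False, i
        if _record_hash(record) != record["hash"]:
            return False, i
        expected_prev = record["hash"]
    return True, -1


def build_sample_chain() -> list:
    """Constructed sample events mirroring the categories the audit log covers."""
    chain = []
    append_entry(chain, "2026-06-01T09:00:00+00:00", "alice", "auth.login", {"mfa": "totp"})
    append_entry(chain, "2026-06-01T09:02:00+00:00", "alice", "payee.verify",
                 {"payee": "Example Pty Ltd", "result": "match"})
    append_entry(chain, "2026-06-01T09:05:00+00:00", "bob", "payment.approve",
                 {"amount": 12500, "currency": "AUD"})
    return chain


def tampered_copy(chain: list) -> list:
    """Copy of the chain with an earlier record silently edited."""
    tampered = copy.deepcopy(chain)
    tampered[1]["details"]["result"] = "mismatch"
    return tampered


def deleted_copy(chain: list) -> list:
    """Copy of the chain with a middle record removed."""
    return [chain[0]] + chain[2:]


if __name__ == "__main__":
    log = build_sample_chain()
    print(verify_chain(log))                 # (True, -1)
    print(verify_chain(tampered_copy(log)))  # (False, 1)
    print(verify_chain(deleted_copy(log)))   # (False, 1)
```

One caveat practitioners should keep in mind: a hash chain by itself does not detect truncation of the tail, since a shortened log still verifies. Detecting that requires recording the latest head hash somewhere the log writer cannot alter (for example, a periodically published or escrowed checkpoint) and comparing against it.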
Network & infrastructure
Cloudflare edge with DDoS protection. No public database. All compute on managed serverless with no SSH access. Production change control with reviewed deployments.
Incident response
Documented runbook. 72-hour customer notification commitment for any incident affecting customer data. Post-incident review published to affected customers.
Backups & recovery
Daily encrypted backups with 7-day point-in-time recovery. Cross-region restore tested quarterly. RTO target 4 hours, RPO target 1 hour.
Secure development
Dependency scanning on every build. Automated security linter on database changes. Pull-request review required before deploy. Secrets never committed.
Compliance pack
Procurement-ready documents. Download the public summary versions below; counter-signable and full SIG / CAIQ versions are available under NDA.
Responsible disclosure
Found something? We work with security researchers in good faith. Email security@rillashield.app with reproduction steps. We acknowledge reports within 2 business days and will not pursue legal action against researchers acting in good faith within the scope below.
- In scope: rillashield.app, *.rillashield.app, RILLA Shield browser extension.
- Out of scope: social engineering, physical attacks, DoS, scanner output without verified impact.
- Please do not access or modify other users' data; use only test accounts.
Talk to security
Procurement, vendor risk, or insurer due diligence? Email security@rillashield.app and we'll get the right document in front of your team — typically within one business day.