​

Security

Last updated: Nov 17, 2025

​

Executive Summary

Security and compliance are top priorities at Responsibly. We are committed to securing your application’s data, eliminating system vulnerabilities, and ensuring continuous access. Responsibly is a multi‑tenant SaaS platform that converts raw supplier data into actionable risk intelligence. The architecture cleanly separates edge/API and data‑processing planes:

• Web UI and all API endpoints run as serverless functions on Vercel’s Edge Network (EU project region). Traffic is protected by the Web Application Firewall Vercel Firewall, providing always‑on DDoS mitigation and . Vercel holds SOC 2 Type II and ISO 27001 certifications.
• Background enrichment jobs and data stores reside in Amazon Web Services (AWS) EU regions. AWS infrastructure is certified to ISO 27001/17/18 and SOC 2.
• Auth0 supplies authentication and authorisation, enforcing MFA‑ready OIDC flows. Autho0 is certified to ISO 27001 and SOC 2 standards.

Every data path is encrypted (TLS 1.2+ in transit, AES‑256 at rest). Data is backed up daily with point‑in‑time restore to 24 hours, and each customer’s data is logically segregated by organisation ID. During 2025 we are rolling out a formal Information Security Management System (ISMS) aligned to ISO 27001 controls. While external certification is not currently planned, the ISMS will be fully operational—supported by documented policies, risk registers, internal audits, and management reviews—by 31 December 2025.

​

Company & Solution Overview

• Platform workflow – Ingest → Enrich → Score → Surface (UI/API).
• Core Components – Vercel Edge Network & CDN (frontend/UI), AWS S3, RDS (PostgreSQL), DynamoDB, Lambda, Fargate (API & data processing), Auth0 (IAM).
• Shared‑Responsibility Model – Vercel (edge delivery & web‑application firewall), AWS (IaaS/PaaS security for API & data), Responsibly (application logic & data within tenancy), Client (user access, data accuracy).

​

Hosting Architecture

Cloud Service Providers

• Vercel (Edge/UI) – Global edge network with EU project region selected; provides automatic TLS, Web Application Firewall, and DDoS mitigation. Vercel is SOC 2 Type II and ISO 27001 certified – see section 13.
• AWS (API & Data) – Workloads run in EU‑West‑1 availability zones; AWS holds ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, PCI‑DSS, and more – see section 13.

Logical Architecture

• Browser → Vercel Edge CDN & WAF → AWS Application Load Balancer (TLS) → micro‑services (Fargate) inside private subnets.
• Data layer: RDS (PostgreSQL) for relational data, DynamoDB for key/value, S3 for object storage.
• VPC endpoints restrict traffic between services; ALB terminates TLS for API traffic coming from Vercel.

Tenancy Model

• Multi‑tenant design; every customer is assigned an organisation ID enforced at the application layer.

​

Data Residency

• Client‑generated data and backups remain within AWS EU regions.

​

Governance, Risk & Compliance

Frameworks adopted – ISO 27001 (control framework only; certification planned), NIST CSF (key recommendations adopted fitting our size), GDPR. ISMS Implementation Roadmap

• We are in process of implementing an ISMS (Information Security Management System) with certification planned with the deadline 31st of December, specifically ISO 27001.

External Certification Plans

• Key infrastructure suppliers are certified by ISO 27001, SOC 2 and more (see section 13). At present Responsibly does not pursue SOC 2 certification. Certification may be evaluated in the future if required by specific customer contracts.

Policy Suite Status

• Drafts in review: Information Security Policy, Access Control Policy, Secure Development Policy.
• Pending: Data Classification & Handling Standard, Incident Response Plan. ’

We are a small team where the CTO and CEO directly have access and monitor incidents reported with special attention on severe issues and SLA deadlines. We manage all issues in Linear with daily stand-ups and weekly sprints. Any escalation needed is discussed here. Our customer success team is responsible for monitoring issues reported under SLA and ensuring our response structure and timelines are adhered to. For issues not falling under SLA, they fall under the responsibility of our Chief Product Officer to manage. Risk Management Process

• Bi-annual risk workshops establish, assess, and treat risks; residual risk and KPI dashboard reported to the executive team.

​

Data Security

Encryption in Transit

• All public endpoints enforce TLS 1.2+ with FS cipher suites (AES-GCM).
• Mutual TLS optional for API-to-API integration.
• End-to-end SSL/TLS also secures service-to-service traffic inside the AWS VPC, protecting data from lateral-movement attacks.

Key Management

• Keys generated and stored in AWS Key Management Service.
• Automatic rotation every 365 days.
• IAM separation: Security Team manages CMKs; platform services assume least-privilege roles.

Secrets Handling

• Database credentials & signing secrets stored in AWS Secrets Manager, encrypted at rest and rotated quarterly.

​

Identity & Access Management

• Authentication – Auth0 (OIDC) with optional MFA depending on customer preference; session represented by signed JWT (RS256) shared via JWKS between Auth0 and Responsibly.
• Authorisation – RBAC in Auth0; app-level enforcement of org-scoped roles (Admin, Analyst, Read-Only).
• Remote Access – Admin console access limited to company laptops over SSO; AWS Console & CLI require MFA.
• Password Hygiene – Employees store secrets in 1Password; all endpoints use device full-disk encryption.
• Least-Privilege Integrations – When connecting to client data warehouses we request only the minimum OAuth scopes and never require super-user access.

​

Application & Development Security

• Secure SDLC – Code reviewed via pull requests; CI pipeline enforces SAST.
• Dependencies – Automated dependency scanning in place
• Penetration Testing – None to date; may be evaluated in the future if required by specific customer contracts. Tentative plan to contract CREST-certified tester annually starting 2026.
• Secrets in Code – Secret scanning prevent credential commits.

​

Infrastructure & Platform Security

• Network Hardening – Security Groups apply least privilege.

• Endpoint Security – All employee devices: full‑disk encryption.
• DDoS & WAF – AWS Shield Standard and AWS WAF applied at ALB & CloudFront.

​

Incident Response

• Initial Response – ≤ 60 min triage by on-call engineer.
• Containment & Eradication – Within 24 hours depending on severity.
• Notification – Clients informed within 24 h of confirmed breach.
• No security incidents recorded as of 18 november 2025.

​

Business Continuity & Disaster Recovery

​

Data Lifecycle Management

• Retention – Tied to contract; default 7 years unless told otherwise.
• Secure Deletion – S3 object overwrite & Dynamo/RDS crypto-shred using KMS CMK destruction.
• Org Segregation – All supplier & client artifacts keyed by organisation ID; never exposed cross-tenant.

​

Privacy & Data Protection

• Responsibly is classified as a Data Controller according to GDPR. Read more in our privacy policy here: https://www.responsibly.tech/privacy-policy.
• Platform designed to minimise personal data collection; supporting privacy-by-design principles.

​

Infrastructure Suppliers

Responsibly is built on key infrastructure providers with extensive safeguards such as:

​

Employee Security & Awareness

• Annual security awareness training; attendance tracked.
• Certification encouragement (CISSP, CISM); reimbursement available.
• Simulated phishing drills each year.
• Encrypted endpoints (employee laptops), with remote lock or wipe capabilities.