Rudrriv Trust Center

Information security and secure delivery

Rudrriv uses a risk-based security approach to protect customer information, manage access and support dependable delivery. Controls are matched to the work, systems and sensitivity of the information involved.

  • Risk-based governance
  • Least-privilege access
  • Secure delivery practices
  • Incident readiness
Security control modelPeople, process and technology
Risk based
PreventReduce avoidable risk
DetectIdentify material issues
RespondAct with clear ownership
Direct answer

How Rudrriv approaches information security

Rudrriv treats information security as an operational responsibility across people, processes and technology. Security requirements are considered when access is approved, work is designed, systems are configured, information is handled and services are changed.

Controls are applied proportionately. The exact measures depend on the service, customer environment, data sensitivity, platform capabilities, contractual requirements and assessed risk. Customers can request service-specific security information during procurement or contracting.

Security principles

The principles behind our security decisions

These principles guide how Rudrriv evaluates access, handles customer information and chooses safeguards across different delivery models.

Risk-based protection

Security controls are selected according to the service, information involved, access required, contractual commitments and assessed risk.

Least-privilege access

Access is intended to be limited to authorised people, approved purposes and the minimum permissions needed to perform assigned work.

Defence in depth

People, process and technology controls are combined so that protection does not depend on a single safeguard.

Accountability and visibility

Documented ownership, review points, access records and issue escalation support clear security accountability.

Continuous improvement

Security practices are reviewed as services, technologies, threats, customer requirements and applicable obligations change.

Shared responsibility

Rudrriv, customers and technology providers each have responsibilities for secure configuration, access, information handling and timely decisions.

Security lifecycle

Security before, during and after service delivery

Security is most effective when it is part of routine delivery rather than a separate final check.

Before access

Define the boundary

  • Confirm the service scope and responsible owners.
  • Identify required systems, data and permissions.
  • Review material security and contractual requirements.
  • Limit access to what is needed for approved work.
During delivery

Operate with control

  • Use approved systems and secure working practices.
  • Apply review, testing and change controls proportionate to risk.
  • Protect credentials and restrict unnecessary data movement.
  • Escalate security concerns through defined channels.
Ongoing and exit

Review and close responsibly

  • Review access and control effectiveness when conditions change.
  • Remove access when roles or engagements end.
  • Return, retain or delete information according to agreed terms.
  • Record lessons and improve relevant safeguards.
Control areas

A layered information security programme

The controls below describe the main security areas considered across Rudrriv operations and customer delivery.

Send a questionnaire

Governance and risk management

  • Defined security ownership
  • Risk-informed control selection
  • Policy and process review
  • Contractual security requirements

Identity and access management

  • Role-based access where supported
  • Multi-factor authentication where available and appropriate
  • Controlled privileged access
  • Access review and removal processes

Endpoint and workforce security

  • Managed device expectations
  • Security updates and protective tooling
  • Secure remote-working practices
  • Security awareness and confidentiality obligations

Cloud and platform security

  • Configuration based on business need and risk
  • Separation of customer environments where applicable
  • Protected administrative access
  • Review of material platform changes

Secure development and change

  • Security considered during design and delivery
  • Peer review and testing as appropriate
  • Dependency and vulnerability awareness
  • Controlled release and rollback planning

Data protection

  • Data minimisation
  • Purpose-limited access and use
  • Encryption capabilities where applicable
  • Retention and secure disposal requirements

Logging and monitoring

  • Relevant event logging where supported
  • Review of security signals and anomalies
  • Escalation of material findings
  • Evidence preservation when required

Incident readiness

  • Defined reporting and escalation paths
  • Containment and investigation support
  • Customer communication based on facts and obligations
  • Lessons learned and corrective actions

Resilience and continuity

  • Continuity considerations for critical work
  • Backup and recovery responsibilities
  • Dependency awareness
  • Restoration priorities based on impact

Third-party risk

  • Supplier suitability review
  • Access and data-sharing limits
  • Contractual safeguards where appropriate
  • Dependency and concentration-risk awareness

Vulnerability management

  • Security issue intake and triage
  • Risk-based remediation
  • Patch and dependency review
  • Good-faith vulnerability reporting channel

Privacy-supporting controls

  • Data handling mapped to approved purposes
  • Restricted access to personal data
  • Support for deletion or return obligations
  • Coordination with applicable privacy requirements
Customer information

Data handling starts with purpose and minimisation

Rudrriv aims to avoid collecting or accessing information that is not required for the agreed service.

The customer contract, instructions, technology architecture and applicable data protection terms determine the detailed handling requirements for each engagement.

Customer-controlled environments Where work occurs inside customer-managed systems, the customer normally controls the platform, account administration, retention configuration and final access approval unless the contract states otherwise.
1

Purpose

Identify why information is needed and which approved service activity it supports.

2

Minimum access

Limit information and permissions to what authorised personnel need for assigned work.

3

Protected use

Use approved tools, appropriate safeguards and controlled sharing during delivery.

4

Review and close

Review continued need and apply agreed return, retention, deletion or access-removal requirements.

Global references

Security practices informed by recognised standards and guidance

Rudrriv uses established security frameworks as references when structuring controls, discussing risk and evaluating service requirements.

Management-system reference

ISO/IEC 27001:2022

Used as a reference for risk-based information security governance, control ownership and continual improvement.

Risk-outcome reference

NIST Cybersecurity Framework 2.0

Supports a structured view of Govern, Identify, Protect, Detect, Respond and Recover outcomes.

Safeguard reference

CIS Critical Security Controls v8.1

Provides prioritised, practical safeguards for common enterprise technology and cyber-risk scenarios.

Application-security reference

OWASP security guidance

Informs secure application design, verification and common web-application risk reduction where relevant to delivery.

Clear assurance statement: Referencing or aligning practices with a framework does not by itself mean Rudrriv is certified, audited or independently attested against that framework. Formal assurance will be stated only when supported by current evidence.
Shared responsibility

Security works best when responsibilities are explicit

The allocation below is a general guide. Final responsibilities are determined by the contract, service architecture and account ownership.

Rudrriv responsibilities may include

  • Applying agreed controls within Rudrriv-managed work and systems.
  • Restricting workforce access to approved business purposes.
  • Protecting credentials and following secure delivery processes.
  • Escalating material security concerns and supporting investigation.
  • Removing access and handling information according to agreed exit requirements.

Customer responsibilities may include

  • Providing accurate scope, data classification and security requirements.
  • Approving accounts, permissions, integrations and customer-managed configurations.
  • Maintaining secure customer credentials, endpoints and internal user access.
  • Reviewing deliverables, alerts and decisions that require customer authority.
  • Promptly notifying Rudrriv about access changes, suspected compromise or new constraints.
Customer assurance

Security information for procurement and due diligence

Rudrriv can support reasonable customer security reviews while protecting confidential operational and third-party information.

Information customers may request

  • Service-specific security questionnaire responses
  • Relevant data-flow and system-boundary information
  • Applicable subprocessor or technology dependency information
  • Contractual security and data-handling commitments
  • Available evidence subject to confidentiality and legal restrictions

How requests are handled

  • Requests are reviewed against the proposed or active service scope.
  • Sensitive documentation may require an appropriate non-disclosure agreement.
  • Rudrriv may redact information that could increase security risk or breach third-party obligations.
  • Customer-specific requirements should be agreed before access or processing begins.
  • Formal commitments must be included in signed contractual documents.

Need security information for your review?

Send the service scope, required deadline and questionnaire or evidence list.

Contact support@rudrriv.com
Responsible reporting

Report a suspected security issue

Good-faith reports help us identify and address potential security problems.

Submit a report

Include enough information for effective review

Please provide the affected URL or service, a clear description, reproduction steps, observed behaviour, potential impact and safe supporting evidence.

Please do

  • Use only the minimum testing needed.
  • Protect any accidentally accessed information.
  • Allow a reasonable investigation period.

Please do not

  • Disrupt services or degrade availability.
  • Use social engineering or physical intrusion.
  • Access unrelated records or publish sensitive details prematurely.
Security questions

Frequently asked questions

These answers provide general information. Service-specific commitments are defined in the applicable contract and supporting documents.

Is Rudrriv ISO/IEC 27001 certified?
This page describes Rudrriv's security approach and the recognised frameworks used as references. It does not represent ISO/IEC 27001 certification or any other certification unless Rudrriv separately publishes a current certificate or independent assurance report.
Does Rudrriv use multi-factor authentication?
Multi-factor authentication is expected for supported systems where it is available and proportionate to the access risk. Exact controls can vary by customer environment, platform capability, delivery model and agreed scope.
How is customer access controlled?
Access should be approved, purpose-limited and restricted to authorised personnel. Permissions are intended to follow least-privilege principles and be removed when no longer required. Customer-managed systems may also require customer approval or administration.
How does Rudrriv handle customer data?
Customer data should be used only for agreed services and authorised purposes. The applicable contract, data processing terms, customer instructions and platform capabilities determine access, retention, transfer, return and deletion requirements.
Where is customer data stored?
Data location depends on the service, customer-selected systems, approved subprocessors and project architecture. Rudrriv can document relevant systems and data flows during contracting or security review where the scope requires it.
Does Rudrriv encrypt data?
Encryption capabilities are used where supported, appropriate and required by the service design or contract. The exact encryption method and responsibility depend on the platform, data type, integration and whether the environment is managed by Rudrriv, the customer or a third party.
How are security incidents handled?
Potential incidents are intended to be reported, assessed, contained and investigated according to their nature and impact. Customer notification is based on verified information, contractual requirements and applicable legal obligations.
Can customers complete a security review?
Yes. Customers may send reasonable security questionnaires or due-diligence requests to support@rudrriv.com. The information available may depend on confidentiality, service scope, legal restrictions and whether a mutual non-disclosure agreement is required.
Does Rudrriv conduct penetration testing?
Testing requirements depend on the service and system boundary. Where penetration testing or another independent assessment is material to a customer engagement, the scope, frequency, responsible party and evidence-sharing terms should be agreed contractually.
How can I report a suspected vulnerability?
Send a clear description, affected URL or service, reproduction steps and potential impact to support@rudrriv.com. Do not access unnecessary data, disrupt services, use social engineering, or publicly disclose the issue before Rudrriv has had a reasonable opportunity to investigate.

Last reviewed: July 2026

Discuss security requirements before work begins

Share your service scope, data sensitivity, system requirements and review process so the right safeguards and responsibilities can be defined early.

Start a security discussion