Security and Privacy at Ritual
At Ritual, we take the security and privacy of your data seriously. This document outlines our comprehensive approach to protecting your information and ensuring the integrity of our platform.
Data Security
- Event Monitoring and Logging: We have enabled comprehensive logging on all critical systems. These logs capture a wide range of events, including authentication attempts, application access, administrator actions, and system changes. We use a cloud-based monitoring and log management service for centralized log ingestion, analysis, and automated alerting. This service allows us to:
  - Collect and store logs from various sources across our infrastructure
  - Set up custom metrics and alarms based on log patterns or thresholds
  - Create dashboards for real-time visibility into system health and security events
  - Configure automated alerts to notify our security team of potential issues
  - Perform basic log analysis to identify trends or anomalies
  This approach enables us to maintain visibility into our systems’ security status, quickly detect potential security incidents, and respond promptly to any alerts.
- Backups: Our infrastructure is designed for 99.9% durability of objects. We perform automated daily backups of all customer and system data, which are encrypted and monitored.
- Data Erasure: As a controller of your data, you have the ability to request data deletion or self-serve your own deletion, subject to regulatory or legal retention requirements.
- Encryption:
  - At Rest: Customer data is encrypted using AES-256 on our internal networks, cloud storage, database tables, and backups.
  - In Transit: Data is encrypted using TLS 1.2 or greater.
- Physical Security: We leverage cloud service providers for hosting and defer physical security controls to them.
Application Security
- Code Analysis: Our security and development teams conduct threat modeling, secure design reviews, code audits, and security scans for new releases and updates.
- Software Development Lifecycle (SDLC): We follow a defined SDLC to ensure code is written securely, including design phase security reviews, code audits, and post-launch vulnerability management.
- Credential Management: We use a third-party Key Management Service (KMS) for secure key generation, storage, access control, and rotation.
- Vulnerability & Patch Management: Regular vulnerability scanning and package monitoring are performed, with issues triaged and resolved based on severity.
Access Control
- Data Access: We follow the principle of Least Privilege, granting access based on job function and business requirements. Regular access reviews are conducted.
- Logging: Our logging solution provides automated logging and alerting capabilities for critical systems.
- Password Security: We maintain stringent password management policies and require MFA wherever possible.
Infrastructure Security
- Anti-DDoS: We leverage third-party applications for DDoS protection.
- Data Center: Our infrastructure is hosted in fully redundant, secured cloud environments.
- Separate Environments: Customer data is never stored in non-production environments. We maintain separate development, testing, and production environments.
Product Security Features
- Domain Management: Workspace owners can claim ownership over email domains, unlocking domain management settings.
- SAML Single Sign-On (SSO): Available for Business and Enterprise customers.
- Audit Log: Detailed information about security and safety-related activity for workspace owners.
- Multi-Factor Authentication (MFA): Available to all plan types for added account protection.
- Permission Management: Granular control over user permissions and content access.
- Teamspace Management: Tools for workspace owners to manage and modify teamspace settings.
Last updated: July 4, 2024