App Security

Compliance

CASA – Cloud Application Security Assessment

Built upon OWASP's ASVS standards, CASA provides "a consistent set of requirements to harden security for any application" and "a uniform way to perform trusted assurance assessments."

HIPAA – Health Insurance Portability and Accountability Act

Richpanel completed a third-party HIPAA compliance audit by Scrut Automation in December 2025. The attestation letter and full scope are available on request through our DPO (dpo@richpanel.com).

What is HIPAA?

Passed in 1996, HIPAA provides "data privacy and security provisions for safeguarding medical information."

Richpanel's HIPAA Compliance Program

Measures audited and implemented include:

Third-Party HIPAA Audit

Conducted by Scrut Automation in December 2025. The audit covered HIPAA Privacy Rule and Security Rule controls across the Richpanel platform, processes, and personnel. Scope summary and attestation letter available on request.

Commitment to Continuous Improvement

"Compliance is not a one-time event, but a continuous journey." Next audit cycle: 2026.

Product Security

SSO & 2FA

SAML Single Sign-on (SSO) and 2-factor authentication (2FA) supported.

Permissions

Permission levels cover app settings, billing, user data, read/send messages.

Uptime

99.9% or higher; stats at https://richpanel.statuspage.io/

Network and Application Security

Data Hosting and Storage

Hosted on AWS in Oregon (us-west-2).

Failover and DR

Infrastructure spread across 3 AWS availability zones.

Virtual Private Cloud

Servers within a VPC with network ACLs blocking unauthorized requests.

Backups and Monitoring

Audit logs for all activity; logs shipped to ELK and CloudWatch; S3 for archival.

Permissions and Authentication

Encryption

Pentests & Vulnerability Scanning

Continuous third-party scanning; annual penetration tests by external security experts.

Incident Response

Protocol includes "escalation procedures, rapid mitigation and post mortem."

Additional Security Features

Training

All employees complete Security and Awareness training annually.

Policies

Comprehensive security policies, updated frequently, shared with all employees.

Employee Vetting

Background checks on all new employees per local laws.

Confidentiality

All employee contracts include a confidentiality agreement.

Customer Best Practices

Customers encouraged to follow security best practices via Richpanel's documentation site.