App Security
Richpanel takes a defense-in-depth approach to protecting customer data — from how the application is built and tested, to how the infrastructure is hosted, to how our team is trained. This page summarizes the controls we have in place across compliance, product security, network and application security, and our day-to-day operating practices.
Compliance
CASA – Cloud Application Security Assessment
Built upon OWASP's ASVS standards, CASA provides "a consistent set of requirements to harden security for any application" and "a uniform way to perform trusted assurance assessments."
HIPAA – Health Insurance Portability and Accountability Act
Richpanel is "self-certified for HIPAA compliance."
What is HIPAA?
Passed in 1996, HIPAA provides "data privacy and security provisions for safeguarding medical information."
Richpanel's HIPAA Compliance Journey
Measures implemented include:
- Data Encryption: PHI encrypted in transit and at rest
- Access Controls: PHI access limited to employees needing it for job functions
- Regular Audits: Periodic reviews to address vulnerabilities
- Employee Training: Regular staff training on HIPAA responsibilities
Self-Certification Process
The self-certification process involved an internal audit and collaboration with legal experts and HIPAA consultants.
Commitment to Continuous Improvement
"Compliance is not a one-time event, but a continuous journey."
Product Security
SSO & 2FA
Richpanel supports SAML Single Sign-On (SSO) and two-factor authentication (2FA).
Permissions
Permission levels govern access to app settings, billing, user data, and reading and sending messages.
Uptime
Uptime is 99.9% or higher; live statistics are published at https://richpanel.statuspage.io/
Network and Application Security
Data Hosting and Storage
Richpanel is hosted on AWS in Oregon (us-west-2).
Failover and DR
Infrastructure is spread across three AWS availability zones.
Virtual Private Cloud
Servers run within a VPC, with network ACLs blocking unauthorized requests.
Backups and Monitoring
Audit logs are kept for all activity; logs are shipped to ELK and CloudWatch, with S3 used for archival.
Permissions and Authentication
- Access limited to authorized employees
- Served 100% over HTTPS
- Zero-trust corporate network
- SAML SSO, 2FA, and strong password policies on Bitbucket, Google, AWS, and Richpanel
Encryption
- API/application endpoints are TLS/SSL only; "A+" rating on Qualys SSL Labs' tests
- HSTS and Perfect Forward Secrecy enabled
- Data at rest encrypted with AES-256
Pentests & Vulnerability Scanning
Continuous third-party vulnerability scanning, plus annual penetration tests by external security experts.
Incident Response
The incident response protocol includes "escalation procedures, rapid mitigation and post mortem."
Additional Security Features
Training
All employees complete Security and Awareness training annually.
Policies
Comprehensive security policies are maintained, updated frequently, and shared with all employees.
Employee Vetting
Background checks are performed on all new employees in accordance with local laws.
Confidentiality
All employee contracts include a confidentiality agreement.
Customer Best Practices
Customers are encouraged to follow the security best practices published on Richpanel's documentation site.