Security & Compliance

Enterprise-Grade Trust

We follow global security and privacy best practices across GDPR, HIPAA, ISO 27001, and SOC 2 Type 2 frameworks so your data and your customers' data stay protected.

Our Frameworks

Four Global Compliance Standards

Every engagement is built on these foundational security frameworks.

GDPR

EU General Data Protection Regulation — lawful processing, consent, data subject rights, and breach notification.

HIPAA

Health Insurance Portability and Accountability Act — PHI protection, administrative and technical safeguards.

ISO/IEC 27001

Global information security management standard — policies, risk assessment, controls, and continual improvement.

SOC 2 Type 2

AICPA trust services — security, availability, processing integrity, confidentiality, and privacy over time.

GDPR

GDPR Compliance — EU Data Protection

Effective since May 2018, GDPR applies to anyone processing personal data of EU residents. RioCloud Solutions acts as a data processor and ensures full alignment.

What We Do

  • Lawful basis & consent: We capture explicit, granular consent with clear purpose descriptions.
  • Data minimization: We only collect what is necessary and store it for the minimum time required.
  • Data subject rights: Right to access, rectify, erase, port, restrict, and object — honored within 30 days.
  • Breach notification: 72-hour notification to authorities and affected users as required by Article 33.
  • Data Processing Agreements (DPA): Signed with every client and sub-processor.
  • International transfers: EU Standard Contractual Clauses (SCCs) for cross-border data flows.
  • DPO access: Data protection inquiries routed to our designated privacy officer.

Your Rights

As an EU resident you can request any of the following at any time by emailing info@riocloudsolutions.com:

  • A copy of all personal data we hold about you
  • Correction of inaccurate data
  • Deletion of your data ("right to be forgotten")
  • Portability of your data in machine-readable format
  • Withdrawal of consent at any time

HIPAA

HIPAA Compliance — Healthcare Data Protection

For healthcare, telehealth, and life sciences clients, we operate under HIPAA-aligned controls to protect electronic Protected Health Information (ePHI).

Administrative Safeguards

  • Workforce security training and background checks
  • Role-based access control with least privilege
  • Security incident response plans and drills
  • Business Associate Agreements (BAA) signed with all subcontractors
  • Annual risk assessments and mitigation plans

Physical Safeguards

  • Data center physical security and surveillance (via HIPAA-eligible cloud providers)
  • Device & media controls: encrypted disks, secure disposal
  • Facility access controls for any on-premise engagements

Technical Safeguards

  • AES-256 encryption at rest, TLS 1.3 in transit
  • Unique user identification and auto-logoff
  • Audit trails for every ePHI access
  • Data integrity verification and backups
  • MFA on all accounts that touch ePHI

ISO 27001

ISO/IEC 27001 — Information Security Management

Our Information Security Management System (ISMS) is aligned with ISO/IEC 27001:2022 across 93 Annex A controls covering people, process, and technology.

Control Domains We Implement

  • Organizational controls (37): Policies, roles, threat intelligence, supplier management
  • People controls (8): Screening, training, disciplinary, remote working
  • Physical controls (14): Perimeter security, clean desk, equipment lifecycle
  • Technological controls (34): Cryptography, malware protection, logging, secure coding, DLP, vulnerability management

Continual Improvement

We run an annual Plan-Do-Check-Act cycle with internal audits, management reviews, and corrective action tracking aligned with ISO 27001 requirements.

For Our Clients

We can support your own ISO 27001 certification journey with gap assessments, control implementation, internal audit services, and readiness reviews before external certification bodies like BSI, DNV, or TÜV.

SOC 2 Type 2

SOC 2 Type 2 — Trust Services Criteria

SOC 2 Type 2 evaluates the operational effectiveness of controls over a period of time (typically 6-12 months). We operate under all five Trust Services Criteria.

The Five Trust Services Criteria

  • Security (required): Protection against unauthorized access — firewalls, MFA, intrusion detection, penetration testing.
  • Availability: System uptime and performance — redundancy, backups, disaster recovery, SLAs.
  • Processing Integrity: Accurate, complete, and authorized processing — input validation, QA, monitoring.
  • Confidentiality: Protection of confidential data — classification, encryption, access restrictions.
  • Privacy: Personal information handling per AICPA privacy principles — notice, choice, access, disclosure.

Evidence & Attestation

We maintain continuous control evidence including access logs, change management records, incident response documentation, vendor management attestations, and employee security training records — all of which are typically required by SOC 2 auditors.

SOC 2 as a Service

We help SaaS companies and enterprise clients achieve their own SOC 2 Type 1 and Type 2 attestations — from gap analysis to readiness and ongoing evidence collection via tools like Vanta, Drata, or Secureframe.

Additional Safeguards

Beyond the Four Frameworks

Encryption

AES-256 at rest, TLS 1.3 in transit, managed keys via cloud KMS, no plaintext credentials in code.

Access Control

Zero-trust model, MFA required, least privilege, quarterly access reviews, SSO for client environments.

Audit Logging

Immutable audit trails for all access, changes, and data operations. Logs retained per framework requirements.

Incident Response

24/7 monitoring, defined escalation paths, customer notification within regulatory timeframes (GDPR 72h, HIPAA 60 days).

Data Residency

Client-specified data residency (EU, US, India, UK) with regional cloud providers. No cross-border transfers without SCCs.

Vendor Management

All subprocessors signed to DPAs/BAAs, vetted annually, compliance attestations on file.

Need a Compliance Pack?

Request our GDPR DPA, HIPAA BAA template, ISO 27001 statement of applicability, or SOC 2 readiness letter.
