RhizarRhizar/Legal

Security Standard

Last updated: February 26, 2026

Rhizar Security Standard

Effective Date: January 22, 2026
Last Updated: January 22, 2026

1. Overview

Helix Build, LLC d/b/a Rhizar ("Rhizar") is committed to protecting the security and confidentiality of Customer Data processed through the Rhizar AI Analyst platform. This Security Standard describes the technical and organizational measures Rhizar implements to safeguard Customer Data.

2. Data Security Controls

2.1 Encryption

Data in Transit:

  • All data transmitted between Customer systems and Rhizar's Service is encrypted using Transport Layer Security (TLS) 1.2 or higher
  • All API communications use HTTPS with TLS 1.2+

Data at Rest:

  • Customer Data stored in databases is encrypted using AES-256 encryption or equivalent
  • File storage uses server-side encryption with AES-256 or equivalent
  • Encryption keys are managed through industry-standard key management systems

2.2 Access Controls

Authentication:

  • Multi-factor authentication (MFA) is required for all administrative access to production systems
  • Password policies require minimum complexity standards (minimum 12 characters, combination of uppercase, lowercase, numbers, and special characters)
  • Session timeouts are enforced after periods of inactivity

Authorization:

  • Role-based access control (RBAC) limits system access based on job function and principle of least privilege
  • Customer Data is logically segregated between customers
  • Administrative access to Customer Data is restricted to authorized personnel with a legitimate business need

Account Security:

  • Regular review and removal of inactive user accounts
  • Immediate revocation of access upon employee termination
  • Audit logging of all administrative access to production systems

2.3 Network Security

  • Firewalls and network segmentation protect production systems
  • Intrusion detection and prevention systems monitor network traffic
  • Regular vulnerability scanning of network infrastructure
  • Denial-of-service (DDoS) protection mechanisms

2.4 Application Security

  • Secure software development lifecycle (SDLC) practices
  • Regular security testing including vulnerability assessments
  • Input validation and sanitization to prevent injection attacks
  • Protection against common web application vulnerabilities (OWASP Top 10)
  • Regular security patches and updates to third-party dependencies

3. Infrastructure Security

3.1 Hosting and Cloud Services

Rhizar utilizes Supabase and Vercel for infrastructure hosting. These providers maintain:

  • SOC 2 Type II certification or equivalent
  • Physical security controls for data centers
  • Redundant power and network connectivity
  • Environmental controls (temperature, humidity, fire suppression)

3.2 Backup and Recovery

  • Automated daily backups of Customer Data
  • Backups are encrypted using the same standards as production data
  • Regular testing of backup restoration procedures
  • Geographic redundancy for critical data
  • Backup retention period: 90 days (rolling)

3.3 Business Continuity

  • Disaster recovery plan tested annually
  • Defined recovery time objectives (RTO) and recovery point objectives (RPO)
  • Incident response procedures for security events

4. Organizational Security

4.1 Personnel Security

Background Checks:

  • Background checks conducted for employees with access to Customer Data, to the extent permitted by applicable law

Training:

  • Annual security awareness training for all employees
  • Specialized training for personnel handling Customer Data
  • Regular updates on emerging security threats and best practices

Confidentiality:

  • All employees sign confidentiality agreements
  • Non-disclosure obligations survive employment termination

4.2 Third-Party Security

Vendor Management:

  • Security assessments of third-party service providers who process Customer Data
  • Contractual requirements for third parties to maintain appropriate security measures
  • Regular review of third-party security posture

Current Third-Party Processors:

  • Anthropic (Claude API) - AI model provider
  • LlamaIndex/LlamaCloud - Document processing and indexing
  • Supabase - Database, authentication, file storage
  • Vercel - Application hosting
  • Resend - Email delivery
  • HubSpot - Marketing and CRM (contact data only, not Customer Data)

All third-party processors are contractually required to maintain security standards at least as stringent as those described in this Security Standard.

5. Monitoring and Logging

5.1 Security Monitoring

  • 24/7 automated monitoring of production systems
  • Real-time alerts for suspicious activity or security anomalies
  • Regular review of security logs and access patterns
  • Security information and event management (SIEM) tools

5.2 Audit Logging

  • Comprehensive logging of user activities, system events, and data access
  • Logs retained for minimum of 90 days
  • Logs protected from unauthorized modification or deletion
  • Regular analysis of logs for security incidents

6. Incident Response

6.1 Security Incident Management

Rhizar maintains an incident response plan that includes:

  • Defined roles and responsibilities
  • Incident classification and escalation procedures
  • Investigation and containment procedures
  • Root cause analysis and remediation
  • Post-incident review and lessons learned

6.2 Breach Notification

In the event of a confirmed security breach that affects Customer Data:

  • Rhizar will notify affected Customers without undue delay and in accordance with applicable law
  • Notification will include description of the breach, affected data, steps taken to mitigate, and recommended actions for Customer
  • Rhizar will cooperate with Customer's investigation and remediation efforts

7. Compliance and Audits

7.1 Compliance Program

  • Regular review and updates to security policies and procedures
  • Tracking of applicable privacy and security regulations (GDPR, CCPA, etc.)
  • Internal compliance assessments

7.2 Security Assessments

  • Annual internal security assessments
  • Periodic third-party penetration testing
  • Vulnerability assessments and remediation

7.3 Customer Audits

Upon reasonable advance written notice and no more than once per year (unless required by applicable law or following a security incident), Customer may:

  • Request written responses to security questionnaires
  • Review documentation evidencing Rhizar's compliance with this Security Standard
  • Conduct audits of Rhizar's security controls, subject to execution of appropriate confidentiality agreements

8. Data Retention and Deletion

8.1 Data Retention

  • Customer Data is retained during the active Subscription Term
  • Backups are retained on a rolling 90-day cycle
  • Financial records retained for 7 years in accordance with legal requirements

8.2 Data Deletion

Upon termination of the Agreement:

  • Customer Data will be deleted from production systems within 30 days (or earlier upon Customer request)
  • Customer Data in backups will be deleted in accordance with the rolling 90-day backup retention cycle
  • Deletion is permanent and irreversible (subject to legal hold requirements)

9. Security Standard Updates

Rhizar may update this Security Standard from time to time to reflect:

  • Process improvements
  • Changes in technology or industry best practices
  • New or modified legal or regulatory requirements
  • Changes to infrastructure or third-party providers

Updates will comply with Section 6.4 of the Master Services Agreement (no material diminishment of Rhizar's obligations during active Subscription Term).

10. Contact Information

For questions about this Security Standard or to report security concerns:

Email: legal@rhizar.com
General Inquiries: info@rhizar.com
Address: Helix Build, LLC d/b/a Rhizar, 309 NW Dogwood Street, Issaquah, WA 98027

Privacy PolicyTerms of Service
    Security Standard - Rhizar