Security

Last updated: June 18, 2026

Ricca handles sensitive industrial engineering data — P&IDs, instrument indices, and project documentation that belong to your clients and projects. We take that responsibility seriously. This page describes the technical and organisational measures we have in place to protect your data.

Encryption

All data transmitted between your browser and the Ricca platform is encrypted in transit using TLS 1.2 or higher. Data stored at rest — including project files, instrument registers, and account information — is encrypted using AES-256. Backups are encrypted using the same standard.

Data Isolation

Every project and workspace on Ricca is protected by row-level security (RLS) policies enforced at the database layer. Your data is logically isolated from all other users — no cross-tenant data access is possible by design. Workspace isolation on the Enterprise plan adds an additional boundary at the application layer.

Infrastructure

Ricca is built on industry-standard cloud infrastructure. Our application layer runs on Vercel's global edge network with automatic DDoS mitigation and TLS termination. Data storage and authentication use Supabase, which is hosted on AWS in your selected region. All infrastructure providers operate certified data centres and maintain their own compliance programmes.

Production access is restricted to authorised engineers using multi-factor authentication. No member of our team can access your raw project files without your explicit involvement in a support case.

Authentication and Access Controls

User authentication is handled by Supabase Auth, which supports email/password login with passwords stored as bcrypt hashes. Enterprise customers have access to SSO via SAML 2.0, Okta, and Azure AD. All authenticated sessions use short-lived JWTs with automatic rotation.

Role-based access control (RBAC) on the Enterprise plan allows workspace administrators to grant members Admin, Engineer, or Viewer roles — limiting what each person can view, create, edit, or export.

AI Processing

When you upload documents for AI-assisted parsing or extraction, files are sent to our AI provider solely to complete your specific request. Files are deleted from the AI provider's systems immediately after processing completes. We have contractual data processing agreements in place to prevent your data from being used to train any foundation AI model.

We never use your proprietary engineering data to improve or fine-tune our AI models.

Rate Limiting and Abuse Prevention

API endpoints are rate-limited to prevent abuse and protect platform availability for all users. Anomalous usage patterns are monitored and automatically throttled. Authentication endpoints include brute-force protection with account lockout policies.

Audit Trails

Enterprise plan customers have access to a full audit log capturing who viewed, edited, exported, or shared project data — including timestamps and IP addresses. Audit records are immutable and retained for a minimum of 7 years to support engineering compliance obligations.

Incident Response

In the event of a confirmed data breach affecting your personal data, we will notify affected users and, where required by law (including under GDPR Article 33/34), the relevant supervisory authority within 72 hours of becoming aware of the incident. Notification will include the nature of the breach, the data involved, likely consequences, and remediation steps taken.

Vulnerability Disclosure

We welcome responsible security research. If you discover a vulnerability in the Ricca platform, please report it to us at team@usericca.xyz with a clear description and reproduction steps. We ask that you:

  • Give us reasonable time to investigate and remediate before public disclosure
  • Avoid accessing, modifying, or deleting data that is not yours
  • Not disrupt service availability during your testing

We will acknowledge your report within 3 business days and keep you informed as we work toward a resolution.

Sub-Processor Security

All third-party sub-processors we use are vetted for security and bound by data processing agreements. We require that sub-processors implement appropriate technical and organisational measures consistent with the standards described in this page. Our sub-processor list is available on request.

Questions

For security-related questions or to report a vulnerability, contact us at team@usericca.xyz.