Trust & Compliance

Security & Data Handling

Factual documentation of how Ruleward handles data, secures its infrastructure, and addresses the vendor security requirements of regulated financial institutions.

Data Model — Public Regulatory Documents Only

Ruleward's core architecture is designed with a single principle that distinguishes it from data-ingestion tools: Ruleward processes only publicly available regulatory documents. It does not ingest, store, or process any customer data.

What Ruleward processes

Federal Register publications, agency bulletin systems, regulatory guidance documents, enforcement actions, and interpretive letters — all public documents retrieved directly from government and regulatory body websites.

What Ruleward does not process

Customer loan files, transaction data, customer PII, internal compliance documentation, examination reports, or any proprietary institution data. None of this is required for regulatory monitoring and none of it enters Ruleward's systems.

This is a key differentiator for regulated enterprises with strict data minimization requirements under their information security policies and vendor due diligence processes. Ruleward's vendor risk profile is structurally lower than tools that require data ingestion to function.

Infrastructure & Encryption

Cloud Infrastructure

Ruleward is designed to operate in AWS US regions. All compute and storage are deployed within US boundaries. No data processing occurs outside US regions.

Encryption in Transit

All data transmitted between Ruleward systems and customer endpoints uses TLS 1.3. TLS 1.2 is supported for legacy integrations; TLS 1.0 and 1.1 are disabled.

Encryption at Rest

All persistent data is encrypted at rest using AES-256. Encryption keys are managed through AWS KMS with customer-controlled key options available for enterprise deployments.

Access Controls

Role-based access controls (RBAC) are enforced, with multi-factor authentication required for all administrative access. The principle of least privilege is applied to all service accounts. Access reviews are conducted quarterly.

SOC 2 & Compliance Program

SOC 2 Type II is in progress. Ruleward is designed with SOC 2 Type II controls in mind across the Trust Service Criteria — Security, Availability, and Confidentiality. We are currently preparing for our first Type II audit engagement. We will not claim certification we have not completed.

For enterprise customers requiring security documentation prior to audit completion:

  • Security questionnaires (standard vendor questionnaire formats) are available upon request
  • Infrastructure architecture documentation is available under NDA
  • A controls inventory mapping to SOC 2 Trust Service Criteria is available for customer review
  • Penetration test summary (most recent engagement) is available under NDA

Customers at banks, insurance carriers, and registered investment advisers that require annual vendor due diligence reviews are encouraged to contact us at [email protected] to initiate the vendor review process early in the evaluation.

Security questionnaire requests

Send security review requests directly to [email protected]. We respond to standard questionnaire formats within five business days.
