Security at RMC

Security is built into how we design, build, and run software — not bolted on at the end. We follow industry best practices and align our controls with ISO 27001 and the UK Cyber Essentials framework.

• Hosted on AWS / GCP regions in the UK and EU
• Network isolation via VPCs and private subnets
• All traffic encrypted in transit (TLS 1.2+)
• Data encrypted at rest (AES-256)
• Automated, tested backups with point-in-time recovery

• Mandatory code review for every change
• Static analysis (SAST) and dependency scanning in CI
• Secrets managed via dedicated secret stores, never in code
• OWASP Top 10 reviewed during design and QA

• Single sign-on with mandatory MFA
• Least-privilege access by role
• Just-in-time elevation for production access
• Quarterly access reviews

• Centralised logging and audit trails
• 24/7 alerting on anomalous activity
• Documented incident response runbook
• Customer notification within 72 hours of confirmed incidents

• PII redaction in logs and AI training data
• Data residency options (UK / EU)
• Data deletion on contract termination
• Sub-processors under written DPAs

• Customer data is never used to train third-party models
• Prompt injection mitigations and tool sandboxing
• Output filtering for PII and sensitive content
• Per-tenant isolation for vector stores and memory

• UK GDPR / Data Protection Act 2018
• ISO 27001 control alignment
• UK Cyber Essentials
• SOC 2 Type II — in progress

We commission independent penetration tests annually and after any material change to production systems. Reports are available to enterprise customers under NDA.

If you believe you have found a security issue, please email security@rmctech.co.uk. We acknowledge reports within 24 hours and triage promptly. We thank researchers who disclose responsibly.