Security at Risk Llama

Putting Data Security First

Highlights

  • Multi-layered network protection with AWS WAF rate limiting, CloudFront CDN enforcing TLS 1.2+, and continuous threat detection via GuardDuty

  • End-to-end encryption using AWS KMS-managed keys for all databases, with credentials securely stored in Secrets Manager

  • Advanced authentication featuring strong password policies, optional MFA, custom API authorizers, and admin-controlled user provisioning

  • Built-in resilience through multi-region replication, point-in-time recovery, automated backups, and deletion protection on all critical resources

  • Comprehensive audit logging via CloudTrail across all regions, with Lambda functions isolated in VPCs following least-privilege principles

Enterprise-Grade Protection

At Risk Llama, security isn't an afterthought; it's the foundation of everything we build. As a SaaS platform handling sensitive risk management data, we understand that our customers need to trust that their information is protected by industry-leading security measures. In this article, we'll walk you through the comprehensive security architecture that powers the Risk Llama platform.

Defense in Depth: Multi-Layered Network Protection

Risk Llama employs a defense-in-depth strategy that begins at the edge of our network. All traffic to our platform is protected by AWS Web Application Firewall (WAF) with intelligent rate-based limiting that automatically blocks suspicious IP addresses making excessive requests. Our CloudFront CDN distribution enforces HTTPS-only connections with TLS 1.2 minimum protocol requirements, ensuring all data in transit is encrypted using modern cryptographic standards. Additionally, our Content Security Policy headers prevent cross-site scripting attacks and restrict content sources to trusted domains only. Behind the scenes, AWS GuardDuty continuously monitors for malicious activity and threats, providing intelligent threat detection across our entire infrastructure.

Encryption Everywhere: Protecting Data at Rest and in Transit

Every piece of customer data stored in Risk Llama is encrypted. Our Aurora MySQL database clusters utilize AWS KMS (Key Management Service) with customer-managed encryption keys, ensuring that all data at rest is cryptographically secured. Database credentials and API keys are never hardcoded; instead, they're stored in AWS Secrets Manager and retrieved securely at runtime by authorized services only. Our Cognito user pool leverages dedicated KMS encryption for user data and authentication tokens. From DynamoDB tables to S3 buckets, encryption is enforced across our entire data layer, meaning your sensitive risk assessments and business intelligence remain protected regardless of where they reside.

Identity and Access Management: Secure Authentication by Design

Risk Llama implements robust identity and access management through Amazon Cognito with advanced security features enforced. Our authentication system requires strong passwords with a minimum of 10 characters, including uppercase, lowercase, and numeric characters. Multi-factor authentication (MFA) via software tokens is available for all users, adding an extra layer of protection against credential compromise. We've implemented custom Lambda authorizers that validate every API request against user permissions.

Resilience and Business Continuity: Built to Last

Risk Llama is architected for resilience across multiple dimensions. Our databases have point-in-time recovery enabled across all critical data stores, with automatic replication to multiple AWS regions ensuring geographic redundancy. The database cluster maintains automated backups with a 7-day retention period and global write forwarding for disaster recovery scenarios. Deletion protection is enabled on all databases, tables, and user pools, preventing catastrophic data loss. Our multi-region architecture, spanning EU, US, and Asia-Pacific regions, means that even in the event of a regional outage, your risk management operations can continue uninterrupted. With CloudTrail logging enabled across all regions, we maintain a complete audit trail of every API call made within our infrastructure.

Continuous Monitoring and Compliance: Security That Never Sleeps

Security at Risk Llama is an ongoing commitment, not a checkbox. AWS CloudTrail captures comprehensive logs of all infrastructure activity, stored securely in dedicated S3 buckets with strict access policies. Our Lambda functions operate within isolated VPCs with carefully configured security groups that follow the principle of least privilege. VPC endpoints for DynamoDB and S3 ensure that sensitive data never traverses the public internet. We've deployed Sentry monitoring functions across 15+ AWS regions globally, providing real-time visibility into system health and potential security anomalies. This combination of proactive monitoring, automated threat detection, and comprehensive logging ensures that Risk Llama maintains the highest security standards our enterprise customers expect and deserve.

Risk Llama is committed to maintaining the trust our customers place in us. If you have questions about our security practices or need additional documentation for your security review, please contact our team at support@riskllama.com.