Security
Trust is a feature, not a footnote
We architect Rimble.app so creative teams can move fast without bypassing reasonable security expectations — here is how we think about risk, data, and disclosure.
Security program
Defense in depth across product and platform
Encryption in transit & at rest
TLS 1.2 or newer for every browser session. Workspace blobs and exports are stored encrypted with provider-managed keys; Enterprise customers can arrange customer-managed keys where the storage provider supports them.
Data handling
We minimize retention of ephemeral model traffic. Project payloads belong to your workspace; deletion requests propagate to object storage on a best-effort basis, with the SLA documented in your agreement.
Infrastructure posture
Hardened containers, dependency scanning in CI, and segmented environments between preview, API, and marketing surfaces.
Access control
Role-based workspace access, optional SSO on Business+, and short-lived signed URLs for export downloads.
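As an added illustration of the last item (this is not Rimble's code; the signing key, host name and export paths below are constructed placeholders), here is the usual pattern behind short-lived signed download URLs: the server binds an object path to an expiry time under an HMAC, and the download endpoint accepts the link only if the expiry has not passed and the signature matches. Because path and expiry are signed together, neither can be changed without invalidating the link.

```python
import hmac
import hashlib
import time
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders for the example; a real deployment loads the key
# from a secret store and uses its own download host.
SIGNING_KEY = b"example-signing-key-do-not-use"
EXPORT_HOST = "https://exports.example.invalid"


def _canonical(path: str, expires: int) -> bytes:
    # Path and expiry are signed as one message, so a client cannot take a
    # valid signature from one export and reuse it on another path or with
    # a later expiry.
    return f"{path}\n{expires}".encode()


def sign_export_url(path: str, ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Return a download URL for `path` that is valid for `ttl_seconds`."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = hmac.new(SIGNING_KEY, _canonical(path, expires), hashlib.sha256).hexdigest()
    return f"{EXPORT_HOST}{path}?{urlencode({'expires': expires, 'sig': sig})}"


def verify_export_url(url: str, now: Optional[int] = None) -> bool:
    """Accept the URL only if it is unexpired and its signature is intact."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False  # missing or malformed parameters are rejected, not guessed
    if now > expires:
        return False  # the link has expired; issue a fresh one instead of extending it
    expected = hmac.new(SIGNING_KEY, _canonical(parsed.path, expires), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    link = sign_export_url("/exports/ws-42/project.zip", ttl_seconds=300)
    print(link)
    print("valid now:", verify_export_url(link))
    print("tampered path:", verify_export_url(link.replace("ws-42", "ws-43")))
```

The expiry is carried in the URL rather than looked up server-side, which keeps the download endpoint stateless; the trade-off is that a leaked link stays usable until it expires, which is why the TTL is kept short and the key is rotated on a schedule.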
Vulnerability disclosure
Coordinated response, responsible publication
We welcome good-faith research. Please avoid accessing data that is not yours, destructive testing against production, or social engineering of employees or users.
security@rimble.app

1. Report: Email security@rimble.app with reproduction steps. Encrypt sensitive attachments with our PGP key (available on request).
2. Triage: We acknowledge critical reports within one business day. Severity is rated using CVSS together with customer impact.
3. Remediate: Patches roll through staged environments before production. Customers under Enterprise agreements receive advance notice when action is required on their side.
Compliance attestations
Formal SOC 2 Type II reports and penetration test summaries are shared under NDA with Enterprise customers. We do not publicly badge certifications we have not completed.