1. Our approach
Ringlio is a small Perth team running production AI for real local businesses — trades, real estate, clinics, salons, venues and consultancies. We treat customer data and end-customer conversations as genuinely sensitive, and we keep our infrastructure deliberately simple so we can actually reason about where data lives.
We don't chase certifications for their own sake. The controls below are what we actually run today — we'll update this page as our practices evolve.
2. Encryption
- In transit. All traffic between customers, end-customers, our website, agent endpoints, and our sub-processors is encrypted using TLS 1.2 or higher.
- At rest. Customer data, conversation transcripts and backups are stored on cloud infrastructure with disk-level encryption enabled by default.
- Secrets. API keys, model credentials and integration tokens are held in a managed secret store, never checked into source control and never shared over unencrypted channels.
3. Access control and authentication
- Access to production systems is restricted to Ringlio founders and explicitly named contributors. We work on a least-privilege basis — people only have the access they need to do their job.
- All administrative accounts require strong passwords plus multi-factor authentication.
- Access is reviewed when anyone joins or leaves, and revoked immediately on departure.
- We log administrative actions on production systems so we can audit who did what.
4. Secure development
- Changes to production go through code review before deployment.
- Dependencies are tracked and kept current; known-vulnerable packages are patched or replaced promptly.
- We avoid rolling our own cryptography. We use well-established libraries and platform primitives.
- Sensitive values are never logged. Where transcripts are logged for quality review, they are treated as customer data and protected accordingly.
5. Data isolation
Each customer's business knowledge, tone calibration and conversation history is logically isolated. We do not train shared models on one customer's conversations to serve another customer. Your agent is trained on your content and reasons from your content only.
Where we use third-party AI model providers, we use their business-tier APIs with data-retention controls configured to exclude customer data from provider training.
6. Sub-processor security
We rely on a short list of reputable sub-processors — cloud infrastructure, AI model providers, SMS gateways, calendar APIs, email delivery. Before we add a sub-processor, we check that their security posture meets or exceeds our own, and we prefer providers with recognised certifications (SOC 2, ISO 27001) where available.
The current list is maintained alongside our Privacy policy, and active customers are notified in advance of material changes.
7. Vulnerability management
We apply security patches to our infrastructure and dependencies on a cadence prioritised by severity. Our target service levels, measured from the point a validated fix is available:
- Critical severity — patched within 48 hours.
- High severity — patched within 7 days.
- Medium severity — patched within 30 days.
- Low severity — rolled into the next regular release cycle.
We welcome responsible disclosure — see how to report a vulnerability below.
8. Incident response
If we identify a security incident that affects a customer's data or agent, we will:
- Contain the incident and stop ongoing impact as the first priority.
- Investigate root cause and scope before drawing conclusions.
- Notify affected customers without undue delay, with a plain-English description of what happened, what data was involved, and what we're doing about it.
- Where legally required, notify the Office of the Australian Information Commissioner under the Notifiable Data Breaches scheme.
Our commitment. We'd rather tell you about a near-miss early than hide a real incident late. If something affects you, you'll hear about it from us.
9. Backups and availability
- Customer data and conversation history are backed up daily. Backups are encrypted at rest with the same controls as production data and stored with geo-redundancy across Australian and US cloud regions.
- Restore integrity is tested on a quarterly basis.
- Target recovery objectives: RTO ≤ 4 hours for full service restoration, RPO ≤ 1 hour for data loss in a worst-case regional failure.
- We monitor agent endpoints for uptime and latency and investigate degradations promptly. Engagement-specific availability SLAs, where required, are agreed in writing.
10. Deletion
On termination, or at your written request, we delete customer business data and end-customer conversation transcripts from production systems within a reasonable window, with backups aging out per our standard schedule. Any data retained for legal, tax or record-keeping reasons is documented in our Privacy policy.
11. Reporting a vulnerability
If you believe you've found a security issue in Ringlio — on our website, in an agent we run, or in any of our infrastructure — please email security@ringlioai.com with a clear description and steps to reproduce.
- We'll acknowledge your report within a few business days.
- We won't pursue legal action against good-faith researchers acting within the scope of responsible disclosure: no automated scanning that degrades service, no accessing data that isn't yours, and no public disclosure before we've had a reasonable chance to fix the issue.
- We'll keep you posted as we investigate and remediate.
12. Changes to this policy
We will update this page as our security practices evolve. The "last updated" date at the top reflects the most recent revision. Active customers will be notified of material changes by email.