Deployment boundary, review path, and evidence obligations are agreed before build.
RyderAI builds AI for regulated work in Australia. RyderAI-managed hosting and client-owned deployments are both scoped before build; the posture below is the baseline we work from.
Current assurance status
Before build, the engagement security plan names the deployment boundary, storage, encryption, retention, recovery, access, review, and evidence obligations. RyderAI does not currently hold SOC 2, ISO 27001, ISO 42001, IRAP, or equivalent external certification, and does not claim those certifications.
RyderAI-managed hosting keeps model inference inside the agreed Australian boundary and uses third-party model APIs only when explicitly scoped. Client-owned deployments use the customer's own infrastructure and controls. Where scoped, RyderAI-managed hosting uses encrypted redundant storage across separate RyderAI-operated systems.
Boundary set before build
RyderAI-managed engagements are scoped to an agreed Australian data boundary. Client-owned deployments use the customer's own infrastructure and controls. Any third-party model API is explicit in the engagement scope.
Controls written into the plan
Storage, encryption, retention, recovery, access, and review controls are named in the engagement security plan for the deployment mode. RyderAI-managed hosting uses encrypted storage with redundancy across separate RyderAI-operated systems where scoped.
Consequential decisions are reviewable
Consequential decisions are recorded so you can show a regulator who was accountable, what the decision was based on, and why.
Access is controlled and accountable
Only named people can reach the controls that matter, and the actions that carry real consequence are signed off by a named person and recorded.
Release checks before go-live
Production releases are checked against the engagement security plan and verification steps before go-live.
Mapped to APRA CPS 234, OAIC and AHPRA evidence needs
Designed to support the evidence a prudential review or practitioner-accountability request may ask for.
The canonical channel is /.well-known/security.txt (machine-readable, RFC 9116). Good-faith researchers who avoid privacy, integrity, or availability impact on customer workloads receive an acknowledgement within one business day and credit on remediation. For narrative reports, use the contact form with subject line Security disclosure.
Ryder AI Pty Ltd · ABN 24 681 083 983 · Brisbane, Queensland
This page describes how we work by default. The exact controls for your engagement are written down in your engagement security plan.