Home/Trust

Trust & operations

Security posture for public safety deployments

This page is for IT directors, CJIS coordinators, procurement, and vendor security reviewers evaluating Rapid Cortex before or during a pilot. It summarizes how we protect agency data and operate the platform — without asking you to read the entire product first.

Identity & access

Cognito-backed sign-in with MFA for privileged roles, JWT-authorized APIs, and role-based access scoped to agency tenancy — not URL parameters.

Tenant isolation

Operational data is partitioned by agency. Cross-tenant reads and writes are denied by default in application and API layers.

Encryption

TLS for web and API traffic; encryption at rest on managed data stores, with stronger key management available at deployment.

Audit & logging

Meaningful state changes emit audit events. Application logs avoid raw secrets, tokens, and full unredacted transcripts.

Media & intake

Caller-submitted media uses private storage with short-lived, controlled retrieval where configured.

Operations

Deployment, monitoring, and incident response are documented for review. SIEM and 24/7 response are production-tier options, not the pilot default.

What we do not claim on this page

Rapid Cortex does not assert CJIS, CJIS-ATP, or FedRAMP certification on this page. We have not completed a SOC 2 audit. "CJIS-aligned" means we document controls your assessors can map to the CJIS Security Policy; your agency completes its own authorization path.

What you can request for review

  • Security and architecture overview tailored to your agency or program.
  • Control-mapping narrative for CJIS Security Policy areas relevant to your deployment.
  • Subprocessor and infrastructure disclosure for procurement packets.
  • Privacy, retention, and data-handling summaries aligned to your contract language.
  • Completed vendor security questionnaires — handled collaboratively with your IT team.

Technical controls summary

  • HTTPS for web experiences and programmatic access; JWT authorizer on protected API routes.
  • Role-based access tied to agency tenancy, with separate platform administration boundaries.
  • Encryption at rest for managed data stores; optional stronger key management during deployment.
  • Policy against logging raw secrets, tokens, and full unredacted transcripts in application logs.
  • Media intake uses private storage with short-lived, controlled retrieval where configured.

Next steps