Home/Trust
Trust & operations
Security posture for public safety deployments
This page is for IT directors, CJIS coordinators, procurement, and vendor security reviewers evaluating Rapid Cortex before or during a pilot. It summarizes how we protect agency data and operate the platform — without asking you to read the entire product first.
Identity & access
Cognito-backed sign-in with MFA for privileged roles, JWT-authorized APIs, and role-based access scoped to agency tenancy — not URL parameters.
Tenant isolation
Operational data is partitioned by agency. Cross-tenant reads and writes are denied by default in application and API layers.
Encryption
TLS for web and API traffic; encryption at rest on managed data stores, with stronger key management available at deployment.
Audit & logging
Meaningful state changes emit audit events. Application logs avoid raw secrets, tokens, and full unredacted transcripts.
Media & intake
Caller-submitted media uses private storage with short-lived, controlled retrieval where configured.
Operations
Deployment, monitoring, and incident response are documented for review. SIEM and 24/7 response are production-tier options, not the pilot default.
What we do not claim on this page
Rapid Cortex does not assert CJIS, CJIS-ATP, or FedRAMP certification on this page. We have not completed a SOC 2 audit. "CJIS-aligned" means we document controls your assessors can map to the CJIS Security Policy; your agency completes its own authorization path.
What you can request for review
- Security and architecture overview tailored to your agency or program.
- Control-mapping narrative for CJIS Security Policy areas relevant to your deployment.
- Subprocessor and infrastructure disclosure for procurement packets.
- Privacy, retention, and data-handling summaries aligned to your contract language.
- Completed vendor security questionnaires — handled collaboratively with your IT team.
Technical controls summary
- HTTPS for web experiences and programmatic access; JWT authorizer on protected API routes.
- Role-based access tied to agency tenancy, with separate platform administration boundaries.
- Encryption at rest for managed data stores; optional stronger key management during deployment.
- Policy against logging raw secrets, tokens, and full unredacted transcripts in application logs.
- Media intake uses private storage with short-lived, controlled retrieval where configured.
Next steps
- Contact sales & operations — security questionnaires, pilot scoping, and procurement packets.
- Trust & compliance disclosures — RC Lite assurance topics and artifact intent (explanatory, not certification claims).
- System status — operational transparency for live environments.
- Privacy policy — how we handle personal and operational data.
