Security

Local‑first. Your data, your control.

Risk Studio runs on your hardware by default. No cloud upload, no SaaS dependency, no third‑party seeing your schedules unless you explicitly choose otherwise. Three deployment options, written for procurement and IT teams.

01 · Deployment options

Three deployments. Same engine. You choose where it runs.

Three equally-weighted isometric panels: Local install (laptop), Private cloud (BYO Azure), and Shareable URL (link icon) — same engine, three runtimes
Default

Local install

Server runs on localhost. Browser opens to 127.0.0.1:8000. No outbound network calls in normal operation. Best for sensitive schemes and IT environments where data must not leave the machine. Mac and Windows supported.

Optional

Private cloud (BYO Azure)

We help you provision Risk Studio into your Azure subscription. Your IT team holds the keys, manages the identities, and controls network egress. SOMA never has standing access to the environment.

Optional

Shareable cloud reports

Published HTML dashboards on a custom subdomain. Read‑only public URLs (or signed‑access if you prefer). The reports never include source data — only computed outputs (S‑curves, tornados, P‑values, narrative).

02 · Data handling

What data we touch, where it lives, what we send.

Local‑first means most customers' data never leaves their machine.

QuestionAnswer
What data we process XER schedule files, risk register CSVs / Excel sheets, correlation matrices, Safran exports (when you use Safran alongside Risk Studio), and the configuration files Risk Studio writes per scheme.
Where it lives By default, in a local directory on your machine. Under BYO‑Azure, in storage you provision under your subscription. Under SOMA‑managed, in a UK‑region cloud environment under a signed data‑processing agreement.
What we send back to SOMA Nothing, unless you opt in to anonymous usage telemetry — and that's off by default. The only outbound network call Risk Studio ever makes is the licence check against our HMAC‑signed entitlement endpoint, which carries only a hashed licence identifier.
Encryption at rest Filesystem‑level via your OS — we recommend FileVault on macOS, BitLocker on Windows. For BYO‑Azure, choose Azure‑managed keys or your own Customer‑Managed Key (CMK). For SOMA‑managed, Azure‑managed keys by default.
Encryption in transit Shareable cloud reports served over HTTPS with TLS 1.2+. Local install talks to localhost only — no transit. BYO‑Azure inherits your tenancy's network policies.
Data retention & deletion You control retention on local install and BYO‑Azure deployments. For SOMA‑managed environments and shareable cloud reports, default retention is the contracted term plus six months for audit; we delete on written request inside thirty days at any other point.
03 · Audit & compliance

What we test, what we're certified for, what's in progress.

Honest status — we don't bluff certifications we haven't earned.

HMAC-chained audit log shown as five interlocking hexagonal runs, each carrying a short hash and a dependency arc to the previous run
  • WCAG 2.2 AA conformant — the V0.33 a11y pass closed the four procurement‑floor WCAG blockers (1.1.1, 1.3.1, 2.5.8, 3.3.1). UI is tested with axe and screen‑reader walkthroughs on every release.
  • 2,690+ automated regression tests — run on every commit. Zero audit errors against the canonical test register. The full test count and pass/fail breakdown is available on request for procurement teams.
  • HMAC‑chained audit log — every action, every run, every user identity, signed and chained. Per‑run cryptographic hashes underpin byte‑identical replay.
  • Path‑traversal hardening — V0.32 closed the path‑traversal cluster (CVSS 8.1 / 6.5 / 6.5 / 7.7) with comprehensive boundary tests. Formula‑injection protections shipped in the same release.
  • Content Security Policy + HSTS — strict CSP on shareable cloud reports, HSTS preload, Content‑Disposition encoding, rate limiting, host validation, CSRF tokens.
  • Penetration testing — internal pen test cadence; external third‑party pen test on a per‑engagement basis for SOMA‑managed deployments at customer request.

Certification status — honest

Cyber Essentials.

In progress for FY26. Please ask for current status when you scope the engagement.

ISO 27001.

On the FY27 roadmap. We are working to the standard internally today; formal certification is queued, not earned.

SOC 2.

Not pursued. SOC 2 is a US‑centric standard and our customer base is UK‑based; we'd rather invest in ISO 27001 and Cyber Essentials. If SOC 2 is a hard procurement requirement for your engagement, talk to us early — we won't pretend it's coming if it isn't.

GDPR / UK Data Protection Act 2018.

SOMA Project Controls acts as a data processor when running schemes on your behalf. A standard DPA template is available on request and signed at engagement start. We've designed Risk Studio so that for the local install case, no personal data flows to SOMA at all — the simplest defensible posture is the default.

04 · Incident response

If we find something, you hear about it in a working day.

If we discover a security issue affecting Risk Studio — whether it's a vulnerability we've patched, a third‑party advisory we've inherited, or an active incident — we notify customers within one working day. We tell you what we know, what we're doing, and when you'll next hear from us.

Reporting a security issue: [email protected] with the subject prefix [SECURITY]. We acknowledge receipt within four working hours during UK business hours and start a triage within one working day. Coordinated disclosure: we will not publish details until you (the affected customer) have had a reasonable window to update.

For procurement

One signed page for your procurement file.

A signed, dated security summary covering deployment options, certification status, the DPA template, and the incident response path. Drop into your procurement pack as is.