Security

Local‑first. Your data, your control.

Risk Studio runs on your hardware by default. No cloud upload, no SaaS dependency, no third‑party seeing your schedules unless you explicitly choose otherwise. Three deployment options, written for procurement and IT teams.

01 · Deployment options

Three deployments. Same engine. You choose where it runs.

Three equally-weighted isometric panels: Local install (laptop), Private cloud (BYO Azure), and Shareable URL (link icon) — same engine, three runtimes
Default

Local install

Server runs on localhost. Browser opens to 127.0.0.1:8000. No outbound network calls in normal operation. Best for sensitive schemes and IT environments where data must not leave the machine. Mac and Windows supported.

Optional

Private cloud (BYO Azure)

We help you provision Risk Studio into your Azure subscription. Your IT team holds the keys, manages the identities, and controls network egress. SOMA never has standing access to the environment.

Optional

Shareable cloud reports

Published HTML dashboards on a custom subdomain. Read‑only public URLs (or signed‑access if you prefer). The reports never include source data — only computed outputs (S‑curves, tornados, P‑values, narrative).

02 · Data handling

What data we touch, where it lives, what we send.

Local‑first means most customers' data never leaves their machine.

QuestionAnswer
What data we processXER schedule files, risk register CSVs / Excel sheets, correlation matrices, Safran exports (when you use Safran alongside Risk Studio), and the configuration files Risk Studio writes per scheme.
Where it livesBy default, in a local directory on your machine. Under BYO‑Azure, in storage you provision under your subscription. Under SOMA‑managed, in a UK‑region cloud environment under a signed data‑processing agreement.
What we send back to SOMANothing, unless you opt in to anonymous usage telemetry — and that's off by default. The only outbound network call Risk Studio ever makes is the licence check against our HMAC‑signed entitlement endpoint, which carries only a hashed licence identifier.
Encryption at restFilesystem‑level via your OS — we recommend FileVault on macOS, BitLocker on Windows. For BYO‑Azure, choose Azure‑managed keys or your own Customer‑Managed Key (CMK). For SOMA‑managed, Azure‑managed keys by default.
Encryption in transitShareable cloud reports served over HTTPS with TLS 1.2+. Local install talks to localhost only — no transit. BYO‑Azure inherits your tenancy's network policies.
Data retention & deletionYou control retention on local install and BYO‑Azure deployments. For SOMA‑managed environments and shareable cloud reports, default retention is the contracted term plus six months for audit; we delete on written request inside thirty days at any other point.
03 · Audit & compliance

What we test, what we're certified for, what's in progress.

Honest status — we don't bluff certifications we haven't earned.

HMAC-chained audit log shown as five interlocking hexagonal runs, each carrying a short hash and a dependency arc to the previous run
  • WCAG 2.2 AA conformant — the V0.33 a11y pass closed the four procurement‑floor WCAG blockers (1.1.1, 1.3.1, 2.5.8, 3.3.1). UI is tested with axe and screen‑reader walkthroughs on every release.
  • 7,000+ automated regression tests — run on every commit. Zero audit errors against the canonical test register. The full test count and pass/fail breakdown is available on request for procurement teams.
  • HMAC‑chained audit log — every action, every run, every user identity, signed and chained. Per‑run cryptographic hashes underpin byte‑identical replay.
  • Security hardening — comprehensive boundary testing across the application, including path‑traversal and formula‑injection protections.
  • Content Security Policy + HSTS — strict CSP on shareable cloud reports, HSTS preload, Content‑Disposition encoding, rate limiting, host validation, CSRF tokens.
  • Penetration testing — internal pen test cadence; external third‑party pen test on a per‑engagement basis for SOMA‑managed deployments at customer request.

Certification status — honest

Formal certifications.

Formal certifications are on our roadmap; current status is available on request when you scope the engagement.

GDPR / UK Data Protection Act 2018.

SOMA Project Controls acts as a data processor when running schemes on your behalf. A standard DPA template is available on request and signed at engagement start. We've designed Risk Studio so that for the local install case, no personal data flows to SOMA at all — the simplest defensible posture is the default.

04 · Incident response

If we find something, you hear about it in a working day.

If we discover a security issue affecting Risk Studio — whether it's a vulnerability we've patched, a third‑party advisory we've inherited, or an active incident — we notify customers within one working day. We tell you what we know, what we're doing, and when you'll next hear from us.

Reporting a security issue: hello@somaprojectcontrols.com with the subject prefix [SECURITY]. We acknowledge receipt within four working hours during UK business hours and start a triage within one working day. Coordinated disclosure: we will not publish details until you (the affected customer) have had a reasonable window to update.

For procurement

One signed page for your procurement file.

A signed, dated security summary covering deployment options, certification status, the DPA template, and the incident response path. Drop into your procurement pack as is.