Risk Assessment Policy
- Status: ACTIVE
- Owner: Daan ([email protected])
- Effective: 2026-04-20
- Last reviewed: 2026-04-20
- Next review: 2026-10-20
Purpose
Define how rotor.sh identifies, assesses, prioritizes, and mitigates risks to the confidentiality, integrity, and availability of customer data and platform services.
Scope
All risks affecting rotor.sh production systems, customer data, and business operations.
Risk Assessment Cadence
| Activity | Frequency | Owner |
|---|---|---|
| Full risk review | Quarterly | Daan |
| New feature risk assessment | Per feature (in PR description) | Feature author |
| Vendor risk review | Annual | Daan |
| Penetration test | Annual | External firm |
Risk Categories
1. Infrastructure Risks
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Redis maxmemory eviction causing queue corruption | Low (guarded by assertNoEviction) | High | FND-07 startup guard; Railway noeviction confirmed (Phase 0) |
| Railway service outage | Medium | High | Railway 99.9% SLA; BullMQ persists jobs; worker auto-restarts |
| Supabase outage | Low | High | Supabase 99.9% SLA; read-through cache on resolver; jobs still queue in Redis |
| Fly.io managed worker failure | Medium | Medium (Enterprise only) | Autoscaler retries provisioning; BullMQ job retries with backoff |
2. Security Risks
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Credential leak (API key, Railway secret) | Low | Critical | Railway vault; key rotation on detection; audit log; Sentry alerts |
| DDoS on public API | Medium | High | Railway load balancer; rate limiting (manual Redis INCR+PEXPIRE); quota middleware |
| SSRF via callback URLs | Low | High | validateCallbackUrl DNS check; SSRF guard in delivery worker |
| Tenant cross-contamination (Redis prefix escape) | Very Low | Critical | BullMQ prefix audit (audit-prefix.sh); single source of truth in prefix.ts |
| PII leakage in job payloads | Medium | High | Guardrail Engine PII redaction; configurable per-workspace |
| Compromised LLM judge output | Low | Medium | Brand-tone circuit breaker fails open (safe default); humans approve |
| Billing abuse / quota circumvention | Medium | Medium | Per-plan hard caps at API write time; Stripe reconciler detects drift |
3. Compliance Risks
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| SOC 2 observation window gap (Railway manual evidence) | Medium | Medium | vanta-manual-evidence.md monthly cadence |
| GDPR data subject request beyond 30-day SLA | Low | Medium | Manual process documented in data-retention-policy.md |
| API misuse / AUP violation | Medium | Low-Medium | Audit logs; kill-switch (BIL-06); AUP enforcement process |
4. Operational Risks
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Stalled-job duplication (at-least-once semantics) | Medium | Medium | SDK SIGTERM drain; idempotency keys; history archiver dedup |
| BullMQ Lua script version drift | Low | Medium | peerDep pin >=5.73 <6; version check at startup |
| Claude Code skill distribution drift (Anthropic registry change) | Medium | Low | Fall back to local skill install; monitor Claude Code releases |
Risk Acceptance
Risks rated Low likelihood × Low impact may be accepted without further mitigation. All other risks require a documented mitigation plan and owner.
Accepted risks must be documented in the Vanta risk register with:
- Risk description
- Current mitigation
- Residual risk level
- Acceptance date and owner
Review Cadence
Reviewed quarterly. Next full review: 2026-07-20.