Tenant-bound access
Each company runs in its own workspace, and authenticated users are checked against workspace membership before protected actions are allowed.
Security
RuleDesk keeps pricing and approval enforcement deterministic, isolates workspaces, records commercial change history, and limits who can act on sensitive workflow steps.
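The membership check described above, as an added illustration for an ASP.NET Core app (this is example code, not RuleDesk's own implementation): an authorization requirement whose handler binds the workspace named in the route to the authenticated caller's membership, so a user who belongs to workspace A cannot act on `/w/B/...` by editing the URL. The `IWorkspaceMembership` store, the `workspaceId` route value and the `QuotesController` are assumptions for the example.

```csharp
// Added illustration, not RuleDesk code. Assumes a hypothetical IWorkspaceMembership
// store and routes of the form /w/{workspaceId}/... in an ASP.NET Core app.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical lookup against the workspace membership table.
public interface IWorkspaceMembership
{
    Task<bool> IsMemberAsync(string userId, string workspaceId);
}

public sealed class WorkspaceMemberRequirement : IAuthorizationRequirement { }

public sealed class WorkspaceMemberHandler : AuthorizationHandler<WorkspaceMemberRequirement>
{
    private readonly IWorkspaceMembership _membership;
    public WorkspaceMemberHandler(IWorkspaceMembership membership) => _membership = membership;

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, WorkspaceMemberRequirement requirement)
    {
        // With endpoint routing the resource is the HttpContext. Take the workspace
        // from the route, never from a form field or header the caller controls.
        if (context.Resource is not HttpContext http) return;                  // fail closed
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value; // Identity user id
        var workspaceId = http.GetRouteValue("workspaceId")?.ToString();
        if (string.IsNullOrEmpty(userId) || string.IsNullOrEmpty(workspaceId)) return;

        if (await _membership.IsMemberAsync(userId, workspaceId))
            context.Succeed(requirement);
        // Not a member: no Succeed call, so the policy fails and the request gets 403.
    }
}

public static class WorkspaceAuthz
{
    public static IServiceCollection AddWorkspaceAuthorization(this IServiceCollection services)
    {
        services.AddScoped<IAuthorizationHandler, WorkspaceMemberHandler>();
        services.AddAuthorization(o => o.AddPolicy("WorkspaceMember",
            p => p.RequireAuthenticatedUser().AddRequirements(new WorkspaceMemberRequirement())));
        return services;
    }
}

// Every protected action under a workspace route carries the policy. The data lookup
// is also scoped by workspaceId, so a valid quote id from another tenant yields 404.
[Authorize(Policy = "WorkspaceMember")]
[Route("w/{workspaceId}/quotes")]
public sealed class QuotesController : Controller
{
    [HttpGet("{quoteId}")]
    public IActionResult Get(string workspaceId, string quoteId)
    {
        // repository.FindAsync(workspaceId, quoteId) -- hypothetical, always tenant-scoped
        return Ok(new { workspaceId, quoteId });
    }
}
```

Two points matter in practice: the handler fails closed (any missing user id, missing route value or non-member lookup leaves the requirement unsatisfied), and the policy alone is not enough; every query under the route must also filter by `workspaceId`, otherwise a member of one workspace can still reach another tenant's records by guessing ids.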
AI helps with rule authoring, search, and approval briefs. Live pricing, routing, and blocking decisions are evaluated by the deterministic rule engine from stored structured rules; no model output sits on the live decision path.
Role-based approval actions, delegation, reassignment, stale approval invalidation, quote validity windows, and final snapshot locking help ensure the sent quote matches the approved revision.
RuleDesk records quote changes, approval decisions, lifecycle changes, and buyer acceptance events so teams can reconstruct what happened and when.
Buyer-facing quote links can capture typed acceptance with name, signature text, timestamp, and quote status update, which helps teams keep a clean commercial record.
The app uses ASP.NET Identity, strong password defaults (12+ characters with mixed case, digit, and symbol), anti-forgery validation for MVC forms, and role-gated sensitive actions across catalog, rules, and approvals.
All traffic uses HTTPS (HSTS enforced in production). Workspace data is encrypted at rest by the underlying database storage. Passwords are hashed with PBKDF2.
Buyer quote pages, accept submissions, and signup are rate-limited per IP to slow token enumeration and other abuse. AI rule authoring, quote drafting, and semantic policy search are rate-limited per workspace to bound cost and prevent runaway calls.
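The three controls above (Identity password defaults, anti-forgery validation on MVC forms, and the two rate-limit partitions) in one .NET 7+ `Program.cs`, as an added example rather than RuleDesk's own configuration. The concrete limits, lockout values, policy names, controller names and the `workspaceId` route value are assumptions; it also assumes the app already registers ASP.NET Identity so that `IdentityOptions` has something to configure.

```csharp
// Added illustration, not RuleDesk code. Limits, policy names, controller names and
// the "workspaceId" route value are assumed; Identity is assumed to be registered.
using System;
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.RateLimiting;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// Password policy: 12+ characters with upper, lower, digit and symbol.
builder.Services.Configure<IdentityOptions>(o =>
{
    o.Password.RequiredLength = 12;
    o.Password.RequireUppercase = true;
    o.Password.RequireLowercase = true;
    o.Password.RequireDigit = true;
    o.Password.RequireNonAlphanumeric = true;
    o.Lockout.MaxFailedAccessAttempts = 5;                        // assumed value
    o.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);  // assumed value
});

// Validate the anti-forgery token on every unsafe verb (POST/PUT/PATCH/DELETE)
// instead of relying on per-action [ValidateAntiForgeryToken] being remembered.
builder.Services.AddControllersWithViews(o =>
    o.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

builder.Services.AddRateLimiter(o =>
{
    o.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // Unauthenticated buyer surface: partition by client IP so one host cannot
    // enumerate quote-link tokens or hammer signup.
    o.AddPolicy("buyer-ip", http => RateLimitPartition.GetFixedWindowLimiter(
        partitionKey: http.Connection.RemoteIpAddress?.ToString() ?? "unknown",
        factory: _ => new FixedWindowRateLimiterOptions
        {
            PermitLimit = 30,                                     // assumed
            Window = TimeSpan.FromMinutes(1),
            QueueLimit = 0
        }));

    // Authenticated AI surface: partition by workspace so model spend is bounded
    // per tenant. These routes also sit behind the workspace-membership policy,
    // so the route value is already tied to the caller's own tenant.
    o.AddPolicy("ai-workspace", http => RateLimitPartition.GetTokenBucketLimiter(
        partitionKey: http.GetRouteValue("workspaceId")?.ToString() ?? "anonymous",
        factory: _ => new TokenBucketRateLimiterOptions
        {
            TokenLimit = 20,                                      // assumed
            TokensPerPeriod = 20,
            ReplenishmentPeriod = TimeSpan.FromMinutes(1),
            QueueLimit = 0,
            AutoReplenishment = true
        }));
});

var app = builder.Build();
if (!app.Environment.IsDevelopment()) app.UseHsts();  // HSTS only outside development
app.UseHttpsRedirection();
app.UseRouting();
app.UseRateLimiter();   // after UseRouting so route values are populated for partition keys
app.UseAuthentication();
app.UseAuthorization();

// Attach each partition to its endpoint group; [EnableRateLimiting("...")] on a
// controller is the equivalent per-class form.
app.MapControllerRoute("buyer", "q/{token}/{action=Index}",
        new { controller = "BuyerQuote" }).RequireRateLimiting("buyer-ip");
app.MapControllerRoute("ai", "w/{workspaceId}/ai/{action}",
        new { controller = "Copilot" }).RequireRateLimiting("ai-workspace");
app.Run();
```

Two caveats a reviewer would check: behind a load balancer or CDN, `RemoteIpAddress` is the proxy's address, so the per-IP partition collapses to one bucket unless `UseForwardedHeaders` is configured with the proxy's known addresses; and the in-process limiter keeps its counters per instance, so with several replicas the effective limit is the configured value multiplied by the replica count unless the limit is enforced at a shared edge.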
When a buyer accepts a quote, RuleDesk records the typed name, signature text, timestamp, origin IP, and any PO / billing / tax-ID fields they provide. Audit events and acceptance records are retained for the life of the workspace plus 7 years.
AI helps reps and admins phrase rules in plain English, but the deterministic rule engine — not the AI — decides whether a deal blocks, requires approval, or applies a clause. Workspace AI usage is metered and capped to keep costs predictable.
RuleDesk uses a small set of subprocessors (cloud hosting, transactional email, OpenAI for advisory copilot flows). The current list and what each one receives is documented in the Privacy Policy. We commit to 30 days' notice before adding new subprocessors that materially expand scope.
What we don't claim
We don't yet have SOC 2 Type II, ISO 27001, or HIPAA. We don't currently offer a contractual uptime SLA on Starter or Growth plans. If your team needs these for procurement, talk to us — Scale customers can negotiate an SLA-backed support agreement, and we have a pragmatic path toward SOC 2 once volume justifies the audit cost.
Email security@ruledesk.ai. We respond within 2 business days and treat reports confidentially. We don't run a paid bug-bounty program yet but we will publicly credit researchers who help us improve.