Security at Riot

With great power comes great responsibility. At Riot, we take our security very seriously.


Riot has always been about making sure employees are ready for cyberattacks. Because we use our own service internally, any employee at Riot has to go through:

  • A complete cybersecurity awareness program every year, to know the challenges they might face.
  • At least one complex phishing attack every 3 months, to keep them on their toes.

On top of that, we:

  • Provide a password manager to all employees, and make sure they use it everywhere.
  • Ask to reduce their digital footprint, especially on LinkedIn.
  • Warn about new data breaches impacting the team, in real time.
  • Force 2-factor authentication everywhere we can.
  • Use encrypted Macbooks only, because they are less prone to attacks.
  • Follow a rigorous onboarding/offboarding checklist.


Our security is as good as the security of our least careful vendor. That’s why we carefully audit every vendor we pick, and select vendors that take security as seriously as we do. What we look for when we select a vendor includes:

  • SSO, or at least 2-factor authentication feature. Or worst case scenario multi-users feature, so we don’t have to share accounts internally.
  • A very strict security policy.


No codebase is perfect, but we’re trying very hard to keep it bulletproof.

  • Any code that goes into production has been reviewed and tested at least 3 times.
  • The production database is not shared internally, and only one person has access to it.


If you see something, say something. We have a cybersecurity hotline that you can reach 24/7 at

You will receive a compensatory reward, depending on the severity of what you’re reporting, but only if you follow 2 simple rules:

  • Report to Riot before reporting publicly.
  • Report the issue without exploiting it.

This policy has been updated last on May 25th, 2021. If you think Riot can improve on something, please let us know.