
Compliance

Rime is designed to help New Zealand and Australian organisations meet their regulatory obligations for data handling, privacy, and security. This page describes how Rime’s features map to specific compliance frameworks and what controls are in place.

NZ Privacy Act 2020

The Privacy Act 2020 governs how organisations in New Zealand collect, store, use, and disclose personal information. Rime is designed to support compliance across the Act’s Information Privacy Principles (IPPs):

Collection and purpose (IPPs 1-4)

Rime does not determine what data your organisation collects — that is a business decision. However, Rime helps you manage collected data responsibly:

  • Data classification — the data classification system lets you label every column with its sensitivity level and PII type, creating a clear inventory of what personal information you hold and where it resides
  • PII detection — automatic PII scanning identifies personal information that may not have been deliberately collected, including New Zealand-specific identifiers like IRD numbers and NHI numbers

Storage and security (IPP 5)

The Act requires organisations to protect personal information against loss, unauthorised access, and misuse:

  • Masked by default — Rime’s masked-by-default model ensures that personal information is not accessible until explicitly classified and unmasked for specific roles. This is the strongest default posture available
  • Encryption — all data is encrypted in transit (TLS 1.3) and at rest (AES-256-GCM for credentials, Snowflake-native encryption for warehouse data)
  • Tenant isolation — database-per-tenant architecture ensures your data is never co-mingled with another organisation’s data
  • Access controls — role-based masking policies restrict data visibility to authorised roles only
  • Audit logging — comprehensive audit logs track all access to data and configuration changes

Access and correction (IPPs 6-7)

Individuals have the right to access and correct their personal information:

  • Data inventory — the classification column browser provides a complete inventory of where personal information is stored, making it straightforward to respond to access requests
  • Access matrix — the compliance reporting access matrix shows exactly who can see which data, supporting internal access request workflows

Retention and deletion (IPP 9)

Organisations must not keep personal information longer than necessary:

  • Right to deletion — Rime’s database-per-tenant architecture simplifies bulk deletion. For individual record deletion, the data classification inventory identifies all locations where a person’s data may reside
  • Tenant deletion — dropping the tenant database permanently removes all associated data with no residual fragments

Disclosure (IPPs 10-11)

When disclosing personal information to third parties or overseas:

  • Data residency — Rime can be deployed in NZ-region infrastructure to keep all platform data within New Zealand borders
  • Masking policies — data shared with downstream consumers through Snowflake is governed by the same masking policies, ensuring that disclosure is controlled at the column level
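The masked-by-default, role-keyed column masking referred to under IPP 5 and in the disclosure bullet above, written out as an added illustration in Snowflake SQL (this is not Rime’s own policy code; the table CUSTOMERS, column IRD_NUMBER and role PRIVACY_OFFICER are assumed names):

```sql
-- Added example, not Rime's own code. Names below are assumptions.
-- The policy defaults to masking: only a role that is explicitly listed
-- sees the clear value; every other role (including account admins) does not.
CREATE OR REPLACE MASKING POLICY pii_masked_by_default AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('PRIVACY_OFFICER') THEN val   -- explicitly unmasked role
    ELSE '***MASKED***'                                    -- default for everyone else
  END;

-- Bind the policy to a classified column. Any consumer reading the column
-- through Snowflake (views, BI tools, shares) receives the masked value unless
-- their active role is in the allow-list above, so disclosure is controlled per column.
ALTER TABLE customers MODIFY COLUMN ird_number SET MASKING POLICY pii_masked_by_default;

-- Check which policies govern the table; useful evidence for an access-matrix review.
SELECT policy_name, ref_column_name
FROM TABLE(INFORMATION_SCHEMA.POLICY_REFERENCES(
  REF_ENTITY_NAME => 'CUSTOMERS', REF_ENTITY_DOMAIN => 'TABLE'));

-- Spot check from a non-privileged role: the value returned should be '***MASKED***'.
USE ROLE analyst;
SELECT ird_number FROM customers LIMIT 1;
```

Note that CURRENT_ROLE() checks only the session’s active role; if your organisation unmasks through role hierarchies, the condition needs to account for inherited roles instead.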

Breach notification

The Privacy Act 2020 requires notification of privacy breaches that pose a risk of serious harm:

  • Audit logs provide a forensic trail for investigating the scope and timeline of a breach
  • Access matrix reports show which data was accessible to compromised accounts
  • PII classification identifies which personal information types were affected

Rime does not automate breach notification itself, but it provides the data needed to assess a breach and prepare notifications to the Privacy Commissioner and affected individuals.

Australian Privacy Act

For organisations handling data from Australian individuals or operating across the Tasman:

  • Australian Privacy Principles (APPs) — the controls described above for the NZ Privacy Act support compliance with the Australian Privacy Principles, particularly APPs 1 (open and transparent management), 6 (use or disclosure), and 11 (security of personal information)
  • Cross-border data handling — if your Snowflake account is in an Australian region and Rime is deployed in the NZ region (or vice versa), data crosses national borders. The data residency options let you align Rime’s deployment with your data residency requirements. Snowflake’s region is independent of Rime’s region
  • Notifiable Data Breaches (NDB) scheme — the same audit and classification data that supports NZ breach notification also supports reporting under Australia’s NDB scheme

NZISM (NZ Information Security Manual)

The NZISM provides information security guidance for New Zealand government agencies. Rime is aligned with key NZISM controls:

Access control (Section 16)

  • Authentication — SSO via SAML 2.0 and OIDC integrates with government identity providers. MFA is enforced through the IdP
  • Role-based access — masking policies restrict data access to authorised roles. The access matrix provides visibility into who can access what
  • Session management — sessions expire after inactivity and can be revoked by administrators

Cryptography (Section 17)

  • Encryption in transit — TLS 1.3 for all connections, meeting NZISM requirements for protection of data in transit
  • Encryption at rest — AES-256-GCM for credentials and sensitive configuration, meeting NZISM requirements for encryption of data at rest
  • Key management — encryption keys are derived from a master secret with support for rotation

System management (Section 12)

  • Audit logging — all actions are logged with user identification, timestamps, and outcome. Logs are retained per tier (up to 1 year for Business Critical)
  • Change management — infrastructure changes go through a plan/apply workflow with preview and approval
  • Vulnerability management — container images are scanned for vulnerabilities before deployment

Network security (Section 18)

  • Network segmentation — Rime uses layered VPC architecture with public, application, and database subnets
  • Egress control — outbound traffic is restricted to known destinations
  • DDoS protection — AWS Shield and WAF protect against network and application-layer attacks

Physical security

Rime runs on AWS or Azure infrastructure. Physical security of data centres is managed by the cloud provider. Both AWS and Azure NZ regions hold relevant certifications (ISO 27001, SOC 2, and others).

SOC 2 readiness

Rime’s controls align with the SOC 2 Trust Services Criteria. While Rime has not yet completed a formal SOC 2 Type II audit, the following controls map to SOC 2 requirements:

SOC 2 criterion               Rime control
CC6.1 — Logical access        Authentication (SSO, MFA via IdP), role-based masking
CC6.2 — Credentials           Encryption (AES-256-GCM credential storage), Argon2 password hashing
CC6.3 — Access removal        Session revocation, role-based access changes logged in audit
CC6.6 — System boundaries     Network security (VPC isolation, WAF, egress controls)
CC7.1 — Monitoring            Audit logging, alert rules, anomaly detection
CC7.2 — Incident detection    WAF logging, failed auth tracking, anomaly highlights in compliance reports
CC8.1 — Change management     Plan/apply infrastructure workflow, pipeline versioning
CC9.1 — Risk mitigation       Masked by default, PII detection, data classification

A formal SOC 2 audit is planned. Contact Rime for the current timeline and a controls mapping document.

Data residency

Rime supports deployment in New Zealand and Australian cloud regions:

Requirement                   Solution
All platform data in NZ       Deploy Rime in the NZ region; Rime’s databases and storage remain in NZ
All warehouse data in NZ      Use a Snowflake account in the NZ or Sydney region
All staging data in NZ        Configure S3 buckets in the ap-southeast-2 region
Cross-border prohibition      Deploy Rime and Snowflake in the same NZ region

Data residency applies to data at rest. Data in transit between Rime and Snowflake may traverse international network infrastructure depending on routing, but is always encrypted with TLS 1.3.

Security assessments

Rime supports customer security assessments:

  • Security questionnaire — Rime provides pre-filled responses for common security questionnaires (SIG Lite, CAIQ, custom). Contact Rime to request a completed questionnaire
  • Architecture review — Rime’s team is available for architecture review calls during procurement. These are standard for enterprise customers and do not require a separate engagement

Next steps