Skip to main content

Trust & Security

We believe: Digital security starts with mindset – and shows in the details.
Here’s how we handle domains, encryption, and infrastructure protection – clearly, openly, and responsibly.

RiKuWe Domains

Our main domain is rikuwe.com. All public communication runs through this domain. We also operate a few additional domains like rikuwe.cloud, which are used strictly for technical infrastructure.

For example:

  • Infrastructure components
  • Internal system traffic

These domains are not used for communication and are never used as email senders.

Not sure whether a domain or email address is legitimate? Reach out at security@rikuwe.com.

Official Communication

RiKuWe communicates exclusively via @rikuwe.com.

This applies to:

  • Emails
  • Calendar invitations
  • Support messages
  • Project-related updates

If you receive a message from a different domain, please treat it with caution.

GPG Signatures in Practice

Emails from our team members – such as technical discussions, project updates, or security-related messages – are usually GPG signed, even if they aren’t encrypted.

Exceptions: Automated emails (e.g. invoices) or occasional mobile replies may be unsigned and unencrypted.

If you receive sensitive content without a signature: When in doubt, verify by phone or in person.
That’s the safest way to rule out domain spoofing.

GPG Keys & Verification

For sensitive or confidential communication, we use GPG encryption.
You can find our team’s public keys on the About Us page.

For reporting security issues, you can also use our dedicated key:

Technical Safeguards

Our website and systems are built to be reliable even in critical situations.

  • TLS 1.3 with HSTS Preloading
  • Hardened HTTP headers (CSP, Referrer-Policy, etc.)
  • A+ rating (135 out of 100 points) on Mozilla Observatory
  • A+ rating on SSL Labs
  • 10/10 privacy score on Webbkoll
  • No trackers, no ad cookies – see our Privacy Policy

All critical infrastructure is operated by us directly: monitoring, CI/CD, analytics, calendar, and video meetings included.

Reporting Security Issues

We appreciate reports of potential vulnerabilities.

We handle incoming reports responsibly and will keep you updated on the process.

Frequently Asked Questions

What is RiKuWe’s official domain?

Our official domain is rikuwe.com. All public content, emails, and signatures originate from this domain. Other domains like rikuwe.cloud are used strictly for technical purposes – never for communication.

How can I tell if an email is really from RiKuWe?

All official emails come from @rikuwe.com. If a message comes from a different domain or seems suspicious, contact us at security@rikuwe.com.

Are emails from RiKuWe signed?

Yes. Emails from our team are usually GPG signed, even if not encrypted. Automated messages (e.g. invoices) or mobile replies may be unsigned. For sensitive content without a signature, we recommend verifying by phone or in person.

Why does RiKuWe use GPG?

For secure communication – such as reporting vulnerabilities or sending encrypted information. Our public keys are listed on the About Us page.

Which other domains belong to RiKuWe?

Besides rikuwe.com, we use domains like rikuwe.cloud – but only for infrastructure. These are never used as sender domains or for public communication.

Does RiKuWe use cookies or trackers?

No. Our website is free of ad cookies and third-party tracking. We use self-hosted Plausible Analytics – lightweight and privacy-friendly.

How can I report a vulnerability?

Send us an email at security@rikuwe.com – ideally encrypted using our GPG key. You can also find our full disclosure policy at /.well-known/security.txt.

Our Principle

Good security stays invisible – but it’s always there.
And when it becomes visible, it should do so in the right way: clearly, respectfully, and for a reason.

Questions or feedback?
Contact us

Last updated on by Thomas Kugi
Version: v1.13.1