Rakenne Trust Center

AI-powered document workflows for compliance and legal teams.

Rakenne is a multi-tenant SaaS platform that lets domain experts define document-elaboration workflows and collaborate with an LLM agent to produce structured, audit-ready output.

privacy@rakenne.app Privacy Policy

Welcome to Rakenne's Trust Center. We are actively building toward SOC 2 and ISO/IEC 27001 certification. Explore our security controls, compliance posture, resources, and subprocessor list below.

Compliance

SOC 2 In progress

ISO/IEC 27001 In progress

Data Processing Agreement (DPA)

Terms of Usage

Shared Responsibility Matrix

Unique production database authentication enforced

Encryption key access restricted

Data encrypted in transit and at rest

Role-based access control enforced

Multi-factor authentication required

Employee offboarding procedures established

Tenant and project isolation enforced

Code review required for all changes

Vulnerability scanning in CI pipeline

Google Cloud Platform Cloud infrastructure

United States

Google Cloud AI (Gemini) AI inference

Google Cloud regions (US or EU)

Stripe Payment processing

Global (EU data centers)

Controls

Security and compliance controls implemented across the Rakenne platform, adapted from SOC 2 Trust Services Criteria and ISO/IEC 27001:2022 Annex A.

Unique production database authentication enforced

Encryption key access restricted to authorized personnel

Unique account authentication enforced for all systems

Data encrypted in transit using TLS

Data encrypted at rest on all storage volumes

Secrets stored in managed cloud secret manager

Network access restricted via firewall rules and IAM

Production infrastructure provisioned via Infrastructure as Code

Load balancer with TLS termination and DDoS mitigation

Automated backups with defined retention policies

Backup restore tests performed periodically

Cloud provider regions selected for data residency

Production environment separated from development and staging

DNS managed through cloud provider with DNSSEC support

Centralized logging for infrastructure events

Alerting for availability and performance anomalies

Cloud IAM with least-privilege access policies

SSH and admin access restricted to authorized staff

Automated OS patching via managed services

Cloud provider SOC 2 and ISO 27001 certifications verified

Role-based access control enforced across all systems

Multi-factor authentication required for internal accounts

Employee offboarding with same-day access revocation

Quarterly access reviews for production and critical SaaS

Least-privilege principle applied to all role assignments

Password manager required for all credentials

Laptop encryption and screen lock enforced via MDM

Portable media encrypted when used

Asset inventory maintained for production systems

Asset disposal procedures established

Acceptable use policy for information assets

Security awareness and onboarding for all staff

Staff access to customer data logged and restricted

SSO enforced for critical internal systems

Tenant and project isolation enforced at filesystem and process level

Code review required for all production changes

Automated vulnerability and dependency scanning in CI

Protected branches with required status checks

Deployments only via CI/CD pipeline, not from local machines

JWT authentication on all HTTP routes and WebSocket upgrades

Workspace path validation prevents path traversal attacks

API keys encrypted at rest, decrypted only at agent spawn

Per-project agent processes with strict workspace boundaries

No customer data used for model training

Environment separation between development, staging, and production

Control self-assessments conducted periodically

Incident response procedures documented and maintained

Continuity and disaster recovery plans established

Continuity and disaster recovery plans tested periodically

Change management aligned with Git and CI/CD workflows

Vendor management and periodic security reviews

Risk register maintained with likelihood, impact, and treatment

Information security policy approved by management

Statement of Applicability (SoA) maintained and mapped to SOC 2

Internal audit and management review conducted annually

On-call rotation with documented escalation procedures

Security-relevant events logged and monitored

Personal data breach notification procedures in place

Access provisioning and deprovisioning procedures documented

Data classification and ownership established

Shared responsibility model documented for customers

Policy review and approval cycle established

Monthly OS and dependency patching schedule

Compliance calendar for quarterly and annual activities

Data retention procedures established and documented

Customer data deleted upon account closure

Data classification policy established for all data types

Data Processing Agreement (DPA) available for all customers

Standard Contractual Clauses (SCCs) for EU data transfers

Subprocessor register maintained and publicly available

Customer notification for material subprocessor changes

Data subject rights support (access, export, deletion)

LLM providers configured to not train on customer data

Minimum-context principle for AI API calls

BYOK option shifts LLM provider relationship to customer

Rakenne Trust Center

Compliance

Resources

Controls

Infrastructure security

Organizational security

Product security

Subprocessors

Resources

Security Overview

Compliance Roadmap

Privacy Overview

Legal Documents

Data Processing Agreement

Terms of Usage

IP Compliance

Shared Responsibility Matrix

Controls

Infrastructure security

Organizational security

Product security

Internal security procedures

Data and privacy

Subprocessors

Infrastructure & Hosting

AI Processing

Email & Communications

Billing & Subscription Management

Analytics & Telemetry

Ready to let your expertise drive the workflow?