Rakenne is designed for teams who handle high-stakes, regulated content — from ISO 27001 and SOC 2 documentation to internal policies and regulatory filings. This page explains how we secure the platform, how data flows through our architecture, and what you are responsible for as a customer.
Architecture & Data Flow
Rakenne is a multi-tenant SaaS application with strict tenant and project isolation:
- Isolated workspaces — each tenant and project has its own filesystem workspace. Workspaces are segregated at the OS level and never share document content.
- Per-project AI agent — for each active project, the backend spawns a dedicated Rakenne agent process. The agent operates only on the workspace files it is assigned.
- Stateless web frontend — the browser UI communicates with the backend over HTTPS and WebSockets. All stateful operations (document storage, skills, logs) happen in the backend and workspace layer.
- Managed cloud infrastructure — the platform runs on reputable cloud providers with encryption at rest and in transit, robust IAM, and network-level protections.
When you or your team members use Rakenne:
- You sign in to the web app and access a tenant/project workspace.
- Your browser sends prompts, workflow definitions, and document fragments to the backend over TLS.
- The backend writes and reads files within your workspace and forwards carefully scoped context to the per-project AI agent.
- For AI operations, the agent calls Google Gemini (or your own LLM provider via Bring Your Own Key) over encrypted channels, receives responses, and writes structured outputs back into your workspace.
We do not train general-purpose models on your documents or prompts.
Identity, Access & Tenant Isolation
We apply multiple layers of access control:
- Authentication & SSO
  - Support for modern authentication flows with enforced multi-factor authentication (MFA) on internal administrative accounts.
  - Session management that balances usability with security (idle timeouts, revocation on logout).
- Role-based access control
  - Access to tenants, projects, and workspaces is governed by roles and membership.
  - Only authorized users in your organization can access your workspaces.
- Staff access
  - Rakenne staff access to production systems is limited to a small set of roles based on least privilege.
  - Access is granted and revoked through documented procedures with periodic reviews.
- Tenant & project isolation
  - Hard separation of workspaces on disk and in process-level access.
  - No shared document stores where data from one tenant can accidentally appear in another tenant’s workspace.
Data Protection & Encryption
We rely on strong defaults from our infrastructure providers and add our own safeguards:
- Encryption in transit
  - All connections to the web app and APIs use TLS.
  - Connections to third-party APIs (LLM providers, payment processors, email) are encrypted.
- Encryption at rest
  - Application data, including workspaces and databases, is stored on encrypted volumes.
  - Secrets (API keys, tokens) are stored using managed secret storage in our cloud provider.
- Backups & disaster recovery
  - Regular backups of critical data with retention policies that balance recoverability and data minimization.
  - Periodic restore tests to validate that backups are usable.
Application Security & SDLC
Security is embedded into our software development lifecycle:
- Source control & reviews
  - All changes go through pull requests with human review.
  - Protected branches and required checks help prevent unreviewed code from reaching production.
- CI/CD pipeline
  - Automated tests run on each change.
  - Deployments to production are performed via CI/CD pipelines, not from individual laptops.
- Dependency & vulnerability management
  - Regular updates of dependencies.
  - Use of vulnerability scanning and patching for both application dependencies and underlying infrastructure.
- Environment separation
  - Separation between development, staging, and production environments.
  - Production data is never used in development environments.
Monitoring, Logging & Incident Response
We monitor the platform to detect issues early and respond effectively:
- Monitoring & alerting
  - Infrastructure and application metrics are monitored to detect availability and performance issues.
  - Key security-relevant events (authentication failures, access anomalies) are logged.
- Logging
  - Logs are aggregated in a centralized logging system with access controls.
  - Access to logs containing personal data is restricted to authorized staff.
- Incident response
  - Documented incident response procedures covering detection, triage, containment, remediation, and post-incident review.
  - Where an incident meets the threshold of a personal data breach, we will notify affected customers without undue delay, consistent with our contractual and legal obligations.
Shared Responsibility Model
Security and compliance are a shared effort between Rakenne, our infrastructure providers, and you as the customer:
- Our responsibilities
  - Secure operation of the Rakenne platform and production infrastructure.
  - Tenant isolation, access control mechanisms, logging, backups, and recovery.
  - Selection and oversight of subprocessors with appropriate contractual and technical safeguards.
- Your responsibilities (CUECs)
  - Managing who in your organization has access to your tenant and workspaces.
  - Enforcing strong authentication for your users (for example, SSO and MFA).
  - Configuring retention periods, workspace structures, and data exports according to your policies.
  - Reviewing AI-generated outputs and ensuring they are appropriate for your use cases.
  - Managing your own contracts and configurations with LLM providers when you use Bring Your Own Key.
- Cloud & LLM providers’ responsibilities
  - Operating the underlying compute, storage, networking, and AI inference infrastructure.
  - Implementing their own technical and organizational security measures, as described in their documentation and reports.
Questions & Security Contact
If you have security or compliance questions, need more detail for a security questionnaire, or want to report a potential security issue, contact us at:
- Security & privacy: privacy@rakenne.app
- Support: support@rakenne.app
For information on our compliance roadmap (SOC 2, ISO/IEC 27001) and legal commitments (DPA, subprocessors), visit the other sections of the Trust Center.