Rakenne runs on cloud infrastructure and third-party services that maintain their own security certifications. This page explains which providers we rely on, what certifications they hold, and how security responsibilities are divided between providers, Rakenne, and you as the customer.
This model is designed to align with SOC 2 Trust Services Criteria (especially Complementary User Entity Controls) and ISO/IEC 27001 Annex A control domains, so it can support your own compliance work.
Provider Certifications
The following providers form the foundation of the Rakenne platform. We collect and review their security reports as part of our vendor management process.
Tier 1 — Core Data Path
These providers directly process or store customer data.
| Provider | Role | Key Certifications |
|---|
| Google Cloud Platform | Application hosting, storage, networking, secrets management, monitoring, logging | SOC 1/2/3 Type II, ISO 27001, ISO 27017, ISO 27018, CSA STAR |
| Google Cloud AI (Gemini) | Default AI inference for skills and workflows | Covered by GCP compliance reports; governed by Google Cloud AI data processing terms |
| Stripe | Payment processing, subscription billing | SOC 2 Type II, PCI DSS Level 1 |
| Mailgun | Transactional email delivery | SOC 2 Type II (Sinch/Mailgun) |
Tier 2 — Supporting Infrastructure
These providers support development, CI/CD, and corporate operations.
| Provider | Role | Key Certifications |
|---|
| GitHub | Source control, CI/CD pipelines, code review | SOC 2 Type II, ISO 27001 |
| Private Email (Namecheap) | Corporate email hosting | Security documentation available on request |
Bring Your Own Key (BYOK) Providers
When you configure your own API key for an LLM provider, that provider acts under your agreement and is not our subprocessor. You are responsible for evaluating their security posture.
| Provider | Available via BYOK | Certifications to Request |
|---|
| Anthropic (Claude) | Yes | SOC 2 Type II, security documentation |
| OpenAI | Yes | SOC 2 Type II, ISO 27001 |
| Google (Gemini) | Yes | Covered by GCP reports above |
Shared Responsibility Matrix
The matrix below maps security responsibilities across three parties for each control area. Use it to understand what Rakenne covers, what our providers cover, and what you need to handle on your side.
Physical & Network Security
| Control Area | Provider | Rakenne | Customer |
|---|
| Physical security (data centers, environmental controls) | GCP operates and secures all data center facilities, including physical access, surveillance, and environmental protections. | Not applicable — Rakenne does not operate physical facilities. | Secure your own offices and endpoints. |
| Network security (backbone, DDoS, perimeter) | GCP provides network backbone, hypervisor isolation, and DDoS mitigation. | Configures Cloud Armor WAF rules, firewall policies, VPC settings, and TLS termination. | Protect your own network when accessing Rakenne; do not disable TLS or certificate validation. |
Compute & Infrastructure
| Control Area | Provider | Rakenne | Customer |
|---|
| Compute & OS security | GCP provides Container-Optimized OS base images and hypervisor-level patching. | Manages OS patching of compute instances, Docker image hardening, and runtime configuration. | Not applicable. |
| Availability & capacity | GCP provides infrastructure SLAs and regional availability guarantees. | Configures health checks, load balancing, agent process auto-respawn, and capacity monitoring. | Maintain adequate internet connectivity on your side. |
Identity & Access Management
| Control Area | Provider | Rakenne | Customer |
|---|
| Infrastructure access | GCP IAM provides role-based access, audit logging, and MFA enforcement for cloud console access. | Applies least-privilege IAM policies, conducts quarterly access reviews, manages Workload Identity Federation, and follows documented offboarding procedures. | Not applicable. |
| Application access | Google OAuth provides the authentication protocol and credential security. | Issues and validates JWTs, manages session lifecycle, enforces RBAC and tenant-scoped authorization on every request. | Manage who in your organization has access to your tenant. Enforce MFA on your Google accounts. Revoke access for departed employees promptly. |
Data Protection
| Control Area | Provider | Rakenne | Customer |
|---|
| Encryption at rest | GCP encrypts all storage by default (AES-256) and provides KMS. | Applies application-level encryption for sensitive data (API keys via Secret Manager); database stored on encrypted volumes. | Classify data before uploading; do not upload data beyond agreed categories. |
| Encryption in transit | GCP provides TLS on load balancer and inter-service encryption. | Enforces HTTPS-only access, HSTS headers, and WebSocket connections over WSS. | Use a modern, up-to-date browser; do not disable TLS warnings. |
| Tenant & project isolation | GCP provides compute and storage resource isolation at the infrastructure level. | Enforces filesystem workspace isolation per tenant and project, authorization checks on every request, and path traversal prevention. | Do not share credentials across tenants or users. |
Backup, Recovery & Data Lifecycle
| Control Area | Provider | Rakenne | Customer |
|---|
| Backup & disaster recovery | GCP provides storage durability guarantees and snapshot infrastructure. | Manages automated snapshot schedules (with defined retention), restore procedures, and periodic DR testing. | Maintain your own copies of critical output documents if required by your policies. |
| Data retention & deletion | GCP provides storage deletion guarantees; Stripe follows PCI-compliant data lifecycle. | Enforces retention policies, workspace cleanup on project/account deletion, and DPA-defined deletion commitments. | Request deletion when required; understand our retention periods as documented in the Privacy Policy and DPA. |
Monitoring, Logging & Incident Response
| Control Area | Provider | Rakenne | Customer |
|---|
| Logging & monitoring | GCP provides Cloud Logging infrastructure and Cloud Monitoring platform. | Configures application audit logs, uptime checks, alert policies, and anomaly detection. | Report suspected security incidents to us promptly. |
| Incident response | GCP operates infrastructure-level incident response and publishes status page updates. | Operates application-level incident response procedures, customer notification workflows, and root cause analysis. | Designate a security contact. Respond to breach notifications and cooperate in investigations as needed. |
Software Development & Vulnerability Management
| Control Area | Provider | Rakenne | Customer |
|---|
| Change management / SDLC | GitHub provides platform availability and source code integrity. | Enforces PR-based workflows with required reviews, CI/CD checks, protected branches, and no direct production changes. | Not applicable. |
| Vulnerability management | GCP provides infrastructure vulnerability scanning; GitHub provides dependency alerting. | Runs dependency scanning in CI, manages OS patching, and conducts application-level security testing. | Keep your own browsers and operating systems up to date. Report any vulnerabilities you discover to us. |
AI & LLM Processing
| Control Area | Provider | Rakenne | Customer |
|---|
| AI data processing (Rakenne-managed keys) | Google Cloud AI (Gemini) hosts models and processes inference requests under enterprise data terms (no training on customer data). | Scopes context sent to models, enforces no-training contractual terms, manages API keys via Secret Manager. | Understand that document content is sent to the LLM provider for processing. Do not input data beyond agreed classifications. |
| AI data processing (BYOK) | The provider you choose operates under your agreement. | Forwards requests between your workspace and your chosen provider; does not store or inspect model responses beyond your workspace. | Evaluate the LLM provider’s security posture, configure data retention and region settings, and manage your own API key securely. |
Email & Communications
| Control Area | Provider | Rakenne | Customer |
|---|
| Email security | Mailgun provides transactional email delivery with DKIM signing; Private Email hosts corporate mailboxes. | Configures SPF, DKIM, and DMARC (reject policy, 100% enforcement) for all Rakenne domains. | Do not whitelist unknown domains claiming to be Rakenne. Educate your team on Rakenne’s legitimate email addresses (@rakenne.app). |
Payment Processing
| Control Area | Provider | Rakenne | Customer |
|---|
| Payment security | Stripe handles all card data under PCI DSS Level 1 compliance. | Integrates securely (webhook signature verification); never stores full card numbers or CVV codes. | Maintain security of your payment method. Report unauthorized charges promptly. |
Third-Party & Vendor Management
| Control Area | Provider | Rakenne | Customer |
|---|
| Subprocessor oversight | Not applicable. | Maintains a public subprocessor list, evaluates provider security posture, and puts DPAs and contractual safeguards in place. | Review our subprocessor list
. Raise concerns about subprocessor changes within the notification window defined in our DPA. |
How to Use This Matrix
- For your own SOC 2 or ISO 27001 work: The “Customer” column maps to Complementary User Entity Controls (CUECs). Use it to document what your auditor expects you to handle when relying on Rakenne.
- For security questionnaires: Reference specific rows to answer questions about encryption, access control, incident response, and vendor management.
- For internal risk assessments: Use the matrix to identify which controls are inherited from providers, which Rakenne operates, and where your organization has residual responsibility.
Questions
If you need more detail about any row in this matrix, want to request a provider’s SOC 2 or ISO 27001 report, or need supporting documentation for a security review, contact us at privacy@rakenne.app
.