Security

SECURITY MODEL

Ruakiel is built on the principle that the platform should never have access to customer data it cannot protect. Every design decision — from encryption to access control to audit trails — flows from this commitment.

Zero-Knowledge Encryption

Customer data is encrypted with AES-256-GCM before it reaches Firestore. BYOK (Bring Your Own Key) tenants derive their encryption key from a passphrase using Argon2id — Ruakiel never sees the plaintext or the key. Lost passphrase means lost data: this is intentional.

Tenant Isolation

Every Firestore document is scoped under a Tenants/{tenant_id} prefix. Security rules enforce that no request can read or write across tenant boundaries. Repository-layer isolation is validated by cross-tenant negative tests on every CI run.

JWT & RBAC

Permissions are asserted in every JWT. The aud claim is validated on every request. Role-based access control gates every API endpoint — there are no capability-by-convention paths.
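
An added example (not Ruakiel's own code) of the per-request checks described above: signature, aud, expiry, then the permission the endpoint requires. HS256 signing, the "permissions" claim name, and the audience and permission strings are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, time

def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign(claims: dict, key: bytes) -> str:
    """Mint a constructed HS256 token so the example runs offline."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def authorize(token: str, key: bytes, audience: str, required: str, now=None) -> dict:
    """Return the claims if every check passes, otherwise raise PermissionError."""
    try:
        head, body, sig = token.split(".")
        header, claims, given = json.loads(_b64d(head)), json.loads(_b64d(body)), _b64d(sig)
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise PermissionError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise PermissionError("malformed token")
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise PermissionError("bad signature")
    # aud may be a string or a list; this service must be named in it.
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise PermissionError("expired")
    # Deny by default: the endpoint's permission must be asserted in the token.
    if required not in claims.get("permissions", []):
        raise PermissionError("missing permission")
    return claims

if __name__ == "__main__":
    key = b"k" * 32  # constructed demo key
    tok = sign({"aud": "ruakiel-api", "exp": time.time() + 60,
                "permissions": ["agents:read"]}, key)
    print(authorize(tok, key, "ruakiel-api", "agents:read"))
```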

Audit Trails

Every agent action, tool call, and approval decision is written to an immutable audit log. Approval workflows support M-of-N quorum strategies — a single operator cannot unilaterally approve sensitive actions.

Data Minimisation

PII fields are tracked at the model level. Access requests and other ephemeral PII records carry a Firestore expires_at TTL and are automatically purged after 90 days per GDPR Article 5(1)(e).

Full Security Documentation

Detailed architecture diagrams, penetration test results, SOC 2 readiness posture, and trust boundary documentation are available to onboarded customers and prospective enterprise partners.
