Rakomi

Trust & Security

Everything you need to evaluate Rakomi's security posture and compliance readiness. Each section shows its last-updated date.

SDK Support & Lifecycle → Dated support windows of at least 5 years (60 months) per SDK major version (CRA Art. 13(8)), provenance & SBOM links, and our CRA-aligned support policy.

Hosting & Data Residency

Updated 2026-05-13

Encryption Standards

Updated 2026-05-13
Purpose          | Algorithm            | Details
JWT signing      | RS256 (RSA 4096-bit) | Verification algorithm hardcoded in the verifier, never read from the token header
Password hashing | Argon2id             | m=65536 (64 MiB), t=3, p=1; above OWASP's recommended minimum of 19 MiB, t=2, p=1
Transport        | TLS 1.3              | Enforced on all endpoints; TLS 1.0/1.1 rejected
At-rest (DB)     | AES-256              | Full-disk encryption on all storage volumes
Token randomness | CSPRNG               | crypto.randomBytes(), never Math.random()

Security Testing & Compliance

Updated 2026-04-16

Our responsible disclosure programme is open — see /security. All reported vulnerabilities are tracked and remediated under our defined SLAs.

The EU Agent Accountability Chain

Every action an AI agent takes on your behalf is recorded, made tamper-evident, and — link by link — mapped to the exact EU regulation it satisfies. Read the chain top to bottom; each node names what it does and what proves it.

Legend: GDPR = Reg. (EU) 2016/679; AI Act = Reg. (EU) 2024/1689; eIDAS2 / EUDI = roadmap.

  1. GDPR Art. 7(3) · AI Act Art. 14 · Live
    First-class agent identity

    Every AI agent is separately registered, revocable, and audited. Each of your end-users can withdraw consent for an individual agent as easily as it was given, and a human stays in oversight of what agents may do.

  2. GDPR Art. 5(2) · GDPR Art. 30 · AI Act Art. 12 · Live
    Per-agent tamper-evident hash chain

    Every agent action is recorded, and each record is cryptographically chained to the one before it (180-day retention), so any later alteration is detectable. This is how we demonstrate accountability and keep records of processing.

  3. GDPR Art. 32 · GDPR Art. 33 (breach evidence) · Live
    Dual-write to the immutable archive

    Critical events are dual-written to a separate 3-year immutable archive. This hardens the security of processing and provides supporting evidence should a breach ever need to be reconstructed; it does not by itself satisfy any breach-notification duty.

  4. Tamper-evidence · eIDAS2 / EUDI (roadmap) · Roadmap
    Daily summary independently anchored

    A daily summary of the chain will be independently anchored to third-party-operated public timestamping and archival services, such as OpenTimestamps and Software Heritage: a proof of existence in a public timechain paired with an independent EU-domiciled archive, two different guarantees, each verifiable by anyone without trusting Rakomi. A future qualified-ledger upgrade under eIDAS2 / EUDI (Regulation (EU) 2024/1183 amending Reg. (EU) No 910/2014) is roadmap only, not a present claim.

    This independent anchoring is supplementary, freely verifiable evidence that the agent-action record existed at a given time and has not been altered since. It is not a paid trust-service timestamp carrying a statutory legal presumption of correctness; that is a deliberate, context-justified future option, not a claim we make today.

  5. GDPR Art. 28(3)(d) · GDPR Art. 30 · Live
    Sub-processor transparency

    A full, dated, transfer-basis-tagged sub-processor register is published on this page; see the Sub-processor List section below. Changes are announced at least 14 days in advance.

  6. GDPR Art. 5(2) · Live
    Published verification recipe

    Anyone can verify the daily anchor independently — no trust in Rakomi required. The recipe to reproduce and check the proof is published, so the accountability claim is something you demonstrate for yourself rather than take on faith.

Roadmap

Full GDPR + AI Act regulatory mapping (documentation) →

Shared Responsibility Model

Authentication security is a partnership. Here's where Rakomi's responsibility ends and yours begins.

Rakomi is responsible for

  • Auth infrastructure uptime and availability
  • Secure token issuance and verification
  • Password hashing and credential storage
  • Patch management and dependency updates
  • EU data residency and GDPR compliance
  • DDoS protection (Cloudflare)

You are responsible for

  • API key rotation and secure storage
  • Authorising actions after token verification
  • Your users' consent and privacy notices
  • Protecting your application's own endpoints
  • Reporting suspected abuse or anomalies
  • Updating SDK versions promptly

Sub-processor List

Updated 2026-06-27

Rakomi acts as a data processor; the sub-processors below support the services your provider — the controller — offers you. Processors marked conditional only receive data when your provider has enabled the related feature (for example, a provider with no billing never reaches the payment processor).

Sub-processor         | Purpose                                                                          | Location & transfer basis
Hetzner Online GmbH   | Infrastructure & database hosting                                                | 🇩🇪 Germany, EU; no third-country transfer
Brevo SAS             | Transactional email                                                              | 🇫🇷 France, EU; no third-country transfer
Cloudflare, Inc.      | CDN / WAF / edge access proxy                                                    | 🇺🇸 US; Standard Contractual Clauses
Microsoft Corporation | Sign-in / OAuth federation (conditional: only when Microsoft sign-in is enabled) | 🇺🇸 US; Standard Contractual Clauses
Apple Inc.            | Sign-in / OAuth federation (conditional: only when Apple Sign In is enabled)     | 🇺🇸 US; Standard Contractual Clauses
Google                | Sign-in / OAuth federation (conditional: only when Google sign-in is enabled)    | 🇺🇸 US; Standard Contractual Clauses
Twilio                | SMS one-time passcodes (conditional: only when SMS OTP is enabled)               | 🇺🇸 US; Standard Contractual Clauses
Stripe                | Payment processing & billing (conditional: only when billing is enabled)         | 🇺🇸 US; Standard Contractual Clauses
Fakturownia           | Invoice issuance / KSeF bridge (conditional: only when billing is enabled)       | 🇵🇱 Poland, EU; no third-country transfer

Copies of the Standard Contractual Clauses and other transfer safeguards are available on request — contact our data-protection team at dpo@rakomi.com.

Infrastructure monitoring (no personal data): BetterStack, Inc. (🇺🇸 US) provides uptime monitoring and status-page hosting; it does not process your end-users' personal data.

Changes to this list are announced at least 14 days in advance via our status page and changelog.

2026-06-27: Completed the sub-processor list (added Cloudflare, Microsoft, Apple, Google, Twilio, Stripe and Fakturownia) and added a per-processor transfer-basis column.

Uptime & Incidents

Updated 2026-01-15

Live uptime metrics and incident history are published on our status page from Day 1 of operation.

View status.rakomi.dev →

Certification Roadmap

Updated 2026-05-13
Certification                 | Status                                                                    | Target
GDPR (EU 2016/679)            | ✓ Compliant by design                                                     | Ongoing
DORA (EU 2022/2554)           | In progress: gap assessment                                               | 2026 Q3
CRA (EU Cyber Resilience Act) | Monitoring: in force since Dec 2024, main obligations apply from Dec 2027 | 2027
ISO 27001                     | Planned: pending pentest                                                  | 2027
SOC 2 Type II                 | Planned: after ISO 27001                                                  | 2027–2028

Security & Privacy Contact