Trust & Security
Everything you need to evaluate Rakomi's security posture and compliance readiness. Each section shows its last-updated date.
Hosting & Data Residency
Updated 2025-01-15
- Provider: Hetzner Online GmbH — EU entity, German data protection law applies.
- Region: Hetzner Nuremberg (Germany) — data never leaves the EU.
- Database: PostgreSQL, encrypted at rest (AES-256), TLS 1.3 in transit.
- Backups: Daily encrypted backups, 30-day retention, stored within EU.
- DPA: We sign a Data Processing Agreement on request — privacy@rakomi.com.
Encryption Standards
Updated 2025-01-15
| Purpose | Algorithm | Details |
|---|---|---|
| JWT signing | RS256 | RSA 4096-bit, algorithm hardcoded — never read from token header |
| Password hashing | Argon2id | m=65536, t=3, p=1 — OWASP recommended settings |
| Transport | TLS 1.3 | Enforced on all endpoints. TLS 1.0/1.1 rejected. |
| At-rest (DB) | AES-256 | Full-disk encryption on all storage volumes |
| Token randomness | CSPRNG | crypto.randomBytes() — never Math.random() |
Security Testing & Compliance
Updated 2026-04-16
- Last security assessment: April 2026
- Standards: GDPR Art. 32, NIS2 Art. 21, ISO 27001 A.8.29
- Assessment result: PASS — no critical vulnerabilities outstanding
- Test scenarios: 148 automated tests across authentication, session management, multi-tenant isolation, supply chain, and continuous integration
- Security measures: Industry-standard memory-hard password hashing, asymmetric cryptographic signing for all tokens, automated vulnerability scanning on every pull request
- Data residency: All data processed in the EU (Germany)
- Next scheduled assessment: Before general availability release
Our responsible disclosure programme is open — see /security. All reported vulnerabilities are tracked and remediated under our defined SLAs.
Shared Responsibility Model
Authentication security is a partnership. Here's where Rakomi's responsibility ends and yours begins.
Rakomi is responsible for
- Auth infrastructure uptime and availability
- Secure token issuance and verification
- Password hashing and credential storage
- Patch management and dependency updates
- EU data residency and GDPR compliance
- DDoS protection (Cloudflare)
You are responsible for
- API key rotation and secure storage
- Authorising actions after token verification
- Your users' consent and privacy notices
- Protecting your application's own endpoints
- Reporting suspected abuse or anomalies
- Updating SDK versions promptly
Sub-processor List
Updated 2025-01-15
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Infrastructure (servers, storage) | 🇩🇪 Germany, EU |
| Cloudflare, Inc. | CDN, DDoS, Pages hosting | 🇺🇸 US (Standard Contractual Clauses) |
| Brevo SAS | Transactional email | 🇫🇷 France, EU |
| BetterStack, Inc. | Uptime monitoring, incident logs | 🇺🇸 US (Standard Contractual Clauses) |
Changes to this list are announced at least 14 days in advance via our status page and changelog.
Uptime & Incidents
Updated 2026-01-15
Live uptime metrics and incident history are published on our status page from Day 1 of operation.
View status.rakomi.dev →
Certification Roadmap
Updated 2025-01-15
| Certification | Status | Target |
|---|---|---|
| GDPR (EU 2016/679) | ✓ Compliant by design | Ongoing |
| DORA (EU 2022/2554) | In progress — gap assessment | 2026 Q3 |
| CRA (EU Cyber Resilience Act) | Monitoring — not yet in force | 2027 |
| ISO 27001 | Planned — pending pentest | 2027 |
| SOC 2 Type II | Planned — post ISO 27001 | 2027–2028 |
Security & Privacy Contact
- Security vulnerabilities: /security (responsible disclosure programme)
- Privacy & GDPR: privacy@rakomi.com
- DPA requests: privacy@rakomi.com