Trust & Security
Everything you need to evaluate Rakomi's security posture and compliance readiness. Each section shows its last-updated date.
SDK Support & Lifecycle → Dated support windows of at least 5 years (60 months) per SDK major version (CRA Art. 13(8)), provenance & SBOM links, and our CRA-aligned support policy.
Hosting & Data Residency
Updated 2026-05-13
- Provider: Hetzner Online GmbH — EU entity, German data protection law applies.
- Region: Hetzner Falkenstein (Germany) — data never leaves the EU.
- Database: PostgreSQL, encrypted at rest (AES-256), TLS 1.3 in transit.
- Backups: Daily encrypted backups, 30-day retention, stored within EU.
- DPA: We sign a Data Processing Agreement on request — privacy@rakomi.com.
Encryption Standards
Updated 2026-05-13
| Purpose | Algorithm | Details |
|---|---|---|
| JWT signing | RS256 | RSA 4096-bit, algorithm hardcoded — never read from token header |
| Password hashing | Argon2id | m=65536, t=3, p=1 — OWASP recommended settings |
| Transport | TLS 1.3 | Enforced on all endpoints. TLS 1.0/1.1 rejected. |
| At-rest (DB) | AES-256 | Full-disk encryption on all storage volumes |
| Token randomness | CSPRNG | crypto.randomBytes() — never Math.random() |
Security Testing & Compliance
Updated 2026-04-16
- Last security assessment: April 2026
- Standards: GDPR Art. 32, NIS2 Art. 21, ISO 27001 A.8.29
- Assessment result: PASS — no critical vulnerabilities outstanding
- Test scenarios: 148 automated tests across authentication, session management, multi-tenant isolation, supply chain, and continuous integration
- Security measures: Industry-standard memory-hard password hashing, asymmetric cryptographic signing for all tokens, automated vulnerability scanning on every pull request
- Data residency: All data processed in the EU (Germany)
- Next scheduled assessment: Before general availability release
Our responsible disclosure programme is open — see /security. All reported vulnerabilities are tracked and remediated under our defined SLAs.
The EU Agent Accountability Chain
Every action an AI agent takes on your behalf is recorded, made tamper-evident, and — link by link — mapped to the exact EU regulation it satisfies. Read the chain top to bottom; each node names what it does and what proves it.
- First-class agent identity (Live): GDPR Art. 7(3), AI Act Art. 14
Every AI agent is separately registered, revocable, and audited. Each of your end-users can withdraw consent for an individual agent as easily as it was given — and a human stays in oversight of what agents may do.
- Per-agent tamper-evident hash chain (Live): GDPR Art. 5(2), GDPR Art. 30, AI Act Art. 12
Every agent action is recorded, and each record is cryptographically chained to the one before it (180-day retention) — so any later alteration is detectable. This is how we demonstrate accountability and keep records of processing.
- Dual-write to the immutable archive (Live): GDPR Art. 32, GDPR Art. 33 (breach evidence)
Critical events are dual-written to a separate 3-year immutable archive. This hardens the security of processing and provides supporting evidence should a breach ever need to be reconstructed — it does not by itself satisfy any breach-notification duty.
- Daily summary independently anchored (Roadmap): Tamper-evidence, eIDAS2 / EUDI (roadmap)
A daily summary of the chain will be independently anchored to third-party-operated public timestamping and archival services (such as OpenTimestamps and Software Heritage) — a proof-of-existence in a public timechain paired with an independent EU-domiciled archive, two different guarantees, independently verifiable by anyone without trusting Rakomi. A future qualified-ledger upgrade (eIDAS2 / EUDI, Regulation (EU) 2024/1183 amending Reg. (EU) No 910/2014) is roadmap only, not a present claim.
This independent anchoring is supplementary, freely-verifiable evidence that the agent-action record existed at a given time and has not been altered since. It is not a paid trust-service timestamp carrying a statutory legal presumption of correctness — that is a deliberate, context-justified future option, not a claim we make today.
- Sub-processor transparency (Live): GDPR Art. 28(3)(d), GDPR Art. 30
A full, dated, transfer-basis-tagged sub-processor register is published on this page — see the Sub-processor List section. Changes are announced at least 14 days in advance.
- Published verification recipe (Live): GDPR Art. 5(2)
Anyone can verify the daily anchor independently — no trust in Rakomi required. The recipe to reproduce and check the proof is published, so the accountability claim is something you demonstrate for yourself rather than take on faith.
Roadmap
- Near term — independent anchoring flips from roadmap to present tense once the first public daily anchor lands. This is gated on agent traffic (weeks away, not a fixed date), not on further engineering.
- 2027 — the eIDAS2 / EUDI qualified-ledger upgrade (a regulated qualified-ledger / EBSI path) is under evaluation. Only that upgrade would earn a statutory legal presumption; today's free public anchoring deliberately does not claim one.
Shared Responsibility Model
Authentication security is a partnership. Here's where Rakomi's responsibility ends and yours begins.
Rakomi is responsible for
- Auth infrastructure uptime and availability
- Secure token issuance and verification
- Password hashing and credential storage
- Patch management and dependency updates
- EU data residency and GDPR compliance
- DDoS protection (Cloudflare)
You are responsible for
- API key rotation and secure storage
- Authorising actions after token verification
- Your users' consent and privacy notices
- Protecting your application's own endpoints
- Reporting suspected abuse or anomalies
- Updating SDK versions promptly
Sub-processor List
Updated 2026-06-27
Rakomi acts as a data processor; the sub-processors below support the services your provider — the controller — offers you. Processors marked conditional only receive data when your provider has enabled the related feature (for example, a provider with no billing never reaches the payment processor).
| Sub-processor | Purpose | Location & transfer basis |
|---|---|---|
| Hetzner Online GmbH | Infrastructure & database hosting | 🇩🇪 Germany, EU — no third-country transfer |
| Brevo SAS | Transactional email | 🇫🇷 France, EU — no third-country transfer |
| Cloudflare, Inc. | CDN / WAF / edge access proxy | 🇺🇸 US — Standard Contractual Clauses |
| Microsoft Corporation | Sign-in / OAuth federation (conditional — only when Microsoft sign-in is enabled) | 🇺🇸 US — Standard Contractual Clauses |
| Apple Inc. | Sign-in / OAuth federation (conditional — only when Apple Sign In is enabled) | 🇺🇸 US — Standard Contractual Clauses |
| Google | Sign-in / OAuth federation (conditional — only when Google sign-in is enabled) | 🇺🇸 US — Standard Contractual Clauses |
| Twilio | SMS one-time passcodes (conditional — only when SMS OTP is enabled) | 🇺🇸 US — Standard Contractual Clauses |
| Stripe | Payment processing & billing (conditional — only when billing is enabled) | 🇺🇸 US — Standard Contractual Clauses |
| Fakturownia | Invoice issuance / KSeF bridge (conditional — only when billing is enabled) | 🇵🇱 Poland, EU — no third-country transfer |
Copies of the Standard Contractual Clauses and other transfer safeguards are available on request — contact our data-protection team at dpo@rakomi.com.
Infrastructure monitoring (no personal data): BetterStack, Inc. (🇺🇸 US) provides uptime monitoring and status-page hosting; it does not process your end-users' personal data.
Changes to this list are announced at least 14 days in advance via our status page and changelog.
2026-06-27: Completed the sub-processor list (added Cloudflare, Microsoft, Apple, Google, Twilio, Stripe and Fakturownia) and added a per-processor transfer-basis column.
Uptime & Incidents
Updated 2026-01-15
Live uptime metrics and incident history are published on our status page from Day 1 of operation.
View status.rakomi.dev →
Certification Roadmap
Updated 2026-05-13
| Certification | Status | Target |
|---|---|---|
| GDPR (EU 2016/679) | ✓ Compliant by design | Ongoing |
| DORA (EU 2022/2554) | In progress — gap assessment | 2026 Q3 |
| CRA (EU Cyber Resilience Act) | Monitoring — not yet in force | 2027 |
| ISO 27001 | Planned — pending pentest | 2027 |
| SOC 2 Type II | Planned — post ISO 27001 | 2027–2028 |
Security & Privacy Contact
- Security vulnerabilities: /security (responsible disclosure programme)
- Privacy & GDPR: privacy@rakomi.com
- DPA requests: privacy@rakomi.com