Security at RasadAI

Last updated: April 23, 2026

We treat security as a first-class product feature. This page describes the technical and operational controls we use to protect your data and the integrity of the Service.

Data Protection

  • Encryption in transit: all traffic uses TLS 1.2+. HTTP is automatically upgraded to HTTPS.
  • Encryption at rest: database and file storage use AES-256 encryption at rest, managed by our infrastructure providers.
  • Password handling: passwords are hashed with bcrypt (cost factor 12). Plaintext passwords are never logged or stored.
  • Integration tokens: Slack/Discord/Telegram/Teams tokens are stored encrypted and masked in the UI, which shows only the last four characters.

Multi-Tenant Isolation

Every database query that reads or writes customer data is scoped by tenant ID at the application layer. Tenants cannot access each other's mentions, alerts, deployments, memories, or configuration. Tenant isolation is enforced at three layers:

  • Application: tRPC procedures gate every read by the authenticated user's tenant.
  • Background workers: the agent service is bound to a single tenant via an environment variable, and every internal query is filtered by that tenant ID.
  • Audit: all multi-tenant queries are reviewed and tested.
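As an added illustration of the tenant-scoped access pattern described above (example code, not RasadAI's own implementation; the in-memory store, the AuthContext shape and the withTenant() wrapper are assumed stand-ins for the real database layer and tRPC middleware), the following shows reads that are filtered by the session's tenant and cannot be widened by client input:

```typescript
// Added illustration of tenant-scoped reads; not RasadAI's code. The in-memory
// store, AuthContext shape and withTenant() wrapper are assumed stand-ins for
// the real database layer and tRPC middleware.
type TenantId = string;
// tenantId comes from the verified session, never from client-supplied input.
interface AuthContext { userId: string; tenantId: TenantId; }
interface Mention { id: string; tenantId: TenantId; text: string; }

class TenantScopedStore {
  private rows: Mention[] = [];
  insert(ctx: AuthContext, text: string): Mention {
    const row = { id: `m${this.rows.length + 1}`, tenantId: ctx.tenantId, text };
    this.rows.push(row);
    return row;
  }

  // Every read is filtered by ctx.tenantId; there is no unscoped variant.
  list(ctx: AuthContext): Mention[] {
    return this.rows.filter((r) => r.tenantId === ctx.tenantId);
  }

  // Lookup by id keeps the tenant filter, so a guessed id belonging to another
  // tenant is indistinguishable from a missing row.
  get(ctx: AuthContext, id: string): Mention | undefined {
    return this.rows.find((r) => r.id === id && r.tenantId === ctx.tenantId);
  }
}

// Middleware-style wrapper: a handler only ever receives a context whose
// tenantId was resolved server-side; unauthenticated calls are rejected.
function withTenant<TIn, TOut>(handler: (ctx: AuthContext, input: TIn) => TOut) {
  return (session: AuthContext | null, input: TIn): TOut => {
    if (!session) throw new Error("UNAUTHORIZED");
    return handler(session, input);
  };
}

// Constructed scenario: two tenants, one row each; returns what each can see.
function demo() {
  const store = new TenantScopedStore();
  const acme: AuthContext = { userId: "u1", tenantId: "acme" };
  const globex: AuthContext = { userId: "u2", tenantId: "globex" };
  const a1 = store.insert(acme, "constructed mention for acme");
  store.insert(globex, "constructed mention for globex");
  const getMention = withTenant((ctx, input: { id: string }) => store.get(ctx, input.id));
  let rejected = false;
  try { getMention(null, { id: a1.id }); } catch { rejected = true; }
  return { acmeRows: store.list(acme).length, leaked: getMention(globex, { id: a1.id }), rejected };
}
```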

Access Controls

  • Role-based access: users are scoped to their organization (tenant). Admins have additional controls but cannot view client data without an explicit context switch.
  • Least-privilege engineering access: infrastructure access is limited to a small number of operators and is logged.
  • No shared credentials: every operator has individual accounts.

Infrastructure

  • Hosting: Vercel (web), Supabase (database), Railway (agent workers). All providers offer SOC 2-compliant infrastructure.
  • Backups: daily automated database backups with point-in-time recovery.
  • Monitoring: uptime, error rates, and abnormal-access patterns are monitored 24/7.

AI Provider Security

We use Anthropic (via OpenRouter) for AI inference. Anthropic's published policy prohibits training models on customer data sent through the API. We send only the minimum data needed (the public mention text and your configured brand voice) — never your account credentials, billing data, or unrelated customer data.

Vulnerability Management

  • Dependency scanning: automated security scans on every deployment.
  • Patch cadence: critical security patches deployed within 72 hours of disclosure.
  • Code review: all production changes are reviewed before merge.

Incident Response

If a security incident occurs, our process is:

  • Detect via monitoring and alerts.
  • Contain within hours of confirmation.
  • Notify affected customers and, where applicable, supervisory authorities within 72 hours.
  • Remediate with a public post-mortem on significant incidents.

Reporting a Vulnerability

We welcome responsible disclosure. If you discover a security issue, please email security@rasadai.com with details and steps to reproduce. We commit to:

  • Acknowledge your report within 48 hours.
  • Provide an initial assessment within 7 days.
  • Credit responsible reporters in our security acknowledgments (with permission).

Please do not disclose the issue publicly until we have had a reasonable opportunity to address it.

Compliance Roadmap

We're working toward SOC 2 Type II attestation. Customers with specific compliance requirements (HIPAA, ISO 27001, regional data residency) are encouraged to discuss their needs with us at security@rasadai.com.

Data Processing Agreement

We offer a GDPR-compliant Data Processing Agreement on request. See our GDPR page for details.
