Skip to main content

Security by design

rags.cc was built for regulated industries. Every architectural decision favors privacy and traceability over convenience.

Guiding principles

  • Verifiable privacy, not blind trust
  • Evidence before eloquence: zero answers without citations
  • Multi-tenant isolation as defense in depth
  • LLM provider replaceability
  • Forensic traceability reconstructible 6+ months later
  • AWS-native end to end

Technical controls

Encryption

  • TLS 1.2+ end to end (HSTS on landing and admin)
  • S3 encrypted with per-environment KMS CMK
  • Aurora PostgreSQL encrypted at rest with KMS
  • Backups and snapshots encrypted with the same CMK
  • Aurora SSL required in transit
  • BYO KMS Key available on Enterprise tier

Multi-tenant isolation

  • Row-Level Security (RLS) in PostgreSQL — defense in depth
  • tenant_id verification in application code in addition to RLS
  • S3 keys prefixed by tenant_id with conditional IAM
  • Automated cross-tenant tests as merge gate in CI
  • Pre-response verification that no chunk belongs to another tenant
  • Physical isolation (dedicated DB) available on Enterprise+

Network and infrastructure

  • Private VPC with public/private-app/private-data subnets
  • Bedrock via private VPC Endpoint (zero internet egress)
  • S3, Secrets Manager, KMS, SQS, EventBridge, ECR via VPC endpoints
  • WAF managed rule set on CloudFront and ALB
  • Rate limiting per user and per IP
  • Security Groups with explicit allow-list between services

Identity and access

  • Amazon Cognito as single Identity Provider (see ADR-007)
  • Mandatory TOTP MFA for tenant_admin and super_admin roles
  • WebAuthn hardware keys for super_admin
  • SAML 2.0 and OIDC SSO for Business+ tier
  • Per-workspace RBAC with 5 roles
  • JWT with immutable custom:tenant_id, validated against JWKS

Audit and forensics

  • Append-only audit log at PostgreSQL level (REVOKE UPDATE, DELETE)
  • Every query logged with user, chunks, model, tokens, cost, latency
  • AWS CloudTrail org-wide for infrastructure actions
  • Configurable retention per tier (30 days Starter → 2+ years Enterprise)
  • Signed audit log export per tenant for external audits
  • Integrity verification with Merkle hash chain (Phase 3)

Secrets and credentials

  • AWS Secrets Manager with KMS (never environment variables)
  • BYO-LLM credentials with per-tenant path conditional IAM
  • Automatic Aurora password rotation every 90 days
  • JWT signing key manually rotated every 6 months
  • Automatic secret redaction in logs via regex
✓ Live

What you get today, in production

These controls are implemented and active from day one of your contract. No fine print, no future promises.

  • Encryption at rest with AWS KMS (S3, Aurora, backups, CloudWatch Logs)
  • TLS 1.2+ end-to-end with HSTS
  • Multi-tenant isolation with Row-Level Security in PostgreSQL
  • Application-level cross-tenant verification in addition to RLS
  • Automated cross-tenant RLS tests as a merge gate
  • Append-only audit log at the PostgreSQL level (not even a superadmin can modify it)
  • Amazon Cognito as IdP with mandatory TOTP MFA on admin roles
  • Private VPC with zero internet egress (Bedrock via VPC endpoint)
  • WAF managed rule set on CloudFront and ALB
  • Rate limiting per user and per IP
  • AWS CloudTrail recording all infrastructure actions
  • GDPR-ready: data export, right to erasure in <30 days, configurable retention
  • BYO-LLM available on Business+ tier (customer-rotated credentials)
  • Secrets Manager with KMS (zero secrets in code or environment variables)
  • Automatic secret redaction in logs via regex
Roadmap

Our certification commitments

Formal certifications that rags.cc is actively pursuing. These are public commitments with dates, not vague promises. If your organization requires any of these certifications before contracting, let us know and we can discuss the roadmap under NDA.

ℹ️ These are rags.cc's certifications as a company. Your organization inherits the technical controls from the section above from day one, but formal audits (SOC 2, ISO) arrive on the schedule below.

Q2 2026

in progress
  • Signable DPA template available under NDA
  • External penetration test by independent security firm
  • Legal review of terms and privacy by GDPR-specialized counsel

Q4 2026

committed
  • Optional EU data residency (eu-west-1) for Business+ customers
  • Tamper-evident audit log with Merkle-style hash chain
  • Public bug bounty program

H1 2027

committed
  • SOC 2 Type I audited by Big 4 or equivalent
  • Per-tenant BYO KMS keys
  • GDPR Article 42 certification (if applicable)

H2 2027+

planned
  • SOC 2 Type II (after 12 months of operation post-Type I)
  • ISO 27001 if contracts require it
  • Dedicated AWS account deployment per Enterprise+ tenant

Report a vulnerability

If you find a security vulnerability in rags.cc, please email us directly. We respond within 24 business hours. We have a responsible disclosure policy.

security@rags.cc