Security & Trust
Trustworthy reconciliation means the hard security parts are built in — not bolted on.
DataRecs is engineered so that the parts an enterprise security team cares about — encryption, tenant isolation, access control, auditability — are foundational to the architecture, not features added under deadline. Below is what is actually built into the platform today.
Encrypted end to end — including inside our own systems
Every credential and dataset is envelope-encrypted with a key unique to your tenant. Encryption applies in transit and at rest, and it doesn't stop at the perimeter — data stays encrypted inside our own systems too.
Per-tenant envelope encryption
Data-encryption keys are wrapped by a key-encryption key scoped to your tenant. No shared master key across tenants.
Bring Your Own Key (BYOK)
Supply and control the key-encryption key yourself when policy demands it — revoke it and the data becomes unreadable.
Bring Your Own Storage (BYOS)
Point artifact storage at your own GCS bucket. With zero-knowledge storage we never hold the plaintext — the artifacts live in your bucket, encrypted with your key.
In transit and at rest
TLS in transit and encryption at rest across storage, messaging, and database — end to end, not just at the edge.
Cryptographically isolated at every layer
Each tenant is isolated across every layer of the stack — storage, messaging, database, and compute. No shared buckets. No shared keys.
“It is better for the whole platform to go down than for one tenant to see another tenant's data.”
Isolated object storage
A dedicated storage bucket per tenant, reachable only with a scoped key that can touch nothing else.
Isolated messaging
Each tenant gets its own cryptographically isolated messaging account — events never cross the boundary.
Isolated database schemas
Tenant data lives in its own database schema with per-tenant, dynamically provisioned credentials.
Namespaces & network policies
Each tenant runs in its own Kubernetes namespace with network policies restricting what it can reach.
Enterprise access control and full auditability
Bring your identity provider, provision users automatically, and control exactly what each person and key can do — with a complete record of who did what.
SSO via OIDC
Single sign-on through your OIDC identity provider.
SCIM provisioning
Automatic user provisioning and de-provisioning so access follows your directory.
Granular RBAC
Role-based access control with fine-grained permissions across the platform.
Scoped API keys
Issue API keys with fine-grained, least-privilege permissions.
Comprehensive audit logging
All activity is recorded for security review and incident investigation.
JWT signing-key rotation
Signing keys rotate so a leaked token can be invalidated without downtime.
Network & egress controls
Reconciliation reaches into your databases — so we tightly control where it's allowed to go. Kubernetes network-egress policies mean the platform can only reach the endpoints it's explicitly permitted to, and nothing else.
- Strict egress policies to customer databases
- Deny-by-default networking — explicit allow-lists only
- No lateral reach beyond the endpoints you approve
Data sovereignty & deployment
The identical stack runs on any Kubernetes cluster — so your data can live exactly where policy requires. No cloud-provider lock-in, and a real disaster-recovery story for every stateful component.
- Run on Hetzner, Civo, your own datacentre, or fully airgapped
- No cloud-provider lock-in — Kubernetes is the only dependency
- Backup and restore for every stateful component
- Canary rollouts, one tenant at a time
Compliance
Our architecture is built to satisfy enterprise security review — encryption, tenant isolation, audit logging, and access control are all in place. Formal certifications are on our roadmap. We're happy to walk your security team through the architecture and discuss your specific requirements.
Talk to us about a security review
Join the Design Partner Program
We're working closely with a small group of early customers to shape DataRecs around real enterprise security requirements. If that's you, let's talk.
Become a Design Partner
Bring your security team — we'll show you the architecture
Encryption, isolation, audit, and access control are already built in. Let's map them to your requirements on your own data.