SECURITY · COMPLIANCE · PRIVACY

Built for the team that has to sign off.

mTLS between every internal hop. AES-256-GCM on every secret. A tamper-evident audit log enforced by the database. Your CISO will recognize every control.

CONTROL CATALOGUE

Security controls, by design.

The controls a security review asks about, built into the architecture, not bolted on.
CRYPTO · tls 1.3 · aes-256-gcm

Encryption everywhere, every direction.

TLS 1.3 on every inbound and outbound hop, mutual auth available throughout. AES-256-GCM for secrets at rest.

KEY MGMT · bring your own kms

Your keys. Your KMS. Your control.

BYOK against AWS, GCP, Azure, Vault, or HSM. Per-tenant keys wrapped with a customer-controlled master. Instant revocation.

AUDIT LOG · sha-256 hash chain

Tamper-evident, enforced at the database.

Each entry hashes the previous one, so any retroactive edit breaks the chain. Append-only triggers reject updates and deletes.

IDENTITY · oauth · oidc · jwt · mtls

Authenticate inbound with anything.

JWT, OAuth2, API key, mTLS, SigV4, and custom schemes, mixable per route. Outbound auth is an independent choice.

PII · redact in flight

PII never leaves the gateway un-masked.

JSONPath and regex redaction on responses. The audit log records the path of a redacted field, never the value.

SECRETS · never on disk

Secrets are fetched, not stored.

Upstream credentials pulled from your secret store at request time, cached in encrypted memory briefly, never written to disk.

DATA FLOW

Encrypted at every hop. Including yours.

From the caller's keyboard to the upstream's response, no byte is in plaintext on any wire we control. The encryption envelope below is enforced by the gateway; it is not a marketing claim.

Caller → trAPIoka edge [AEAD]: tls 1.3 · client mtls available
Edge → transformer (intra-pod) [mTLS]: spiffe mtls · ephemeral certs
Transformer → upstream [AEAD]: tls 1.3 · upstream-supplied cert pin
trAPIoka platform → cloud connector [mTLS]: outbound-only · certificate pinned
Secrets at rest [BYOK]: aes-256-gcm · per-tenant dek
Audit log at rest [SEALED]: aes-256-gcm + sha-256 chain
Cross-region replication [AEAD]: tls 1.3 · per-region kek

AUDIT LEDGER

If it touches the wire, it's on the chain.

Every request is a block. Every block contains the SHA-256 of the previous block. The database enforces append-only at the trigger layer. Even a superuser cannot retroactively edit history; they can only break the chain, and tpk verify will tell you so.

AUDIT LEDGER · /us-east-1 · blocks 4,201,881 → 4,201,884 · ● CHAIN INTACT
#4,201,881
POST /v2/payments · payments-modernize@v18
caller=web-checkout · upstream=core.internal · 1.04ms
hash=e8c2…a4f9200
#4,201,882
GET /v2/inventory/42 · inventory-sync@v4
caller=mobile-ios-v3 · upstream=erp.legacy · 1.71ms
hash=a4f9…7c11200
#4,201,883
SSH exec · show ip route · network-ops@v2
caller=ops-runbook · upstream=switch-iad-04 · 38ms
hash=7c11…3bd0200
#4,201,884
GET /v2/payments/482 · payments-modernize@v18
caller=web-checkout · upstream=core.internal · redacted=2 fields · 0.84ms
hash=3bd0…f1a5200
$ tpk verify --range 4201881..4201884    ✓ 4 blocks · chain intact · 0 anomalies · verified in 12ms
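The chain check described above, as an added illustration (not trAPIoka's code or its tpk tool): each block commits to the SHA-256 of its predecessor, and a verifier walks the chain from an assumed all-zero genesis hash. The entries, the field names and the block numbering are constructed to mirror the ledger shown; the example also shows the two ways an insider edit surfaces, whether or not the edited block's own hash is recomputed.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumption: the chain anchors to an all-zero hash


def block_hash(prev_hash: str, entry: dict) -> str:
    """SHA-256 over the previous block's hash plus the canonical JSON of this entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def build_chain(entries, first_block=1):
    """Append each entry as a block that commits to its predecessor's hash."""
    chain, prev = [], GENESIS
    for n, entry in enumerate(entries, start=first_block):
        h = block_hash(prev, entry)
        chain.append({"n": n, "prev": prev, "entry": entry, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return the block numbers whose stored hash or prev link does not recompute."""
    anomalies, prev = [], GENESIS
    for b in chain:
        if b["prev"] != prev or block_hash(b["prev"], b["entry"]) != b["hash"]:
            anomalies.append(b["n"])
        prev = b["hash"]
    return anomalies


# Constructed sample entries modelled on the four ledger rows above.
ENTRIES = [
    {"method": "POST", "path": "/v2/payments", "caller": "web-checkout", "upstream": "core.internal"},
    {"method": "GET", "path": "/v2/inventory/42", "caller": "mobile-ios-v3", "upstream": "erp.legacy"},
    {"method": "SSH", "path": "show ip route", "caller": "ops-runbook", "upstream": "switch-iad-04"},
    {"method": "GET", "path": "/v2/payments/482", "caller": "web-checkout", "upstream": "core.internal"},
]


def tamper_demo():
    """Intact chain, a naive edit of block 2, and an edit that also re-hashes block 2."""
    chain = build_chain(ENTRIES, first_block=4201881)
    naive = copy.deepcopy(chain)
    naive[1]["entry"]["caller"] = "someone-else"  # stored hash of block 2 no longer matches
    rehashed = copy.deepcopy(naive)
    rehashed[1]["hash"] = block_hash(rehashed[1]["prev"], rehashed[1]["entry"])  # block 2 consistent again
    return verify_chain(chain), verify_chain(naive), verify_chain(rehashed)  # [], [4201882], [4201883]
```

Re-hashing the edited block only moves the break to its successor, whose stored prev link no longer matches; hiding the edit would require rewriting every later block, which the append-only triggers refuse.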
THREAT MODEL · EXCERPT

Six things we lose sleep over, and what we did about them.

Full STRIDE-mapped threat model in the whitepaper. Below: the questions your CISO will ask, and the controls that answer them.
THREAT 01 · TAMPERING

Insider edits the audit log.

A privileged operator changes a historical request entry to erase evidence of an unauthorized action.

SHA-256 chain + DB-level append-only.

Edits break the chain. Triggers reject the write. Continuous off-site verification.

THREAT 02 · DISCLOSURE

Misconfigured route exposes PII.

A transform omits a redaction rule and customer SSNs leak to a downstream system.

Mandatory redaction policy at the tenant level.

Tenant policies can require redaction for declared PII paths; routes that omit them fail validation.

THREAT 03 · SPOOFING

Caller impersonates another tenant.

An attacker presents a JWT for a different tenant to access routes they shouldn't.

Tenant binding at route resolution.

JWT tid claim is matched against the route's tenant. Mismatch returns 403 before transform even begins.

THREAT 04 · DoS

Upstream is slow; gateway exhausts.

A backend slows; the gateway accumulates pending requests until the pool dies.

Hedged requests + circuit breakers per upstream.

Pool isolation prevents one bad upstream from starving others. Adaptive load shedding kicks in before exhaustion.

THREAT 05 · ELEVATION

Script execution escapes its sandbox.

A transformation script tries to read the filesystem or open a network socket.

Sandboxed VM, no syscalls, CPU-bounded.

Lua and JS run in deny-by-default sandboxes. No filesystem, no net, no env. CPU and memory bounded per invocation.

THREAT 06 · SUPPLY CHAIN

Tampered binary in distribution.

A binary or container image is modified between Rallyum's build and customer install.

Sigstore-signed builds, in-toto attestation.

Customers verify signatures and attestations before install. Air-gap bundles ship with offline-verifiable provenance.

SECURITY REVIEW

Ready for your security team.

Architecture overview, data-flow diagrams, and a security questionnaire walkthrough, available on request. Talk to us about what your review needs.