Security at Rasm

All customer data is encrypted at rest in our Postgres database and encrypted in transit using TLS 1.3. Credentials and API tokens are stored using industry-standard key management.

We support OAuth via Google as the primary sign-in method. Password-based accounts use bcrypt with 12 rounds for hashing. Sessions are issued as signed JWT tokens with a short lifetime.

Rasm is hosted on Vercel (SOC 2 Type II) and backed by a managed Postgres database with automated daily backups. Our infrastructure providers handle physical security and hardware-level isolation.

Role-based access control is enforced throughout the product — Admin, Member, and Viewer roles have scoped permissions. Organization-level isolation ensures data from one workspace is never accessible to another.

All inbound webhooks from Slack, GitHub, and Paddle are authenticated via HMAC signature verification. Requests with invalid or missing signatures are rejected before any processing.

We only persist scanned content and violation metadata required to provide monitoring and reporting. Raw message archiving is never enabled without explicit customer opt-in, and retention periods are fully customer-controlled.

If you believe you have found a security vulnerability, please email security@rasm.ai. We triage all reports within one business day and coordinate responsible disclosure.