Security & Trust
Enterprise-Grade Security. Built Into Every Layer.
Your data is never stored on our servers. Your security policies are our security policies.
Our Security Philosophy
At Rollio, security isn't a feature — it's our foundation. We've architected our platform from day one with one principle: you maintain control, your data stays yours, your security framework is ours.
We don't ask you to trust us with your data. We've designed our system so you never have to.
Core Principle
Zero Data-at-Rest Architecture
Unlike traditional SaaS platforms, Rollio doesn't store your business data.
Your Systems (Salesforce, SAP, Celonis)
↓
[Rollio Agent reads data]
↓
[Process in-memory, execute decision]
↓
[Write results back to YOUR systems]
↓
[Data discarded — never written to disk]
Most breaches involve data at rest in databases. By never persisting your data, we remove that attack surface entirely: there is no Rollio-side store of your records to exfiltrate, back up, or leak.
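The read, process, write-back, discard cycle above, as an added Python example that is not Rollio's code. `FakeSourceSystem`, `decide_discount` and the sample records are constructed stand-ins for the customer's system and the agent's decision. What it adds to the diagram is the practitioner's reading of "discarded": the working buffer is overwritten in place (dropping a reference does not clear memory), and it carries an HMAC tag under a fresh per-step key so a corrupted or tampered copy is refused before anything is written back.

```python
import hashlib
import hmac
import json
import secrets


class FakeSourceSystem:
    """Constructed stand-in for the customer's system of record (CRM, ERP)."""

    def __init__(self, records: dict):
        self._records = {k: dict(v) for k, v in records.items()}
        self.writes = []                      # audit trail of what came back

    def read(self, record_id: str) -> dict:
        return dict(self._records[record_id])

    def write(self, record_id: str, fields: dict) -> None:
        self._records[record_id].update(fields)
        self.writes.append((record_id, dict(fields)))


class WorkingCopy:
    """The agent's only copy of the data while a step runs.

    - kept in a mutable bytearray so it can be overwritten, not just dropped;
    - tagged with an HMAC under a fresh per-step key so corruption or tampering
      of the buffer is caught before anything is written back.
    """

    def __init__(self, payload: dict):
        self._key = bytearray(secrets.token_bytes(32))
        self.buf = bytearray()
        self.wiped = False
        self.update(payload)

    def _mac(self) -> bytes:
        return hmac.new(self._key, self.buf, hashlib.sha256).digest()

    def update(self, payload: dict) -> None:
        self.buf = bytearray(json.dumps(payload, sort_keys=True).encode())
        self._tag = self._mac()

    def load(self) -> dict:
        if not hmac.compare_digest(self._tag, self._mac()):
            raise ValueError("working copy failed integrity check")
        return json.loads(bytes(self.buf))

    def wipe(self) -> None:
        """Overwrite buffer and key in place; the step's data is now gone."""
        self.buf[:] = b"\x00" * len(self.buf)
        self._key[:] = b"\x00" * len(self._key)
        self.wiped = True


def decide_discount(record: dict) -> dict:
    """Made-up decision rule standing in for whatever the agent does."""
    if record["stage"] == "negotiation" and record["amount"] >= 50_000:
        return {"discount_pct": 10}
    return {"discount_pct": 0}


def run_step(source: FakeSourceSystem, record_id: str) -> WorkingCopy:
    """Read -> process in memory -> write back -> wipe, with no persistence."""
    copy = WorkingCopy(source.read(record_id))
    try:
        decision = decide_discount(copy.load())
        copy.update(decision)
        source.write(record_id, copy.load())   # tag re-verified on the way out
    finally:
        copy.wipe()                            # runs even if the step fails
    return copy


def tampering_is_detected() -> bool:
    """A modified buffer must never reach the customer's system."""
    copy = WorkingCopy({"amount": 75_000, "stage": "negotiation"})
    copy.buf[-2] ^= 0x01                       # one flipped bit
    try:
        copy.load()
        return False
    except ValueError:
        return True
    finally:
        copy.wipe()


SAMPLE_RECORDS = {                             # constructed sample data
    "opp-1": {"stage": "negotiation", "amount": 75_000},
    "opp-2": {"stage": "prospecting", "amount": 120_000},
}

if __name__ == "__main__":
    src = FakeSourceSystem(SAMPLE_RECORDS)
    for rid in SAMPLE_RECORDS:
        wc = run_step(src, rid)
        print(rid, src.read(rid), "wiped:", wc.wiped and not any(wc.buf))
    print("tampering detected:", tampering_is_detected())
```

The same discipline has to extend to anything that can copy the buffer without asking: a log line, an exception handler that serializes state, or a crash dump will put "in-memory only" data on disk just as surely as a database write would.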
Identity & Access
Inherited Security & Permissions
You've already secured your data in your systems. Rollio respects that.
- You set permissions. In Salesforce, SAP, or any system, you define who can access what.
- Rollio respects your permissions. Agents inherit your model — if a user can't access data in Salesforce, they can't access it through Rollio.
- No separate security model. You don't manage security twice. Your existing framework is your Rollio framework.
- User authentication. Users authenticate through your systems (SAML, OAuth, etc.), not Rollio.
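To make the inheritance point concrete, here is an added Python model that is not Rollio's code; the source system, users, fields and the `svc-agent` integration user are constructed for illustration. It contrasts an agent that queries the source as the requesting user with the anti-pattern the bullets rule out: a privileged integration user plus a copied permission list inside the agent. When the customer revokes a field in the source, only the delegated path reflects the change.

```python
from dataclasses import dataclass


@dataclass
class FakeSourceSystem:
    """Constructed stand-in for the customer's system of record. It enforces
    field-level read permissions on every query, the way the source system
    (not the agent) is meant to."""
    records: dict            # record_id -> {field: value}
    field_access: dict       # user -> set of readable fields

    def query(self, user: str, record_id: str) -> dict:
        allowed = self.field_access.get(user)
        if not allowed:
            raise PermissionError(f"{user!r} may not read {record_id!r}")
        return {k: v for k, v in self.records[record_id].items() if k in allowed}


def build_source() -> FakeSourceSystem:
    """Constructed sample data: one opportunity, two users, one integration user."""
    return FakeSourceSystem(
        records={"opp-1": {"name": "Acme renewal", "amount": 75_000, "margin": 0.42}},
        field_access={
            "alice": {"name", "amount"},
            "bob": {"name"},
            "svc-agent": {"name", "amount", "margin"},   # over-privileged integration user
        },
    )


def agent_with_delegated_auth(source, user, record_id):
    """Pattern the page describes: the agent calls the source as the requesting
    user, so the source system's own permission check is the only check."""
    return source.query(user, record_id)


def agent_with_service_account(source, user, record_id, cached_acl,
                               integration_user="svc-agent"):
    """Anti-pattern: a privileged integration user fetches everything and the
    agent filters with its own copy of the permission model."""
    full = source.query(integration_user, record_id)
    allowed = cached_acl.get(user, set())
    return {k: v for k, v in full.items() if k in allowed}


def snapshot_acl(source) -> dict:
    """What a 'separate security model' looks like: a copy taken at setup time."""
    return {u: set(f) for u, f in source.field_access.items()}


def revoke_field(source, user, fieldname) -> None:
    """The customer tightens permissions in the source system only."""
    source.field_access[user].discard(fieldname)


def unauthorized_user_is_rejected(source, user, record_id) -> bool:
    """With delegated auth, a user unknown to the source gets nothing at all."""
    try:
        agent_with_delegated_auth(source, user, record_id)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    src = build_source()
    cached = snapshot_acl(src)
    revoke_field(src, "alice", "amount")     # change made only in the source
    print("delegated:", agent_with_delegated_auth(src, "alice", "opp-1"))
    print("service account:", agent_with_service_account(src, "alice", "opp-1", cached))
    print("unknown user rejected:", unauthorized_user_is_rejected(src, "mallory", "opp-1"))
```

The check to ask for during evaluation is which of these two shapes the integration actually uses: a per-user OAuth grant (the first function) inherits the source's permissions by construction, while a shared integration user with broad scopes (the second) has to re-implement them and will drift.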
Encryption
Encryption & Data Protection
In transit
TLS 1.2+ for all communication. HTTPS for web, TLS for APIs, encrypted webhooks for events.
During processing
Data exists only for the duration of a processing step and only in memory: temporary caches are encrypted, and the working memory is isolated from other workloads. Nothing is written to persistent storage.
In your systems
Your source data remains in your systems with your own encryption standards.
Infrastructure & Certification
Built on AWS. Audited Annually.
Cloud infrastructure: AWS
- 99.99% uptime SLA
- Global data centers with redundancy
- DDoS protection (AWS Shield)
- Physical security (armed guards, biometric access)
- Continuous monitoring and threat detection
SOC 2 Type II
Independently audited annually against the AICPA Trust Services Criteria for Security, Availability, Confidentiality, Processing Integrity, and Privacy. Scope: all Rollio production systems, infrastructure, and operations.
Controls
Security Controls
Access controls
- SAML/OAuth via your IdP
- MFA supported
- No passwords stored on Rollio
- RBAC enforced; periodic key rotation
- Least-privilege admin access, fully audited
Network security
- AWS WAF + Shield (DDoS)
- Intrusion detection/prevention
- IP allowlisting for enterprise
- OAuth 2.0; HTTPS-only
- Rate limiting and API monitoring
Data security
- TLS 1.2+ in transit
- AES-256 for temporary caches
- Zero permanent storage
- Checksums & tamper detection
- Audit logging on all data access
Monitoring & detection
- 24/7 real-time monitoring
- Log aggregation & analysis
- Threat intelligence integration
- Automated alerting
- Incident Response Team on call
Backup & disaster recovery
Regular backups of platform code and configurations. RTO < 1 hour. RPO < 5 minutes. Disaster recovery tested quarterly.
Vulnerability Management
Secure Development & Patch Management
Secure development
- Secure coding practices
- Peer + security code reviews
- SAST on all code
- Dynamic analysis in staging
Dependencies
- Regular dependency scanning
- Automated patching
- Version pinning
- SBOM available
Penetration testing
- Annual 3rd-party pentest
- Quarterly internal assessments
- Continuous vulnerability scanning
Patch SLA
- Severity 1 — within 24 hours
- Severity 2 — within 7 days
- Severity 3 — within 30 days
- Zero-day — emergency response activated
Incident Response
In Case of a Security Incident
- Immediate response. Incident Response Team activated immediately.
- Containment. Incident isolated to prevent spread.
- Investigation. Root cause analysis begins.
- Notification. Affected customers notified promptly (24–72h depending on jurisdiction).
- Remediation. Fix developed and deployed.
- Post-mortem. Review conducted to prevent recurrence.
Third-party security
All vendors undergo security assessment, sign a DPA, are reviewed regularly, and must comply with SOC 2 or equivalent. Current critical sub-processor: AWS (SOC 2 Type II, 99.99% SLA).
Employee security
Background checks, identity verification, and reference checks for all employees. Annual security awareness training. Secure coding training for engineers. Least-privilege access, monitored and revoked immediately on termination.
Your Audit Rights
You may review our SOC 2 audit report under NDA, request security documentation, conduct your own audits upon notice, and ask security questions during evaluation. Email security@rollio.ai with "Audit Request" in the subject.
Security Best Practices for Your Team
- Enforce strong passwords and MFA in your IdP for every user who can reach the Rollio console; console sign-in goes through your IdP, not a Rollio password.
- Regularly review and revise user permissions in source systems; Rollio agents inherit whatever those permissions allow.
- Monitor Rollio agent activity logs.
- Keep source systems (Salesforce, SAP, etc.) current.
- Report any suspected issues to us immediately.
Ready to dig into the details?
Security team: security@rollio.ai