
Security & Trust

Enterprise-Grade Security. Built Into Every Layer.

Your data never touches our servers. Your security policies are our security policies.

Our Security Philosophy

At Rollio, security isn't a feature — it's our foundation. We've architected our platform from day one with one principle: you maintain control, your data stays yours, your security framework is ours.

We don't ask you to trust us with your data. We've designed our system so you never have to.

Core Principle

Zero Data-at-Rest Architecture

Unlike traditional SaaS platforms, Rollio doesn't store your business data.

Your Systems (Salesforce, SAP, Celonis)
    ↓
[Rollio Agent reads data]
    ↓
[Process in-memory, execute decision]
    ↓
[Write results back to YOUR systems]
    ↓
[Data discarded — never written to disk]
  • Your data is never at rest on our servers
  • No backup databases to compromise
  • No long-term data liability
  • Maximum security, minimum risk

Most breaches involve data at rest in databases. By never storing your data, we eliminate the biggest attack surface.

Identity & Access

Inherited Security & Permissions

You've already secured your data in your systems. Rollio respects that.

  1. You set permissions. In Salesforce, SAP, or any system, you define who can access what.
  2. Rollio respects your permissions. Agents inherit your model — if a user can't access data in Salesforce, they can't access it through Rollio.
  3. No separate security model. You don't manage security twice. Your existing framework is your Rollio framework.
  4. User authentication. Users authenticate through your systems (SAML, OAuth, etc.), not Rollio.

Encryption

Encryption & Data Protection

In transit

TLS 1.2+ for all communication. HTTPS for web, TLS for APIs, encrypted webhooks for events.

At rest (when brief)

When data momentarily exists during processing: in-memory only, encrypted temporary caches, secure memory isolation.

In your systems

Your source data remains in your systems with your own encryption standards.

Infrastructure & Certification

Built on AWS. Audited Annually.

Cloud infrastructure: AWS

  • 99.99% uptime SLA
  • Global data centers with redundancy
  • DDoS protection (AWS Shield)
  • Physical security (armed guards, biometric access)
  • Continuous monitoring and threat detection

SOC 2 Type II

Independently audited annually against AICPA standards for Security, Availability, Confidentiality, Processing Integrity, and Privacy. Scope: all Rollio production systems, infrastructure, and operations.

Controls

Security Controls

Access controls

  • SAML/OAuth via your IdP
  • MFA supported
  • No passwords stored on Rollio
  • RBAC enforced; periodic key rotation
  • Least-privilege admin access, fully audited

Network security

  • AWS WAF + Shield (DDoS)
  • Intrusion detection/prevention
  • IP whitelisting for enterprise
  • OAuth 2.0; HTTPS-only
  • Rate limiting and API monitoring

Data security

  • TLS 1.2+ in transit
  • AES-256 for temporary caches
  • Zero permanent storage
  • Checksums & tamper detection
  • Audit logging on all data access

Monitoring & detection

  • 24/7 real-time monitoring
  • Log aggregation & analysis
  • Threat intelligence integration
  • Automated alerting
  • Incident Response Team on call

Backup & disaster recovery

Regular backups of platform code and configurations. RTO < 1 hour. RPO < 5 minutes. Disaster recovery tested quarterly.

Vulnerability Management

Secure Development & Patch Management

Secure development

  • Secure coding practices
  • Peer + security code reviews
  • SAST on all code
  • Dynamic analysis in staging

Dependencies

  • Regular dependency scanning
  • Automated patching
  • Version pinning
  • SBOM available

Penetration testing

  • Annual 3rd-party pentest
  • Quarterly internal assessments
  • Continuous vulnerability scanning

Patch SLA

  • Severity 1 — within 24 hours
  • Severity 2 — within 7 days
  • Severity 3 — within 30 days
  • Zero-day — emergency response activated

Incident Response

In Case of a Security Incident

  1. Immediate response. Incident Response Team activated immediately.
  2. Containment. Incident isolated to prevent spread.
  3. Investigation. Root cause analysis begins.
  4. Notification. Affected customers notified promptly (24–72h depending on jurisdiction).
  5. Remediation. Fix developed and deployed.
  6. Post-mortem. Review conducted to prevent recurrence.

Third-party security

All vendors undergo security assessment, sign a DPA, are reviewed regularly, and must comply with SOC 2 or equivalent. Current critical sub-processor: AWS (SOC 2 Type II, 99.99% SLA).

Employee security

Background checks, identity verification, and reference checks for all employees. Annual security awareness training. Secure coding training for engineers. Least-privilege access, monitored and revoked immediately on termination.

Your Audit Rights

You may review our SOC 2 audit report under NDA, request security documentation, conduct your own audits upon notice, and ask security questions during evaluation. Email security@rollio.ai with "Audit Request" in the subject.

Security Best Practices for Your Team

  • Use strong passwords and MFA for Rollio console access.
  • Regularly review and revise user permissions in source systems.
  • Monitor Rollio agent activity logs.
  • Keep source systems (Salesforce, SAP, etc.) current.
  • Report any suspected issues to us immediately.

Ready to dig into the details?

Security team: security@rollio.ai