For IT, security, and the teams who report at scale
Built for the teams that report at scale.
SAML SSO, SCIM directory sync, BYOK encryption across four KMS providers, immutable hash-chained audit log, per-org data residency, custom-domain delivery. Every report under enterprise governance from day one.
- GDPR
- SAML SSO + OIDC
- SCIM 2.0
- BYOK encryption
- Row-level security
- Immutable audit log
- EU-hosted
SAML 2.0 SSO
Okta, Azure AD, Google Workspace, OneLogin, custom IdPs. JIT provisioning.
OIDC SSO
Standard OIDC metadata discovery + JIT provisioning.
SCIM 2.0 directory sync
Users, groups, role mapping. Per-org tokens hashed at rest (never plaintext).
Conditional access
IP allowlists, enforced SSO per domain, session policies.
API keys with TTL
Named keys, scoped permissions, expiration. Revocable from admin UI.
Break-glass admin
Time-boxed emergency grants. Every action recorded. Reviewable in audit export.
Architecture & trust boundaries → · STRIDE threat model → · Remediation SLAs →
02
Data security & residency
Your data stays where it lives. Encrypted with the key you control.
Rahoto sits on top of your warehouse — your data does not leave it unless a published report needs it. Field-level encryption with bring-your-own-key across AWS KMS, GCP Cloud KMS, HashiCorp Vault, or our platform default. Per-org data residency pins where compute and storage happen. Connections into networks you control are secured with client-certificate mTLS, with certificate material encrypted at rest per organisation — and a customer-VPC relay agent is in design with early partners, its enrollment contract and certificate pinning already built.
BYOK across 4 KMS providers
AWS KMS, GCP Cloud KMS, HashiCorp Vault, or platform default. Per-org rotation.
Field-level encryption
AES-256-GCM. Credentials, sensitive columns encrypted with your org key.
PII redaction
Column classification, automatic masking in renders, logs, and audit events.
Data residency
Primary + secondary regions per org. Provider allowlist enforced at the DB.
mTLS connector security
Client-certificate mTLS on connections to your databases. Cert + key encrypted at rest, per-org.
FIPS mode
Detected at boot. Enforceable per-environment. Required for GovCloud deploys.
Sub-processor list → · Architecture & trust boundaries → · STRIDE threat model →
03
Audit & evidence
Every action signed. Every chain verifiable. Every record exportable.
The audit log is append-only and hash-chained — each entry references the hash of the previous, making tamper impossible to hide. A daily integrity job walks the chain and alerts on any break. Publication changes, role changes, secret access, schedule edits, and data access all flow into the same log. GDPR data subject requests have a dedicated workflow. Continuous monitoring beacons emit to your SOC's Splunk-, Qualys-, or Tenable-compatible endpoint.
Hash-chained audit log
Append-only. Daily integrity verification. Tamper-detection alerts.
9 core audit event types
Login, logout, password change, role change, quota override, publication, secret access, secret rotation, session revoke.
Publication audit trail
Schedule, targets, variants, policies, retention — every change attributed and timestamped.
Data access log
Field-level access tracking for auditors and DSR investigations.
GDPR Data Subject Requests
Built-in workflow for export and deletion. Audited end-to-end.
Continuous monitoring
FedRAMP-style CM-6 and CA-7 beacons to any Splunk HEC-, Qualys-, or Tenable-compatible webhook.
Remediation SLAs → · Architecture & trust boundaries → · All compliance documents →
What ships in the box
Thirty-six enterprise capabilities. Already in production.
Every item below is shipped code — not roadmap. The links above point to the source documentation. Onboarding does not depend on us shipping anything new for you.
Authentication
- SAML 2.0
- OIDC
- SCIM 2.0
- Conditional access
- API keys with TTL
- Enforced SSO per domain
Authorization
- RBAC · 5 roles
- Per-resource permissions
- PostgreSQL RLS
- Org isolation
- Workspace membership
- Break-glass admin
Data security
- BYOK · 4 providers
- Field encryption
- PII redaction
- Secret rotation
- FIPS mode
- mTLS connector security
Audit & compliance
- Hash-chained log
- Audit export (JSON/CSV)
- GDPR DSR workflow
- Data access log
- Continuous monitoring
- Public Trust Portal
Operations
- Per-org quotas
- Custom domains
- Delivery receipts
- Cancellation control
- Preflight gates
- Org-level metrics
Reliability
- Redis-backed shared state
- Artifact recovery service
- S3 versioned artifacts
- Replay-on-reconnect
- Periodic snapshots
- Audit DR plan
Architecture at a glance
Sits on your stack. Doesn't replace it.
Rahoto reads from your warehouse or semantic layer, composes the report in our runtime, delivers it to your channels. Your data doesn't leave its home unless a published report needs it. Six trust boundaries documented and verified.
Read the full architecture (with trust boundaries, identity sources, key services, and operational hooks) in our public architecture document.
- 1Your warehouseSnowflake, BigQuery, Redshift, Postgres, SQL Server, Oracle…
- 2Semantic layer (yours, optional)dbt, Cube, Looker semantic models
- 3Rahoto runtimeCompose, validate, render, audit
- 4Delivery surfacesSlack, email, PDF, custom-domain viewer, embedded
Procurement
We can answer the questionnaire.
Contracts
- Custom MSA on request
- DPA template available on request
- Net-30 / Net-60 / annual billing
- Order forms via DocuSign
Pricing
- Per-seat or platform pricing
- Volume tiers above 50 seats
- Annual prepay discount
- Pilot pricing for design partners
Implementation
- SSO + SCIM wired in your first session
- BYOK configured before first production report
- Custom-domain delivery in week one
- Migration help from existing tools

Bring your runtime under enterprise control.
Talk to our enterprise team about your data perimeter, identity stack, and reporting calendar. We'll work out residency, BYOK, and SCIM mapping before you sign anything.
Prefer email? [email protected]