Skip to content

For IT, security, and the teams who report at scale

Built for the teams that report at scale.

SAML SSO, SCIM directory sync, BYOK encryption across four KMS providers, immutable hash-chained audit log, per-org data residency, custom-domain delivery. Every report under enterprise governance from day one.

  • GDPR
  • SAML SSO + OIDC
  • SCIM 2.0
  • BYOK encryption
  • Row-level security
  • Immutable audit log
  • EU-hosted

01

Identity & access

Plug into your IdP. We follow your security policy, not ours.

Rahoto speaks SAML 2.0, OIDC, and SCIM 2.0 out of the box. Verified domains can enforce SSO so password login is blocked. Conditional access policies (IP allowlists, domain-pinned MFA) attach at the org level. Break-glass admin grants are time-boxed and every action is signed into the audit log.

  • SAML 2.0 SSO

    Okta, Azure AD, Google Workspace, OneLogin, custom IdPs. JIT provisioning.

  • OIDC SSO

    Standard OIDC metadata discovery + JIT provisioning.

  • SCIM 2.0 directory sync

    Users, groups, role mapping. Per-org tokens hashed at rest (never plaintext).

  • Conditional access

    IP allowlists, enforced SSO per domain, session policies.

  • API keys with TTL

    Named keys, scoped permissions, expiration. Revocable from admin UI.

  • Break-glass admin

    Time-boxed emergency grants. Every action recorded. Reviewable in audit export.

02

Data security & residency

Your data stays where it lives. Encrypted with the key you control.

Rahoto sits on top of your warehouse — your data does not leave it unless a published report needs it. Field-level encryption with bring-your-own-key across AWS KMS, GCP Cloud KMS, HashiCorp Vault, or our platform default. Per-org data residency pins where compute and storage happen. Connections into networks you control are secured with client-certificate mTLS, with certificate material encrypted at rest per organisation — and a customer-VPC relay agent is in design with early partners, its enrollment contract and certificate pinning already built.

  • BYOK across 4 KMS providers

    AWS KMS, GCP Cloud KMS, HashiCorp Vault, or platform default. Per-org rotation.

  • Field-level encryption

    AES-256-GCM. Credentials, sensitive columns encrypted with your org key.

  • PII redaction

    Column classification, automatic masking in renders, logs, and audit events.

  • Data residency

    Primary + secondary regions per org. Provider allowlist enforced at the DB.

  • mTLS connector security

    Client-certificate mTLS on connections to your databases. Cert + key encrypted at rest, per-org.

  • FIPS mode

    Detected at boot. Enforceable per-environment. Required for GovCloud deploys.

03

Audit & evidence

Every action signed. Every chain verifiable. Every record exportable.

The audit log is append-only and hash-chained — each entry references the hash of the previous, making tamper impossible to hide. A daily integrity job walks the chain and alerts on any break. Publication changes, role changes, secret access, schedule edits, and data access all flow into the same log. GDPR data subject requests have a dedicated workflow. Continuous monitoring beacons emit to your SOC's Splunk-, Qualys-, or Tenable-compatible endpoint.

  • Hash-chained audit log

    Append-only. Daily integrity verification. Tamper-detection alerts.

  • 9 core audit event types

    Login, logout, password change, role change, quota override, publication, secret access, secret rotation, session revoke.

  • Publication audit trail

    Schedule, targets, variants, policies, retention — every change attributed and timestamped.

  • Data access log

    Field-level access tracking for auditors and DSR investigations.

  • GDPR Data Subject Requests

    Built-in workflow for export and deletion. Audited end-to-end.

  • Continuous monitoring

    FedRAMP-style CM-6 and CA-7 beacons to any Splunk HEC-, Qualys-, or Tenable-compatible webhook.

What ships in the box

Thirty-six enterprise capabilities. Already in production.

Every item below is shipped code — not roadmap. The links above point to the source documentation. Onboarding does not depend on us shipping anything new for you.

Authentication

  • SAML 2.0
  • OIDC
  • SCIM 2.0
  • Conditional access
  • API keys with TTL
  • Enforced SSO per domain

Authorization

  • RBAC · 5 roles
  • Per-resource permissions
  • PostgreSQL RLS
  • Org isolation
  • Workspace membership
  • Break-glass admin

Data security

  • BYOK · 4 providers
  • Field encryption
  • PII redaction
  • Secret rotation
  • FIPS mode
  • mTLS connector security

Audit & compliance

  • Hash-chained log
  • Audit export (JSON/CSV)
  • GDPR DSR workflow
  • Data access log
  • Continuous monitoring
  • Public Trust Portal

Operations

  • Per-org quotas
  • Custom domains
  • Delivery receipts
  • Cancellation control
  • Preflight gates
  • Org-level metrics

Reliability

  • Redis-backed shared state
  • Artifact recovery service
  • S3 versioned artifacts
  • Replay-on-reconnect
  • Periodic snapshots
  • Audit DR plan

Architecture at a glance

Sits on your stack. Doesn't replace it.

Rahoto reads from your warehouse or semantic layer, composes the report in our runtime, delivers it to your channels. Your data doesn't leave its home unless a published report needs it. Six trust boundaries documented and verified.

Read the full architecture (with trust boundaries, identity sources, key services, and operational hooks) in our public architecture document.

  1. 1Your warehouseSnowflake, BigQuery, Redshift, Postgres, SQL Server, Oracle…
  2. 2Semantic layer (yours, optional)dbt, Cube, Looker semantic models
  3. 3Rahoto runtimeCompose, validate, render, audit
  4. 4Delivery surfacesSlack, email, PDF, custom-domain viewer, embedded

Procurement

We can answer the questionnaire.

Contracts

  • Custom MSA on request
  • DPA template available on request
  • Net-30 / Net-60 / annual billing
  • Order forms via DocuSign

Pricing

  • Per-seat or platform pricing
  • Volume tiers above 50 seats
  • Annual prepay discount
  • Pilot pricing for design partners

Implementation

  • SSO + SCIM wired in your first session
  • BYOK configured before first production report
  • Custom-domain delivery in week one
  • Migration help from existing tools

Security questionnaire

Bring your runtime under enterprise control.

Talk to our enterprise team about your data perimeter, identity stack, and reporting calendar. We'll work out residency, BYOK, and SCIM mapping before you sign anything.

Prefer email? [email protected]