Security through architecture, not badges.

We are a small vendor without a certification wall — yet. So instead we explain exactly how the system is built, what protects your data, and what we don’t have. Regulated buyers deserve the real picture.

Architecture

Most of ROPARC’s security properties are structural — they come from how the system stores and isolates data, not from a checklist applied afterwards.

One process per organization

Each organization runs in its own backend process with its own data directory. There is no shared application process between tenants: a request for your organization is only ever handled by your organization’s process, and that process can only see your organization’s data directory. Each process also gets its own randomly generated session-signing secret at spawn time.

Git is the source of truth

Every requirement, document, link, review, and baseline is a commit in a real Git repository. Git’s content-addressed history makes the audit trail tamper-evident by construction: changing a past record changes every commit hash after it. History and baselines are not a logging feature we added — they are how the data is stored.
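As an added illustration (not ROPARC's code), the sketch below recomputes Git object ids with plain SHA-1, the way Git does for its default object format, and shows that editing the first record changes every later commit id. The file name REQ-1.md, the author identity, the timestamps and the record contents are constructed for the example.

```python
import hashlib

def git_hash(kind: str, body: bytes) -> str:
    # Git object id: SHA-1 over "<kind> <size>", a NUL byte, then the body.
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()

def commit_chain(records):
    """Commit one file per revision; return the commit ids, oldest first."""
    ids, parent = [], None
    for n, (message, content) in enumerate(records):
        blob = git_hash("blob", content)
        # Tree entry: "<mode> <name>", NUL, then the raw 20-byte blob id.
        tree = git_hash("tree", b"100644 REQ-1.md\0" + bytes.fromhex(blob))
        # Fixed, constructed identity and dates keep the run deterministic.
        who = f"Example User <user@example.invalid> {1700000000 + n} +0000"
        lines = [f"tree {tree}"]
        if parent:
            lines.append(f"parent {parent}")  # this line chains the history
        lines += [f"author {who}", f"committer {who}", "", message, ""]
        parent = git_hash("commit", "\n".join(lines).encode())
        ids.append(parent)
    return ids

def first_divergence(trusted, observed):
    """Index of the first commit whose id differs, or None if identical."""
    for i, (a, b) in enumerate(zip(trusted, observed)):
        if a != b:
            return i
    shorter = min(len(trusted), len(observed))
    return None if len(trusted) == len(observed) else shorter

HISTORY = [  # constructed sample history of one requirement
    ("Add REQ-1", b"The pump shall stop within 2 s.\n"),
    ("Review REQ-1", b"The pump shall stop within 2 s. Reviewed.\n"),
    ("Baseline 1.0", b"The pump shall stop within 2 s. Baselined.\n"),
]
# Same later revisions, but the oldest record has been edited after the fact.
TAMPERED = [("Add REQ-1", b"The pump shall stop within 5 s.\n")] + HISTORY[1:]

if __name__ == "__main__":
    good, bad = commit_chain(HISTORY), commit_chain(TAMPERED)
    for g, b in zip(good, bad):
        print(g[:12], b[:12], "same" if g == b else "CHANGED")
    print("first divergence at commit", first_divergence(good, bad))
```

The comparison only detects tampering against a head commit id recorded somewhere the editor of the history cannot also change, such as a signed tag or a clone you took earlier.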

Databases are derived, not authoritative

SQLite and DuckDB serve queries, but they are indexes built from the Git repositories. They can be wiped and rebuilt from Git at any time without data loss. A corrupted index is an inconvenience, not an incident.

Your data, your exit

Your data lives in standard Git repositories containing plain-text files. That is not an export format we maintain on the side — it is the primary storage. You can take a full copy of your repositories at any time, read them with ordinary tools, and keep complete history including every change and who made it.

If you leave, you leave with everything. There is no proprietary database to extract from and no per-record export API to script against. This also aligns with the EU Data Act’s requirements on switching between data processing services: portability is a property of the architecture, not a contractual promise.

Authentication & access control

Passwords

Stored as bcrypt hashes. We never store or log plaintext passwords.

Sessions

Signed JSON Web Tokens with an expiry. No long-lived ambient sessions.

Organization roles

Membership and role are checked at the platform edge before a request reaches your organization’s process.

Workarea RBAC

Inside an organization, permissions are flat resource:verb grants (e.g. items:edit) assigned per workarea role. Grants can carry a query predicate, so a role can be scoped to exactly the items it should touch — not just “all or nothing”.

Workflow guards

Status changes go through workflow transitions, which can carry guards that block invalid moves. There is no edit-form back door around your process.

Single sign-on & SCIM

Organizations can authenticate through OpenID Connect (OIDC) single sign-on and provision users automatically with SCIM 2.0, configured per organization. Email-and-password remains available alongside it.

Hosting & data residency

ROPARC is operated by a Swedish company and hosted on Hetzner Online infrastructure in Finland. Customer data stays in the EU/EEA. The third parties we use — and exactly what data each one touches — are listed on the sub-processor page; processing terms are in our Data Processing Addendum, which applies to every plan.

What we don’t have yet

We publish this list because regulated buyers deserve to know it before they ask. If something here matters for your procurement, tell us — it directly affects our priorities.

SOC 2 / ISO 27001 certification

Planned, not started

We intend to pursue certification as the company grows. Today you get this page, our architecture, and direct answers from the engineers who built it — not an auditor’s letter.

External penetration test

Planned before GA

An independent security firm will test the platform before general availability. We will share a summary of the results with customers under NDA.

Isolation hardening

Ongoing

Process-per-organization is the foundation; additional OS-level tenant isolation hardening (per-process resource limits and sandboxing) is planned as we scale.

Responsible disclosure

Found a vulnerability? Email [email protected]. We commit to acknowledging your report within 72 hours.

We will not take legal action against good-faith security research. Test against your own data, don’t access other customers’ data, and give us reasonable time to fix what you find — we’ll handle the rest, and we’ll credit you if you want.