Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.rootkey.ai/llms.txt

Use this file to discover all available pages before exploring further.

ROOTKey is infrastructure for critical data integrity. Security is not a feature - it is the foundation of the product. This page documents the technical security controls, data handling practices, and compliance posture that underpin the platform.

Transport Security

All API communication is encrypted in transit using TLS 1.2 or higher. Connections using older TLS versions or plain HTTP are rejected at the network boundary.
ControlImplementation
ProtocolTLS 1.2+
Certificate authorityPublicly trusted CA
HSTSEnforced
HTTP → HTTPS redirectEnforced

Authentication and API Key Security

API keys are the authentication primitive for the ROOTKey API. Each key is:
  • Scoped to a specific workspace and environment (sandbox or live)
  • Non-recoverable after generation - store securely at creation time
  • Revocable at any time from the ROOTKey platform dashboard
  • Not transmitted in URLs - always sent as an HTTP header (x-api-key)
Recommendations for key management:
  • Store API keys as environment secrets or in a secrets manager (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault)
  • Never commit API keys to version control
  • Rotate keys on a defined schedule and immediately after any suspected exposure
  • Use separate keys for sandbox and production environments
  • Restrict key access to services that require it - do not share keys across applications

Data Security

Cryptographic integrity

Every data asset anchored through ROOTKey receives a SHA-256 hash of its content. This hash is written to the Polygon blockchain as part of the operation record. The hash is:
  • Computed on the original payload before any processing
  • Immutably recorded on-chain with a block timestamp
  • Independently verifiable by any party with access to the original data and blockchain

Data at rest

Off-chain data (used in RKP-2 and RKP-3) is stored with encryption at rest. Encryption keys are managed by ROOTKey’s key management infrastructure and are not accessible to end users or third parties.

Data residency

By default, ROOTKey’s cloud infrastructure processes and stores data within defined geographic regions. Enterprise clients with data residency requirements can select regional deployments or opt for on-premise deployment to retain full control over data location.

Personal data

ROOTKey’s API does not require personal data as part of its core operations. If personal data is submitted as part of a payload:
  • It is handled in accordance with the Privacy Policy
  • Clients are responsible for ensuring that personal data submitted via the API complies with applicable data protection regulations (GDPR, etc.)
  • For RKP-1 (Full On-Chain), personal data should not be written directly to the blockchain - use hashing patterns to ensure GDPR erasure compatibility

Blockchain Security

ROOTKey anchors records to the Polygon blockchain (Mainnet) - a public, permissionless blockchain secured by a distributed validator network.
PropertyValue
BlockchainPolygon (Mainnet)
ConsensusProof of Stake
Record immutabilityGuaranteed by blockchain consensus
Third-party verifiabilityAny party can verify via Polygonscan
Single point of failureNone - decentralised validator network
Records written to the blockchain cannot be altered, deleted, or suppressed by ROOTKey or any third party. Verification does not require trust in ROOTKey.

Zero-Trust Architecture

ROOTKey operates on a zero-trust model at the data layer:
  • Neither the data owner nor ROOTKey can alter a record once it has been anchored
  • Validation is performed against the on-chain proof - not against ROOTKey’s internal systems
  • For RKP-1, verification requires no ROOTKey infrastructure at all
This means ROOTKey’s availability, continuity, or trustworthiness does not affect the verifiability of previously anchored records.

Compliance Posture

FrameworkStatus
NIS2 DirectiveAlignment in progress
ISO 27001Certification in progress
GDPRCompliant - see Privacy Policy
eIDASApplicable for qualified electronic evidence workflows
ROOTKey is actively pursuing NIS2 alignment and ISO 27001 certification. Compliance documentation, architecture diagrams, and security questionnaire responses are available to enterprise clients under NDA. Contact contact@rootkey.ai to request security documentation.

Penetration Testing and Security Reviews

ROOTKey conducts regular internal security reviews. Enterprise clients may request security documentation including:
  • Architecture diagrams and data flow maps
  • Security questionnaire responses (SIG Lite, CAIQ, or custom)
  • Evidence of security controls for vendor risk assessments
Contact contact@rootkey.ai to initiate a security review.

Responsible Disclosure

If you discover a security vulnerability in ROOTKey’s platform or API, please report it responsibly: Email: security@rootkey.ai We ask that you:
  • Report vulnerabilities privately before public disclosure
  • Allow reasonable time for investigation and remediation
  • Avoid accessing, modifying, or exfiltrating data beyond what is necessary to demonstrate the vulnerability
We commit to acknowledging reports within 5 business days and providing a resolution timeline within 15 business days.

Privacy Policy

How ROOTKey collects, uses, and protects personal information.

Terms and Conditions

Terms governing use of ROOTKey products and APIs.

Disclaimer

Limitations of liability and permitted use.

Cookies Policy

How ROOTKey uses cookies and similar technologies.