Security & compliance

Designed so the worst case is small.

Tokenization, key isolation, and least-privilege access are not bolted on — they are the substrate. A compromised analyst account leaks tokens, not customers.

Tokenize-at-ingest

Sensitive fields never land on the lake in cleartext. If an analyst dumps a table, they take tokens with them.

HSM-backed vault

Token keys live in FIPS 140-3 Level 3 HSMs. They never leave the boundary, and you can bring your own.

Zero-trust access

mTLS service identities and short-lived capabilities mean a stolen credential expires faster than an attacker can pivot.

Tenant isolation

Compute pools are not shared. Storage namespaces are not shared. Key material is not shared. Period.

Tamper-evident audit

Every read, reveal, policy change, and key rotation lands in a hash-chained ledger that can be replicated off-platform.

Compliance, day one

SOC 2 Type II, ISO 27001, HIPAA, PCI DSS, and GDPR controls mapped to specific platform behaviors — not just policies.

Threat model

We assume the analyst is the breach.

The traditional lake assumes everyone with a query client is well-behaved. rjbase.io assumes the opposite: every query is a potential exfiltration attempt, and the system is designed so that the worst outcome is a pile of meaningless tokens.

  • Compromised credentials cannot detokenize without a fresh justification
  • Bulk reveals trigger rate-limited approvals and notifications
  • Engine-level masking — no client-side enforcement to forget
  • All inter-service traffic is mTLS; nothing inside is “trusted”

Certifications & attestations

SOC 2 · Type II
ISO 27001
HIPAA
PCI DSS
GDPR
CCPA

Reports available under NDA. Email security@rjbase.io.

Now in private preview

Tokenize your data. Keep your governance.

Talk to our team about an evaluation cluster. We typically have engineering partnerships running inside two weeks.

Request access Read the docs