Zero trust at every layer. Full audit chain. Your infrastructure.
For CISOs, InfoSec reviewers, and enterprise procurement teams. Controls available today versus roadmap are called out explicitly throughout.
Data isolation
Hard tenant-namespace partitioning at every layer.
Multi-tenant architecture enforces isolation at the signaling server, storage adapter, worker supervisor, and Admin API — not just at the application boundary.
- Room namespace Every room ID is prefixed with tenantId, enforced by the signaling server. Cross-tenant join is rejected even with a valid token.
- Storage Chat history, audit logs, and session records in tenant-scoped collections or table-prefixed schemas (MongoDB, Postgres, or schema-per-tenant).
- Worker isolation AI workers are scoped to a single room. The supervisor API validates tenant match before spawning.
- Admin API Cross-tenant queries blocked even for admin tokens without an explicit scope: "global" claim — Enterprise-only.
Transport encryption
All real-time media protected by the WebRTC security stack.
End-to-end encryption
Application-layer E2EE via Insertable Streams / Encoded Transform.
Chromium 94+ and Edge 94+ supported. Safari support is partial — verify before committing to E2EE for mobile-web scenarios.
FrameEncryptionTransform encrypts encoded frames before packetization using AES-GCM with a caller-supplied key.
The SFU routes encrypted packets but has no access to application-layer keys. TomatoRTC infrastructure cannot decrypt E2EE media.
Frame transform layer is shipped. Full key distribution protocol (MLS or DH ratchet) is on the roadmap — not yet in platform. Integrators supply their own out-of-band key exchange today.
Auth & authz
Bring your own identity. Authorization enforced at the handler, not just admission.
TomatoRTC validates tokens — it does not issue or store identities. Supported: HS256 (dev), RS256 JWKS (production), OIDC discovery for automatic key rotation.
Token claims: sub, iss, aud, exp, tenantId, roomId (optional pre-bound), role (host | participant | observer), capabilities[]. No identity storage on TomatoRTC servers.
Enforced at signaling message handler level. A participant token cannot call publishScreen if room policy disables screenshare. Admin API requires a separate admin-scoped token. Short-link tokens are single-use and revocable via Admin API.
Audit logging
All significant platform events logged to a tamper-evident audit chain.
Hash-linked records make truncation or modification detectable. Export adapters support Splunk, generic webhook, and OpenTelemetry.
- Hash chain Each record carries a SHA-256 hash linking to the prior record. Truncation or modification breaks the chain verifiably.
- Events logged Room create/join/leave/destroy · Participant publish/subscribe · Admin API calls · Token validation failures · TURN allocation events · AI worker spawn/teardown.
- SIEM export NDJSON via GET /admin/audit/export · Splunk HEC and generic webhook adapters included · OpenTelemetry spans emitted for all server actions.
- Redaction Support bundle exports strip tokens, auth headers, TURN secrets, and HMAC credentials before logs leave the client footprint.
Network & deployment hardening
Deployment controls available today, proposed, and out of scope.
Compliance & pen testing
Compliance evidence, data residency, and pen-test coordination.
TomatoRTC software does not transmit customer data to TomatoRTC servers — all data stays in your deployment.
TomatoRTC does not currently hold SOC 2 certification. Compliance add-on (+$35k/yr) provides SOC 2 evidence kit, hardened templates, and pen-test coordination — see certification readiness deck.
TomatoRTC software does not transmit customer data to TomatoRTC servers. For managed deployments, region selection and data residency configuration are your responsibility.
Enterprise license holders can arrange guided penetration testing against a dedicated test environment. Contact your TAM to schedule.
Security contact
Coordinated disclosure. 90-day policy. 7-day target for critical issues.
- Report to security@tomatortc.com — include affected version, reproduction steps, and impact assessment.
- Disclosure policy 90-day coordinated disclosure window. We work with reporters to validate and patch before public disclosure.
- Critical patch target 7 business days from confirmed critical vulnerability report to patch release.
Next steps
Start your security review.
- 1 Review your threat model
Map your specific controls requirements against the hardening table on Slide 7.
- 2 Request the compliance evidence kit
Available with the SOC 2 add-on (+$35k/yr) — includes hardened deployment templates and pen-test coordination.
- 3 Schedule a security review call
Enterprise license holders get TAM-guided pen-test access against a dedicated test environment.