TomatoRTC

Zero trust at every layer. Full audit chain. Your infrastructure.

For CISOs, InfoSec reviewers, and enterprise procurement teams. Controls available today versus roadmap are called out explicitly throughout.

Data isolation Transport encryption Auth & authz Audit logging Network hardening

Data isolation

Hard tenant-namespace partitioning at every layer.

Multi-tenant architecture enforces isolation at the signaling server, storage adapter, worker supervisor, and Admin API — not just at the application boundary.

  • Room namespace Every room ID is prefixed with tenantId, enforced by the signaling server. Cross-tenant join is rejected even with a valid token.
  • Storage Chat history, audit logs, and session records in tenant-scoped collections or table-prefixed schemas (MongoDB, Postgres, or schema-per-tenant).
  • Worker isolation AI workers are scoped to a single room. The supervisor API validates tenant match before spawning.
  • Admin API Cross-tenant queries blocked even for admin tokens without an explicit scope: "global" claim — Enterprise-only.

Transport encryption

All real-time media protected by the WebRTC security stack.

Layer
Mechanism
Notes
ICE connectivity
STUN/TURN with RFC 7675 consent refresh
Credentials short-lived, tenant-scoped, and metered per allocation
Key exchange
DTLS 1.2/1.3 with ECDHE
Fingerprint verified — no unauthenticated DTLS accepted
Media frames
SRTP with AES-128-CM
Derived per-session from DTLS handshake
Signaling channel
WSS (TLS 1.2+ required)
HTTP → HTTPS redirect enforced in all example configurations

End-to-end encryption

Application-layer E2EE via Insertable Streams / Encoded Transform.

Chromium 94+ and Edge 94+ supported. Safari support is partial — verify before committing to E2EE for mobile-web scenarios.

Frame transform

FrameEncryptionTransform encrypts encoded frames before packetization using AES-GCM with a caller-supplied key.

SFU transparency

The SFU routes encrypted packets but has no access to application-layer keys. TomatoRTC infrastructure cannot decrypt E2EE media.

Key distribution Roadmap

Frame transform layer is shipped. Full key distribution protocol (MLS or DH ratchet) is on the roadmap — not yet in platform. Integrators supply their own out-of-band key exchange today.

Auth & authz

Bring your own identity. Authorization enforced at the handler, not just admission.

TomatoRTC validates tokens — it does not issue or store identities. Supported: HS256 (dev), RS256 JWKS (production), OIDC discovery for automatic key rotation.

Identity — BYO IdP

Token claims: sub, iss, aud, exp, tenantId, roomId (optional pre-bound), role (host | participant | observer), capabilities[]. No identity storage on TomatoRTC servers.

Authorization — RBAC

Enforced at signaling message handler level. A participant token cannot call publishScreen if room policy disables screenshare. Admin API requires a separate admin-scoped token. Short-link tokens are single-use and revocable via Admin API.

Audit logging

All significant platform events logged to a tamper-evident audit chain.

Hash-linked records make truncation or modification detectable. Export adapters support Splunk, generic webhook, and OpenTelemetry.

  • Hash chain Each record carries a SHA-256 hash linking to the prior record. Truncation or modification breaks the chain verifiably.
  • Events logged Room create/join/leave/destroy · Participant publish/subscribe · Admin API calls · Token validation failures · TURN allocation events · AI worker spawn/teardown.
  • SIEM export NDJSON via GET /admin/audit/export · Splunk HEC and generic webhook adapters included · OpenTelemetry spans emitted for all server actions.
  • Redaction Support bundle exports strip tokens, auth headers, TURN secrets, and HMAC credentials before logs leave the client footprint.

Network & deployment hardening

Deployment controls available today, proposed, and out of scope.

Control
Available
Notes
TLS for all endpoints
HTTPS/WSS with cert injection; HTTP redirect middleware included
CORS origin allowlist
Configurable per-tenant in signaling server env
Rate limiting
Per-IP join rate and message rate cap via env
TURN relay enforcement
FORCE_RELAY=true; per-room ICE policy override via Admin API
Kubernetes network policy
Example NetworkPolicy manifests in deploy/kubernetes/
Air-gap / offline licensing
WASM validator works offline — no license server call required
mTLS for internal services
Proposed
Cross-service mTLS on roadmap; manual cert injection supported now
FIPS 140-2 crypto mode
Not in scope
Native WebCrypto / Node crypto used; FIPS build variant not offered

Compliance & pen testing

Compliance evidence, data residency, and pen-test coordination.

TomatoRTC software does not transmit customer data to TomatoRTC servers — all data stays in your deployment.

SOC 2

TomatoRTC does not currently hold SOC 2 certification. Compliance add-on (+$35k/yr) provides SOC 2 evidence kit, hardened templates, and pen-test coordination — see certification readiness deck.

GDPR / data residency

TomatoRTC software does not transmit customer data to TomatoRTC servers. For managed deployments, region selection and data residency configuration are your responsibility.

Pen-test coordination

Enterprise license holders can arrange guided penetration testing against a dedicated test environment. Contact your TAM to schedule.

Security contact

Coordinated disclosure. 90-day policy. 7-day target for critical issues.

  • Report to security@tomatortc.com — include affected version, reproduction steps, and impact assessment.
  • Disclosure policy 90-day coordinated disclosure window. We work with reporters to validate and patch before public disclosure.
  • Critical patch target 7 business days from confirmed critical vulnerability report to patch release.

Next steps

Start your security review.

  1. Review your threat model

    Map your specific controls requirements against the hardening table on Slide 7.

  2. Request the compliance evidence kit

    Available with the SOC 2 add-on (+$35k/yr) — includes hardened deployment templates and pen-test coordination.

  3. Schedule a security review call

    Enterprise license holders get TAM-guided pen-test access against a dedicated test environment.