Security is the posture of the whole platform, the people who run it, and the organizations that use it. This page is honest about what we commit to, what we hold ourselves to, and what we won't trade away. Specific architecture, cipher choices, and vendor topology are shared under NDA on the founding call.
Last updated · 2026-05-28
Our security posture.
We treat security as a posture, not a checkbox. Three principles drive every architectural decision:
Minimum necessary access. Every account, every record, every privilege is scoped to the smallest possible footprint that still lets people do their jobs.
Defense in depth. No single control is allowed to be the only thing between an attacker and your data. Encryption, authentication, audit, network segmentation, and monitoring layer on top of each other.
Recoverability over uptime. "Up" is necessary but not sufficient. The harder commitment is "if something goes wrong, you get your data back and you know what happened."
Identity & access.
Every account in Rooted OS authenticates against a single identity service. There is no shared "admin" account, no shared password, and no implicit trust between modules.
Single sign-on across every module with hardened session storage.
Multi-factor authentication required for director, pastor, and Olive Root Tech admin roles.
Role-based access control with five distinct roles: Olive Root Tech Admin, Organization Admin, Staff Member, Family/Parent, Managed IT Client.
Per-record scoping. A staff member at one site cannot see records at another site, even within the same organization.
Same-day deprovisioning when a staff member leaves; tracked in the activity log.
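The scoping rules above (no implicit trust between organizations, staff confined to their own site even inside one organization, MFA on the privileged roles) are easiest to reason about as a single deny-by-default authorization function. The following is an added example written for this page, not Rooted OS code: the five role names come from the list above, while the data model, the MFA requirement on Organization Admins (the directors and pastors the MFA bullet refers to), and the assumption that Managed IT clients hold no platform records are all assumptions.

```python
"""Per-record authorization with organization and site scoping.

Added example, not Rooted OS code. The five role names come from the page;
the data model, the MFA rule for organization admins, and the rule that
Managed IT clients hold no platform records are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional, Tuple


class Role(Enum):
    OLIVE_ROOT_TECH_ADMIN = "olive_root_tech_admin"
    ORGANIZATION_ADMIN = "organization_admin"
    STAFF_MEMBER = "staff_member"
    FAMILY_PARENT = "family_parent"
    MANAGED_IT_CLIENT = "managed_it_client"


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: Role
    org_id: Optional[str]                     # None only for the vendor admin role
    site_ids: FrozenSet[str] = frozenset()    # sites a staff member is assigned to
    family_id: Optional[str] = None           # set for Family/Parent accounts
    mfa_verified: bool = False


@dataclass(frozen=True)
class Record:
    record_id: str
    org_id: str
    site_id: str
    family_id: Optional[str] = None           # set when a family may see it


STAFF_ACTIONS = frozenset({"create", "read", "edit", "export"})


def authorize(p: Principal, r: Record, action: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny by default; each rule opts in explicitly."""
    if action not in STAFF_ACTIONS:
        return False, "unknown action"
    if p.role is Role.OLIVE_ROOT_TECH_ADMIN:
        # The only role that crosses organizations, so MFA is mandatory.
        return (True, "vendor admin") if p.mfa_verified else (False, "vendor admin without MFA")
    if p.org_id != r.org_id:
        # No implicit trust between organizations for any tenant role.
        return False, "cross-organization access"
    if p.role is Role.ORGANIZATION_ADMIN:
        # Assumption: org admins (directors, pastors) need MFA for protected records.
        return (True, "org admin") if p.mfa_verified else (False, "org admin without MFA")
    if p.role is Role.STAFF_MEMBER:
        # Per-record scoping: same org is not enough, the record's site must be theirs.
        if r.site_id not in p.site_ids:
            return False, "record belongs to another site"
        return True, "staff member at this site"
    if p.role is Role.FAMILY_PARENT:
        if action == "read" and r.family_id is not None and r.family_id == p.family_id:
            return True, "family reading its own record"
        return False, "family may only read its own records"
    # Managed IT clients hold no platform records (assumption).
    return False, "role has no access to platform records"


def demo() -> Dict[str, bool]:
    """Constructed sample: one org with two sites, staff assigned only to site-a."""
    staff = Principal("u-staff", Role.STAFF_MEMBER, "org-1", frozenset({"site-a"}))
    own_site = Record("rec-1", "org-1", "site-a")
    other_site = Record("rec-2", "org-1", "site-b")
    other_org = Record("rec-3", "org-2", "site-a")
    return {
        "own_site": authorize(staff, own_site, "read")[0],
        "other_site": authorize(staff, other_site, "read")[0],
        "other_org": authorize(staff, other_org, "read")[0],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the shape is that every branch must say yes explicitly; falling off the end is a denial, so adding a sixth role later cannot accidentally grant access.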
Data protection.
Protected records — pastoral care notes, child medical records, family contact details, financial records — are encrypted at rest with strong, industry-standard ciphers. Public content (the marketing website, public org pages) is intentionally not encrypted.
Data in motion uses modern transport-layer encryption end to end. We don't terminate TLS at intermediate proxies that re-encrypt with weaker ciphers.
What we won't encrypt: the activity log itself. Encrypting an activity log defeats its purpose — auditors and inspectors need to read it.
Activity logging.
Every create, read or view, edit, and export of a protected record is logged with the user, timestamp, source IP, and the change that was made.
Append-only. No user — including Olive Root Tech admins — can edit or delete an audit-log entry.
Inspector-visible. Organization admins can export the activity log for state inspectors or external auditors. Cross-organization audit access requires explicit per-organization authorization.
Configurable retention per organization in the service agreement; seven years by default.
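"Append-only" is a promise about the log's own integrity, and an inspector receiving an export has no way to check it unless each entry is bound to the one before it. The following is an added example for this page, not Rooted OS code: the entry fields (user, timestamp, IP, the change made) come from the list above, while hash-chaining each entry to its predecessor with SHA-256 is an assumed implementation choice that makes any later edit or deletion show up when the export is verified.

```python
"""Append-only, tamper-evident activity log.

Added example, not Rooted OS code. The entry fields come from the page;
linking each entry to its predecessor by SHA-256 is an assumed design
choice that makes edits and deletions detectable on export.
"""
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64   # link value carried by the first entry


def _digest(entry: Dict[str, Any]) -> str:
    """Hash a canonical JSON encoding so key order and whitespace don't matter."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()


class ActivityLog:
    def __init__(self) -> None:
        self._entries: List[Dict[str, Any]] = []

    def append(self, *, user: str, action: str, record_id: str, ip: str,
               timestamp: str, change: Optional[Dict[str, Any]] = None) -> str:
        """The only write operation: no edit, no delete, not even for admins."""
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = {
            "seq": len(self._entries), "user": user, "action": action,
            "record_id": record_id, "ip": ip, "timestamp": timestamp,
            "change": change or {}, "prev": prev,
        }
        entry["hash"] = _digest(entry)
        self._entries.append(entry)
        return entry["hash"]

    def export(self) -> List[Dict[str, Any]]:
        """What an org admin hands to an inspector: a copy, never the live list."""
        return [dict(e) for e in self._entries]


def verify_chain(entries: List[Dict[str, Any]]) -> Tuple[bool, Optional[int]]:
    """Recompute every hash and link; return (ok, index of the first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("seq") != i or e.get("prev") != prev or _digest(body) != e.get("hash"):
            return False, i
        prev = e["hash"]
    return True, None


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Constructed sample: two entries, then an edit and a deletion after the fact."""
    log = ActivityLog()
    log.append(user="staff-7", action="read", record_id="care-note-42",
               ip="10.20.30.40", timestamp="2026-05-28T14:02:11Z")
    log.append(user="staff-7", action="edit", record_id="care-note-42",
               ip="10.20.30.40", timestamp="2026-05-28T14:03:05Z",
               change={"field": "follow_up", "old": "none", "new": "call Friday"})
    clean = log.export()
    edited = log.export()
    edited[0]["user"] = "someone-else"      # rewriting who read the note
    deleted = log.export()[1:]              # dropping the first entry
    return {"clean": verify_chain(clean), "edited": verify_chain(edited),
            "deleted": verify_chain(deleted)}


if __name__ == "__main__":
    print(demo())
```

One caveat a practitioner should keep in mind: a chain like this catches edits and deletions in the middle, but not truncation of the newest entries, since the remaining prefix still verifies. Closing that gap means recording the latest hash somewhere the log writer cannot reach, for example by including it in each export handed to the inspector.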
Backup & recovery.
The 3-2-1 rule, applied literally: three copies of every important record, on two storage types, with one copy geographically separated offsite.
Restore drill discipline. We run a full restore drill every quarter — pulling an offsite backup into a sandbox database and validating that the data actually restores correctly. We don't claim "backups work" without restoring from one. The most recent successful drill is recorded in our internal log.
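The drill described above only proves something if "restores correctly" is defined before the restore starts. The following is an added example for this page, not Rooted OS tooling: SQLite stands in for the real database so it runs offline, and the manifest of per-table row counts and content hashes recorded at backup time is an assumed format. It shows a backup taken with a manifest, the same file restored into a throwaway sandbox and compared, and what the comparison reports when a row has silently gone missing from the backup copy.

```python
"""Restore drill: pull a backup into a sandbox database and prove it matches.

Added example, not Rooted OS tooling. SQLite stands in for the real database;
the manifest of per-table row counts and content hashes is an assumed format.
"""
import hashlib
import os
import shutil
import sqlite3
import tempfile
from typing import Dict, List, Tuple

Manifest = Dict[str, Tuple[int, str]]


def table_checksums(conn: sqlite3.Connection) -> Manifest:
    """Row count and an order-independent content hash for every user table."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    manifest: Manifest = {}
    for name in names:
        rows = sorted(repr(r) for r in conn.execute(f'SELECT * FROM "{name}"'))
        h = hashlib.sha256()
        for row in rows:
            h.update(row.encode())
            h.update(b"\n")
        manifest[name] = (len(rows), h.hexdigest())
    return manifest


def take_backup(source: sqlite3.Connection, backup_path: str) -> Manifest:
    """Consistent online snapshot via the SQLite backup API, plus its manifest."""
    dest = sqlite3.connect(backup_path)
    source.backup(dest)
    manifest = table_checksums(dest)
    dest.close()
    return manifest


def restore_drill(backup_path: str, expected: Manifest) -> Tuple[bool, List[str]]:
    """Restore into an in-memory sandbox and compare against the manifest."""
    sandbox = sqlite3.connect(":memory:")
    backup = sqlite3.connect(backup_path)
    backup.backup(sandbox)                       # the actual restore step
    backup.close()
    problems: List[str] = []
    if sandbox.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
        problems.append("integrity_check")
    observed = table_checksums(sandbox)
    sandbox.close()
    for table in sorted(set(expected) | set(observed)):
        if expected.get(table) != observed.get(table):
            problems.append(table)
    return (not problems, problems)


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Constructed sample: a good backup, then the same file with a row removed."""
    prod = sqlite3.connect(":memory:")
    prod.executescript(
        "CREATE TABLE care_notes (id INTEGER PRIMARY KEY, family TEXT, note TEXT);"
        "INSERT INTO care_notes VALUES (1, 'fam-12', 'hospital visit');"
        "INSERT INTO care_notes VALUES (2, 'fam-15', 'follow up Friday');")
    prod.commit()
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "offsite.sqlite")
    try:
        manifest = take_backup(prod, path)
        good = restore_drill(path, manifest)
        damaged = sqlite3.connect(path)
        damaged.execute("DELETE FROM care_notes WHERE id = 2")   # silent data loss
        damaged.commit()
        damaged.close()
        bad = restore_drill(path, manifest)
    finally:
        prod.close()
        shutil.rmtree(workdir, ignore_errors=True)
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    print(demo())
```

The manifest is the part that makes the drill honest: a backup that opens cleanly and passes an integrity check can still be missing rows, and only a comparison against what was recorded at backup time will say so.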
Data residency.
All Rooted OS data lives in the United States. Application infrastructure, primary database, and offsite backups are all US-based. We do not currently offer EU or Canadian data residency.
If you're a US organization with cross-border families or members, the implications for your compliance posture are something we'll walk through on the founding call.
Assistant features & data sharing.
The workflow-aware assistant inside Rooted OS is scoped to a single organization's account. Protected records do not — and will not — train cross-organization models, embeddings, or fine-tunes.
Account-scoped context. The assistant sees only the requesting organization's data, never cross-org.
Protected records excluded from any model training pipeline, by architecture and by policy.
Auditable prompts. Every assistant query is logged in the activity log alongside the response.
Right to opt out. An organization can disable the assistant entirely from the admin dashboard.
Certifications & honest status.
We are explicit about what we hold and what we don't.
SOC 2 Type I: path scoped. Targeted for completion after twelve months of founding-cohort operation.
SOC 2 Type II: follows Type I plus twelve months of evidence.
FERPA workflows: the platform is engineered to support FERPA-aligned workflows. No software vendor is "FERPA certified" — that designation does not exist.
HIPAA workflows: the platform is engineered to support HIPAA-aligned workflows. A Business Associate Agreement is available for healthcare-adjacent use cases.
PCI DSS: not applicable. We do not process card payments inside Rooted OS.
What we will not say: we will not claim "fully compliant" with any framework unless and until we hold the formal certification. Vendor compliance language is a major source of confusion for community institutions — we'd rather be a small honest line on your audit than a big asterisk.
Managed IT security.
On the Managed IT side, security shows up as network segmentation, device management, and credential discipline rather than software controls.
Network segmentation by default. Staff, guests, cameras, and building devices each get their own separate network. If a guest laptop gets infected, it cannot reach the staff network or your records.
Remote device management on every staff device before it touches your network. Lost or stolen devices can be wiped remotely.
Centralized firewall & intrusion detection at the edge.
Same-day deprovisioning when staff leave: productivity-suite account, device enrollment, network credentials.
You own the hardware. If you ever leave the Managed IT contract, you walk out with credentials, configuration documentation, and a working network. No kill-switches, no licensing locks.
Responsible disclosure.
If you've identified a vulnerability in Rooted OS, our website, or any system we manage: