
Security Architecture: Isolation, Encryption, and Control at Every Layer

Rilo isolates every organization's data, encrypts credentials, and enforces execution boundaries by default, not by configuration.


Security Architecture

Org Isolation

Your identifiable data is never accessible to other organizations. Rilo can learn across customers only through anonymized representations. Your raw data, task context, and credentials remain strictly org-scoped. Access failures default to blocking, not leaking.

Technical details

All identifiable data is partitioned by a 132-bit entropy identifier per organization. Access and routing failures are handled fail-closed: the system blocks entirely rather than falling back to a less-restricted state. Any cross-org learning uses anonymized, non-attributable representations. Raw customer data never crosses org boundaries.

Encryption

All data is encrypted at rest and in transit. Credentials are stored in AWS Secrets Manager with per-org secret references, never in plaintext.

Technical details

Credentials are stored in a dedicated secrets vault with AES-256 encryption, HSM-backed key management, and a cryptographic audit trail on every access event. Each organization's secrets are stored under isolated references. Access to one reveals nothing about another.

Prompt Injection Defense

LLM outputs are never executed directly. Tool calls are parsed and validated against a strict schema before dispatch. The model is a planner, not an executor.

Technical details

Tool parameters are typed and schema-validated before any execution occurs. Model-generated content is treated as untrusted input throughout the execution pipeline. No LLM output reaches external systems without passing through structured validation.

Capability Control Layer

Every task runs within an explicit capability envelope. Allowed tool lists and domain blocklists constrain each execution context. Blocked entries always win over allowed entries.

Technical details

Deny rules take unconditional precedence over allow rules. Per-org capability configuration lets customers restrict Rilo's operational scope to only the systems they've explicitly authorized. Enforcement happens centrally in the execution layer so it cannot be bypassed by individual tools.
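The sketch below is an added example, not Rilo's code. It combines the schema validation described under Prompt Injection Defense with the deny-over-allow envelope described here, and returns `None` (fail closed) on any error. The names `SCHEMAS`, `Envelope` and `authorize`, and the tool names, are hypothetical.

```python
import json
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical tool schemas: tool name -> {parameter name: required type}.
SCHEMAS = {
    "http_get": {"url": str},
    "send_email": {"to": str, "body": str},
}

@dataclass(frozen=True)
class Envelope:
    """Hypothetical per-org capability envelope."""
    allowed_tools: frozenset
    blocked_tools: frozenset = frozenset()
    blocked_domains: frozenset = frozenset()

def _domain_blocked(host, blocked):
    # A blocked entry also covers its subdomains.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)

def authorize(raw_model_output, env):
    """Return (tool, params) if the call may be dispatched, else None."""
    try:
        call = json.loads(raw_model_output)  # model text is untrusted input
        if not isinstance(call, dict) or set(call) != {"tool", "params"}:
            return None
        tool, params = call["tool"], call["params"]
        schema = SCHEMAS.get(tool) if isinstance(tool, str) else None
        if schema is None or not isinstance(params, dict):
            return None
        if set(params) != set(schema):  # no missing or extra parameters
            return None
        if any(type(params[k]) is not t for k, t in schema.items()):
            return None
        # Deny is checked first, so a tool on both lists is still blocked.
        if tool in env.blocked_tools or tool not in env.allowed_tools:
            return None
        if "url" in params:
            host = urlsplit(params["url"]).hostname
            if not host or _domain_blocked(host, env.blocked_domains):
                return None
        return tool, params
    except Exception:  # any parsing or validation error blocks the call
        return None

if __name__ == "__main__":
    # Constructed sample: a well-formed call to a blocked domain prints None.
    env = Envelope(frozenset({"http_get"}), blocked_domains=frozenset({"internal.example"}))
    print(authorize('{"tool": "http_get", "params": {"url": "https://db.internal.example/"}}', env))
```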

Credential Handling

Rilo uses invite flows and self-registration to acquire credentials. Credentials are scoped per org and never shared.

Audit Logging

Tool executions and credential access are logged with org context. Structured audit trails support compliance review and incident investigation.

Browser Session Isolation

Browser sessions are never reused across orgs. Each task gets an isolated session with circuit-breaker protection for provider failover.

Data Flow & Isolation

Every task flows through isolated execution contexts with strict org boundaries at every layer.

Need More Details?

Request a security questionnaire response or architecture whitepaper for your compliance review.