Last Updated: August 5th, 2025


At Rome, safeguarding customer data is a core responsibility. We implement industry-leading security practices to ensure the confidentiality, integrity, and availability of our systems and the data entrusted to us. This document outlines how we handle data storage, encryption, and compliance.

Data Storage

  1. Infrastructure: Customer data is stored in Amazon Web Services (AWS) S3 and DynamoDB, with encryption enforced both at rest and in transit.
  2. Tenant Isolation: Each customer’s data is isolated in a dedicated AWS account. These environments are secured according to CIS Benchmarks and are regularly assessed by independent third parties.
  3. Access Control: Access to stored data is restricted to Rome’s compute services and, in exceptional cases, authorized personnel. All access is authenticated and tightly scoped to minimize exposure.
  4. Audit & Monitoring: All data access is logged. Unexpected or suspicious access attempts trigger immediate alerts to our Data Protection Officer. If necessary, access can be revoked in real time, and customers are notified promptly.
  5. Data Handling: Customer data is never shared, reused, or used to train models for other customers. Each customer retains exclusive control over their data and its usage.

Encryption

  1. At Rest: Data is encrypted at rest using strong, industry-standard algorithms and per-customer encryption keys managed by AWS KMS.
  2. In Transit: All data in transit is encrypted using secure protocols (TLS/SSL). Communications between internal systems, customer endpoints, and storage services are secured end-to-end.

Compliance

  1. SOC 2 Type II: Rome is in full compliance with SOC 2 Type II requirements. This framework demonstrates our adherence to rigorous controls around security, availability, and confidentiality. Contact us to receive more documentation.
  2. GDPR & International Data Transfers: Rome supports full compliance with GDPR. For international data transfers, we are certified under the U.S. Department of Commerce’s Data Privacy Framework, ensuring adequacy for personal data from the EU, UK, and Switzerland. This framework guarantees that our U.S.-based processing meets or exceeds the data protection standards of those jurisdictions. Contact us to receive more documentation.

We continuously monitor and evolve our security posture to stay ahead of emerging threats. Our security team conducts regular assessments, penetration tests, and vulnerability scans to proactively detect and remediate risks.

For further information, please contact our security team at [email protected].

List of Authorized Subprocessors

Company                              Description                          Country (where subprocessing takes place)
Amazon Web Services, Inc. (AWS)      Cloud Infrastructure                 United States
Google Cloud                         Cloud Infrastructure – Alternative   United States
Microsoft Azure                      Cloud Infrastructure – Alternative   United States
Cloudflare, Inc.                     Web Application Security             United States
OpenAI, LLC                          Artificial Intelligence              United States
Anthropic PBC                        Artificial Intelligence              United States
Functional Software, Inc. (Sentry)   Error Monitoring                     United States
PostHog, Inc.                        Product Analytics                    United States
Intercom, Inc.                       Customer Support                     United States
Reducto, Inc.                        Optical Character Recognition        United States
Twilio, Inc.                         Communication Services               United States