Compliance and certifications
| Standard | Status |
|---|---|
| ISO/IEC 27001:2022 | Certified. Covers infrastructure, applications, systems, and data handling. |
| GDPR | Fully compliant. A Data Processing Agreement (DPA) is signed with every customer. |
| HIPAA | Compliant. Business Associate Agreements (BAA) are available on request. |
| CCPA | Compliant. Realm acts as a service provider and does not sell or share customer data. |
| EU AI Act | Classified as a Limited Risk system. |
Data residency and encryption
All customer data can be stored and processed within the EU, on Google Cloud Platform infrastructure in Finland (europe-north1) and the Netherlands (europe-west4). Geo-redundant backups are stored in the Netherlands.
| Protection | Standard |
|---|---|
| Encryption in transit | TLS 1.2 or higher for all communication |
| Encryption at rest | AES-256 or better, managed via GCP. API keys are additionally AES-256 encrypted before storage. |
AI models and data privacy
By default, Realm uses a mix of US- and EU-based large language models. On request, we can configure your environment to use EU-only language models. Realm uses private, enterprise-grade LLM endpoints with zero-data-retention policies. Customer data is never used to train, develop, or improve any AI models.
Permission model
Realm's search is permission-aware. For sources like Slack, Google Drive, and SharePoint, Realm syncs the full permission structure, including nested groups and role-based access. Users only see search results and chat responses drawn from data they are allowed to access in the original system. Due to API limitations, some data sources, such as HubSpot and Notion, use a user-level access check (the user has a matching account in that source) rather than document-level permissions, so any user with a matching account can see what Realm has indexed from that source. See the Permissions section in the data sources guide for details.
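The two access-check styles described above, shown as an added example that is not Realm's code. It assumes a document-level source attaches an ACL of user and group principals to each indexed document (groups may nest, and may even form a cycle), that a user-level source only knows whether the searching user holds an account there, and that documents from an unrecognised source are denied. The group graph, accounts and result set are constructed sample data.

```python
"""Permission-aware result filtering with nested group expansion.

Added illustration, not Realm's code. Assumptions (not from the page):
- document-level sources: each indexed document carries an ACL of principals,
  "user:<id>" or "group:<id>"; groups may contain other groups and may cycle;
- user-level sources: the connector only knows whether the searching user has an
  account there, so every indexed document from that source is visible to any
  user with a matching account;
- anything from an unrecognised source is denied (fail closed).
"""
from dataclasses import dataclass

DOCUMENT_LEVEL_SOURCES = {"slack", "gdrive", "sharepoint"}
USER_LEVEL_SOURCES = {"hubspot", "notion"}


@dataclass(frozen=True)
class Doc:
    doc_id: str
    source: str
    acl: frozenset = frozenset()  # principals allowed to read; empty for user-level sources


def expand_group(group: str, groups: dict) -> set:
    """Return every user transitively contained in `group`, tolerating cycles."""
    users, stack, seen = set(), [group], set()
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in groups.get(current, ()):
            if member.startswith("group:"):
                stack.append(member)
            else:
                users.add(member)
    return users


def groups_of_user(user: str, groups: dict) -> set:
    """Every group the user belongs to, directly or through nesting."""
    return {g for g in groups if user in expand_group(g, groups)}


def can_see(user: str, doc: Doc, groups: dict, accounts: dict) -> bool:
    """Decide visibility of one document for one user."""
    if doc.source in USER_LEVEL_SOURCES:
        # Source-level check only: a matching account grants every document from it.
        return doc.source in accounts.get(user, set())
    if doc.source in DOCUMENT_LEVEL_SOURCES:
        principals = {user} | groups_of_user(user, groups)
        return bool(doc.acl & principals)
    return False  # unknown source: deny rather than leak


def filter_results(user: str, results: list, groups: dict, accounts: dict) -> list:
    """Apply the per-document decision to a ranked result list, preserving order."""
    return [d.doc_id for d in results if can_see(user, d, groups, accounts)]


# Constructed sample data: a nested (and deliberately cyclic) group graph,
# the source accounts each user holds, and a mixed result set.
GROUPS = {
    "group:eng": {"user:alice", "group:platform"},
    "group:platform": {"user:bob", "group:sre"},
    "group:sre": {"user:carol", "group:eng"},  # cycle back to eng
    "group:finance": {"user:dave"},
}
ACCOUNTS = {
    "user:carol": {"slack", "gdrive", "hubspot"},
    "user:dave": {"gdrive", "notion"},
}
RESULTS = [
    Doc("slack:C-eng-announcements", "slack", frozenset({"group:eng"})),
    Doc("gdrive:budget-2025", "gdrive", frozenset({"user:dave", "group:finance"})),
    Doc("hubspot:deal-42", "hubspot"),
    Doc("notion:roadmap", "notion"),
    Doc("legacy:export-1", "legacy"),  # source the model does not know
]

if __name__ == "__main__":
    for user in ("user:carol", "user:dave"):
        print(user, "->", filter_results(user, RESULTS, GROUPS, ACCOUNTS))
```

Two points worth noticing: carol reaches the Slack channel only because group expansion follows eng -> platform -> sre, so a sync that copied direct members only would hide it from her; and for a user-level source the filter never looks at the document, so what an admin connects to HubSpot or Notion is exactly what every account holder can query.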
Access control
Authentication
Realm supports multiple sign-in methods. See Login Methods for details.
| Method | Description |
|---|---|
| Google SSO | OAuth sign-in with Google |
| Microsoft SSO | OAuth sign-in with Microsoft |
| SAML 2.0 | Enterprise SSO through your identity provider |
| Email and password | Standard email-based sign-in |
Roles
Every user is assigned a role that determines what they can see and do. Roles are managed on the Users page.
| Role | Access level |
|---|---|
| Admin | Full access to all features and settings |
| Full Member | All features except admin settings |
| Collaborator | Chat, search, and RFP editing only |
Session management
Admins can force sign-out of individual users from the Users page. Organization-wide session policies (automatic session expiration and idle timeouts) are available on request. Contact support@withrealm.com to configure these.
API token security
API tokens are scoped and can be set to expire on a specific date. By default, only admins can create and manage tokens. See API Keys for details.
Data retention
Customer data is retained for the duration of the customer relationship. Upon contract termination, all data is erased. You can also request deletion of specific data on demand; it is purged from search indexes within an hour. Encrypted backups are retained for up to 90 days after termination before being automatically deleted.
Infrastructure
Realm runs on Google Cloud Platform (GCP). Backend systems, databases, and search indexes are not publicly accessible. The architecture uses VPC peering for database access and Kubernetes network policies to isolate internal traffic. A managed Web Application Firewall (WAF) is in place. Realm undergoes annual third-party penetration testing and quarterly internal security audits, and runs continuous vulnerability scanning on its codebase.
Deployment models
| Model | Description |
|---|---|
| Single-tenant | Dedicated infrastructure with isolated application servers, databases, and search indexes. Available for enterprise customers. |
| Multi-tenant | Strict logical separation of customer data using unique customer identifiers. |
Incident response
Realm has a documented incident response framework adapted from NIST and SANS guidelines. In the event of a data breach, Realm notifies the affected customer without undue delay.
For security questions or to request documentation (DPA, BAA, penetration test reports), contact support@withrealm.com or visit our Drata trust center.