Rootd
Book a demo

Product / Security

Trust & security

Built multi-tenant from the first query.

Confidence comes from boundaries you can verify — tenant isolation, observability, and honest data states, designed in rather than bolted on.

Book a demo See the platform
TENANT · NORTHWIND
scoped twin store
query engineevery query tenant-scoped
TENANT · VOLTGRID
scoped twin store
Tenant-scopedevery single query
Auditedreads carry a trail
Stale-modeledloss is a state
Boundedno cross-tenant path

The boundaries

Six guarantees, designed in.

Tenant isolation

Every operator's twin lives in its own scope. One tenant's data is never reachable from another tenant's context.

Bounded queries

Every query is tenant-scoped at the boundary — there is no query path that spans tenants, by construction.

Observability

Ingestion, freshness, and twin state are monitored end-to-end, so degradation is seen, not discovered later.

Audited reads

Reads against the twin carry an audit trail — who read what, when, and in which tenant scope.

Data integrity

A dropped feed becomes a stale or offline state; the twin holds last-known values rather than vanishing.

Modeled connectivity

Connectivity is a designed state — online / stale / offline — never an error badge papering over missing data.

Isolation

No path between tenants.

Isolation isn't a setting you toggle — it's the shape of the query layer.

Multi-tenant by design

Each tenant, its own scope.

The query engine binds to a single tenant at the boundary. There is no supported path that reads across tenants — isolation holds because the alternative simply isn't expressible.

  • Per-tenant data scope
  • Boundary-enforced, not policy-only
  • Audited on every read
TENANT · NORTHWIND
scoped twin store
query engineevery query tenant-scoped
TENANT · VOLTGRID
scoped twin store
IsolationPer-tenant scope on every query; no cross-tenant path exists.
ReadsAudited and bounded; scoped to the calling tenant's context.
ConnectivityModeled as online / stale / offline, not dropped.
On feed lossTwin retains last-known state; freshness is surfaced.
Honest about gaps. When connectivity is lost, Rootd models it as stale or offline and keeps the last-known twin state — it never silently drops data or hides the gap behind an error.

Verify the boundaries before you trust the signal.

We'll walk your team through tenant isolation, audit trails, and data integrity.

Book a demo Read the docs