Bring Your Own Key (BYOK)
raum does not process your customer data through our AI accounts. When you connect an OpenAI, Anthropic, or Google Gemini account, you provide your own API key. Your ticket data flows from Zendesk through raum’s processing pipeline — where PII is masked — and then directly to your AI provider. It never transits through a raum-owned AI account. This means your AI provider’s data policies apply directly to your data, and you maintain a direct relationship with the provider you’ve chosen.
Your AI API keys are encrypted at rest using AES-256-GCM via AWS KMS before storage. They are never stored in plaintext.
PII redaction
Before any ticket content is sent to the AI, raum automatically detects and replaces personally identifiable information with placeholders. The AI receives [REDACTED_NAME] instead of a customer’s name, [REDACTED_EMAIL] instead of an email address, and so on. The original values are held in memory during the processing pipeline and restored in the final reply — so the AI’s response reads naturally, but the AI itself never processed the raw personal data.
Redaction also applies to logs. Personal information that appears in ticket content is masked in raum’s audit logs, so sensitive customer details don’t appear in plain text in your log storage.
What gets masked:
- Names
- Email addresses
- Phone numbers
- Credit card numbers
- Other common PII patterns
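The mask-then-restore flow described above, as an added sketch that is not raum's code. It covers emails, card numbers and phone numbers only; the regexes, the function names, and the numeric suffix on placeholders (needed so that several values of one kind can be restored unambiguously) are assumptions.

```python
import re

# Illustrative detectors (assumptions); names need NER and are left out here.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
PHONE = re.compile(r"\+?\d[\d ().-]{7,}\d")

def luhn_ok(candidate):
    """Luhn checksum: only digit runs that pass are labelled as cards."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact(text):
    """Return (masked_text, vault); vault maps placeholder -> original and
    should live only in memory for the lifetime of one ticket."""
    vault, seen = {}, {}
    def mask(kind, pattern, text, accept=None):
        def repl(m):
            value = m.group(0)
            if accept and not accept(value):
                return value                # not this kind; later passes may mask it
            if value not in seen:           # same value -> same placeholder
                n = sum(t.startswith(f"[REDACTED_{kind}_") for t in vault) + 1
                seen[value] = f"[REDACTED_{kind}_{n}]"
                vault[seen[value]] = value
            return seen[value]
        return pattern.sub(repl, text)
    text = mask("EMAIL", EMAIL, text)
    text = mask("CARD", CARD, text, luhn_ok)  # before PHONE: phone regex also fits cards
    text = mask("PHONE", PHONE, text)         # Luhn failures end up here (fail closed)
    return text, vault

def restore(reply, vault):
    """Swap placeholders in the model's reply back to the original values."""
    for token, value in vault.items():
        reply = reply.replace(token, value)
    return reply

# Constructed sample ticket and a constructed stand-in for the model's reply.
TICKET = ("Hi, I'm at jane.doe@example.com, card 4111 1111 1111 1111, "
          "phone +1 415 555 0100. Order 40021 is late.")
AI_REPLY = "We will email [REDACTED_EMAIL_1] and call [REDACTED_PHONE_1] about order 40021."
```

The masked text returned by `redact` is also what should be written to logs; the vault itself should never be logged or persisted.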
Encryption at rest
All credentials, API keys, and sensitive configuration stored in raum are encrypted using AES-256-GCM, managed through AWS KMS. Encryption keys are rotated automatically on a regular schedule with no service interruption. Access to KMS operations is controlled by strict IAM policies following least-privilege principles.
AES-256-GCM
The encryption standard used by banks and governments. Applied at the field level to credentials and API keys.
Automatic key rotation
Encryption keys are rotated on a schedule managed by AWS KMS. You don’t need to manage this manually.
Data isolation
Every customer’s data is isolated at the database level. Your procedures, knowledge base, analytics, API keys, and configuration are stored and queried under your organization ID. No query crosses account boundaries. There is no shared data pool between customers. This isolation is enforced at the application layer — every data access in raum requires an organizationId filter — and at the infrastructure layer through separate database namespacing.
Audit trail
Every action taken in raum is logged. The audit trail covers:
- AI operations: every response generated, translation performed, ticket resolved, or grammar correction applied
- Admin actions: settings changes, user modifications, API key rotations, and permission changes
- Data access: every authenticated request, with the source IP address recorded
Admin impersonation — where an admin acts on behalf of another user — is fully logged with the impersonating admin’s identity recorded alongside the action.
Role-based access control (RBAC)
raum enforces role-based access control across all accounts. Different roles have different levels of access to configuration, analytics, user management, and sensitive operations. Roles are assigned per user within your organization. Access to sensitive operations — including simulation mode, API key management, and user impersonation — is restricted to organization admins.
Authentication
- API key authentication: Bearer token authentication at the organization level, used by the Zendesk app and API integrations
- JWT tokens: Session management for dashboard access, with standard expiry and refresh controls
- Domain whitelist: You can restrict which domains are permitted to make API calls on behalf of your organization