The model in one line
Roster is self-hosted and does not phone home. It reads your directory, resolves who, and writes an audit trail — all within your own network. There is no Roster cloud holding your data, no usage telemetry leaving your perimeter, and nothing to breach on our side because your data was never on our side.
Data residency & isolation
- Self-hosted, always. Roster ships as a single container (
advantys/roster) with embedded storage. It runs on-prem, in your private cloud, or in your public-cloud account — your choice, your infrastructure. - Your data stays put. Directory records, resolutions, audit history, and configuration live in your own mounted volume. Nothing is replicated to a vendor cloud.
- No phone-home. Roster does not transmit usage, telemetry, or directory data back to Advantys. License capacity is counted locally in your deployment.
- Air-gap capable. Roster can run fully disconnected from the public internet, paired with a model endpoint inside your network.
How Roster handles directory data
- Read-only at the source. Connectors (Microsoft Entra ID, Okta, Google Workspace, Workday, LDAP/LDAPS, CSV) read your directory. Roster never edits upstream accounts.
- Minimal by default. Raw provider payloads are not stored. Roster keeps only canonical fields it needs — display name, primary email, source ID, and explicitly allowlisted metadata.
- Cache-only sync. Scheduled refresh updates records you've already attached; it does not crawl or materialize your whole directory.
- Encrypted connector secrets. Outbound provider credentials are stored encrypted, under a key you control.
Authentication & access control
- SSO via your IdP. Microsoft Entra ID, Google, Okta, generic OAuth (OIDC), and SAML — human login runs through your identity provider.
- Scoped, least-privilege keys. API keys carry explicit
api:/mcp:scopes. Runtime access is the intersection of key scopes ∩ owner rights ∩ resource rules — a scope can never elevate the holder beyond their own permissions. - Authenticated by default. Production refuses unauthenticated MCP access; the bootstrap administrator must replace the default password with a strong one before the platform can be used.
- Roles & ownership. Admin, project owner, and member roles; project owners manage their own participants and delegations without central-IT bottlenecks.
Audit & observability
- Append-only audit log. Logins, key and identity changes, project, participant, delegation, connector, and settings events — a durable, admin-only history of who did what.
- Model-run observability. Every resolution records its provider, model, tokens, cost, and latency — no black-box decisions.
- Built for proof. Stable actor, resource, owner, and credential IDs make the trail explainable for compliance, by design.
Privacy & data minimization
- Write-time minimization. When a PII option is off, new records simply don't store that field — not "store then hide."
- Field-level PII controls. Choose what's retained across resolve results, audit metadata, model diagnostics, and worker journals; redact IP, user agent, and personal fields.
- Configurable retention. Independent retention windows for audit events, resolve requests, model runs, and journals — set the days that match your policy.
- Erasure support. A documented erasure path covers source records, response JSON, audit metadata, diagnostics, and journals for subject-deletion requests.
Deployment & operational security
- You control the perimeter. Terminate TLS at your load balancer or ingress; store secrets in your provider's secret manager; back up your data volume on your schedule.
- Bring your own model. Roster uses the LLM you configure (OpenAI, Anthropic, Mistral, or a gateway). Tokens are billed by your provider and never marked up; an allowlist constrains which models may run.
- Rate limiting. Built-in request and model-call rate limits protect the deployment.
- Standards-based errors. RFC 9457 problem responses across the API.
Compliance
- Your governance, your environment. Because Roster runs in your infrastructure under your IdP, it slots into the controls, retention, and residency requirements you already operate.
- SOC 2. Roster pursues SOC 2 certification to meet Enterprise customer requirements. If your procurement process requires it, talk to us — we'll align on scope and timing.
- Built by Advantys, makers of WorkflowGen — process automation trusted in production since 2003.
Reporting a vulnerability
Found something? Email security@advantys.com. We welcome responsible disclosure and will acknowledge your report.
Deploy it in your own environment.
The surest security review is running it yourself. Read the docs or talk to the team.