Software security R-THYM cloud compliance AWS data-privacy

R-THYM Security Whitepaper: Data Protection & Trust in Hydraulic Modeling

By Jason Lillywhite, PE May 23, 2026

R-THYM Security Whitepaper: Data Protection and Trust in Hydraulic Modeling

1. Executive Summary: Security-First Infrastructure Design

Modern water distribution systems, wastewater networks, and stormwater facilities form the backbone of public health and economic stability. As utilities undergo digital transformation, the software systems that simulate and optimize these critical assets must be held to the highest standard of security.

The R-THYM platform, developed by Lillywhite Water Solutions LLC, is a web-based hydraulic modeling and digital twin solution built with a security-first architecture. Tailored specifically for critical infrastructure operators, engineering consultants, and municipal utilities, R-THYM eliminates the vulnerability profiles associated with legacy desktop modeling software by centralizing and securing hydraulic simulations within a hardened cloud environment.

This whitepaper outlines the technical, administrative, and physical safeguards implemented to protect client-supplied simulation parameters, hydraulic network topologies, and digital twin configurations while maintaining compliance with emerging privacy and cybersecurity standards.

2. Data Architecture & Encryption

R-THYM implements strict separation of concerns between its user interface, calculation engines, and file storage layers to maintain the confidentiality and integrity of all client information.

2.1 Database Storage for R-THYM Projects

R-THYM's primary persistence layer is an encrypted relational database (PostgreSQL in production). When a user saves a project, the complete hydraulic model—including all node configurations, pipe network topology, pump curves, tank parameters, and electrical components—is serialized as a structured JSON document and written to the database via an authenticated API call.

R-THYM also supports importing and exporting standard EPANET .inp files and full model JSON files. These operations are performed entirely within the user's browser: .inp files are read from and written to the user's local device via the browser's native FileReader and Blob APIs and are never transmitted to the server. The server-side database record stores only the structured project JSON, not raw EPANET files.

  • Row-Level Ownership Enforcement: Every saved HydroProject record is bound to the authenticated user who created it. The application server enforces ownership checks on every read, update, and delete operation, preventing any horizontal access between accounts.
  • No Residual Simulation Data: Because hydraulic calculations execute client-side (see Section 4), the server stores only the user-defined configuration—not runtime outputs such as pressure heads, flow values, or energy results. These exist only in the browser's memory for the duration of the session.

2.2 Cloud Object Storage (Platform-Level)

The broader Lillywhite platform utilizes Amazon Web Services (AWS) Simple Storage Service (S3) for binary file storage where applicable (e.g., platform media). All S3 buckets are subject to the following controls:

  • Secure Subprocessor Status: AWS acts as our data subprocessor and is bound by a strict Data Processing Agreement (DPA) consistent with applicable data protection laws.
  • Private Access Controls: Storage buckets are configured with public access blocks (AWS_DEFAULT_ACL = 'private'), preventing any public read, write, or traversal of the storage hierarchy.

2.3 Authenticated Project Save API

R-THYM project saves do not involve file uploads. The client serializes the canvas state to JSON and submits it via an authenticated POST request to the Django application server over TLS. The server applies the following controls before writing to the database:

  • Session Authentication: All save endpoints require an active, authenticated session. Unauthenticated requests are rejected with HTTP 302 before reaching any data layer.
  • CSRF Protection: Every state-mutating request is validated against a per-session CSRF token (CSRF_COOKIE_SECURE = True), preventing cross-site request forgery.
  • Ownership Verification: The server binds the saved project to the requesting user's identity and rejects any attempt to write to a project owned by a different account.
  • Object Limits for Free Accounts: Free-tier accounts are server-side constrained to 20 total canvas objects and 2 saved projects, preventing storage abuse without relying on client-side enforcement.

2.4 Cryptography in Transit and at Rest

  • In Transit: All sessions, API traffic, and project saves are encrypted using TLS 1.3 (with TLS 1.2 as a legacy fallback). Administrative controls redirect all HTTP traffic to HTTPS (SECURE_SSL_REDIRECT = True). Database connections from the application server to PostgreSQL are enforced over SSL.
  • At Rest — Database: The production PostgreSQL database is hosted on Heroku Postgres, which encrypts all stored data at rest using AES-256 by default across all service tiers. This covers all saved R-THYM project data, user account records, and session information.
  • At Rest — Object Storage: S3 vaults utilize Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), applying the industry-standard AES-256 encryption algorithm to all stored files.

3. Data Handling & Privacy

Lillywhite Water Solutions LLC adheres to the principle of data minimization, ensuring we collect, process, and retain only the data necessary to provide high-fidelity modeling services.

3.1 Client-Side Computation & Structural Data Isolation

R-THYM's compute model provides a structural privacy guarantee that is stronger than any policy-based control: the server never receives simulation inputs or outputs. All hydraulic calculations—including EPANET steady-state analysis and Method of Characteristics transient modeling—execute entirely within the user's browser. Flow values, pressure heads, pump operating points, and energy metrics exist only in the browser's memory for the duration of the session and are discarded when the tab is closed or the simulation is reset.

  • What the server stores: Only the user-defined network configuration (node and link parameters, pump curves, tank geometry) submitted via the explicit "Save Project" action.
  • What the server never receives: Runtime simulation outputs—pressures, flows, velocities, water quality concentrations, or energy consumption results.

Note: Diagnostic session logging may be enabled on the server for troubleshooting purposes only if authorized in writing by the client and only for the duration of an active support ticket. Any such logs are permanently deleted upon ticket closure.

  • Saved Project Data: At the user's explicit request, R-THYM allows models to be saved within the user's account dashboard. For saved projects, the platform securely stores network topologies, node properties (e.g., elevations and base demands), and pump curves in the relational database solely to enable persistence, model versioning, and continuous collaboration.

3.2 Strict AI Model Restrictions

A primary concern for modern engineering firms is the unauthorized ingestion of proprietary designs by artificial intelligence models.

[!IMPORTANT] No AI Training on Client Data
We do not use client infrastructure, user-uploaded data, SCADA logs, network models, or any proprietary engineering variables to train generalized artificial intelligence models (such as Large Language Models or neural network solvers) unless explicitly authorized by the client in a separate, written instrument.

3.3 Deletion and Retention Policies

  • Consulting Intake Data: Business inquiry information (name, email address, project scope) is stored securely for communication, invoice processing, and expert-witness conflict checks, and is deleted no later than three (3) years following the end of the engagement.
  • Account and Saved Project Data: Saved model files are retained while the user's account is active. If a user deletes their R-THYM account, all saved models, project files, and personal data are permanently and irreversibly purged from our active systems within thirty (30) days, except where retention is strictly required to satisfy legal, tax, or financial reporting requirements.

4. Technical Workloads & Simulation Isolation

R-THYM utilizes a modern, decentralized digital twin architecture. Instead of routing active simulation tasks to shared backend servers, all hydraulic calculations are processed client-side within the user's browser. This provides complete computational isolation between users and eliminates backend exposure to runtime simulation data.

  • WebAssembly (WASM) Sandboxing: R-THYM executes both its steady-state hydraulic solver (epanet-js) and its transient solver (rthym-moc) directly in the browser using compiled WebAssembly. Because these calculations occur entirely within the browser's native WebAssembly sandbox, simulation runs are structurally isolated from other users' sessions and have no access to the underlying local operating system or network.
  • Local Thread Isolation & Concurrency (Web Workers): The high-fidelity rthym-moc WASM transient solver runs on a dedicated background thread via browser Web Workers (transientWorker.js). This prevents interface freezes during complex water hammer simulations while maintaining complete memory-safe isolation on the client machine.
  • Zero Backend Compute Footprint: Because simulations do not consume backend server CPU cycles, R-THYM is immune to server-side resource starvation attacks targeting the compute layer, and client model runtimes never overlap or share memory on cloud servers. The Django application server acts strictly as an authenticated storage manager for saving and retrieving project configurations.

5. Compliance & Standards

Lillywhite Water Solutions LLC has aligned its platform architecture with international and regional security standards to satisfy the compliance demands of enterprise customers.

5.1 SOC 2 Trust Services Criteria Alignment

R-THYM's controls are designed and mapped directly to the five trust services criteria established by the AICPA: 1. Security: Multi-factor authentication, perimeter firewalls, and production environment hardening. 2. Confidentiality: End-to-end data encryption, private S3 vaults, and strict access controls. 3. Availability: Decentralized execution that offloads simulation compute directly to the client browser, protecting the platform against server-side bottlenecks and ensuring continuous availability during traffic spikes. 4. Processing Integrity: In-memory execution validation, preventing corrupted inputs from executing. 5. Privacy: Alignment with GDPR principles, data minimization, and self-service data deletion.

5.2 Washington State Breach Notification Compliance (RCW 19.255.010)

As a Washington state entity, Lillywhite Water Solutions LLC maintains compliance with RCW 19.255.010: * Notification Window: In the event of a confirmed security breach affecting unencrypted personal or confidential infrastructure data, we will notify affected clients as promptly as practicable, and no later than 30 days after discovery of the breach. * State Reporting: If a security incident impacts more than 500 Washington residents, we will report the incident to the Washington State Attorney General's Office within the same 30-day window, as legally required. * Consumer Protection Act Ties: In compliance with RCW 19.373 (My Health My Data Act) and RCW 19.86 (Consumer Protection Act), we recognize that violations of privacy obligations constitute per se violations of the Consumer Protection Act, and we enforce rigid access policies to prevent any unauthorized disclosure.

6. Operational Security & Commitment

Our security posture relies on continuous optimization, strict operational protocols, and a clear roadmap for validation.

6.1 Multi-Factor Authentication (MFA / 2FA)

Administrative and user access is governed by strict identity controls. R-THYM enforces Multi-Factor Authentication (MFA) using Time-Based One-Time Password (TOTP) protocols (via the Django OTP stack). Admin logins and configuration consoles are restricted to authenticated, multi-factor verified developers.

6.2 Browser Hardening and Security Headers

R-THYM utilizes a robust set of security headers to mitigate cross-site scripting (XSS), clickjacking, and packet sniffing: * X-Frame-Options: DENY ensures the application cannot be loaded inside external iframes. * SECURE_CONTENT_TYPE_NOSNIFF = True blocks mime-type sniffing. * SECURE_BROWSER_XSS_FILTER = True enables browser-level XSS protections. * Secure cookie attributes (SESSION_COOKIE_SECURE = True, CSRF_COOKIE_SECURE = True) guarantee that session identifiers are never transmitted in cleartext.

6.3 Security Roadmap and Third-Party Audits

Lillywhite Water Solutions LLC is dedicated to a process of continuous validation. Our operational security roadmap includes: * Roadmap to SOC 2 Type I/II: We are preparing our internal policies and environment logs to support a formal third-party audit for SOC 2 Type I and subsequent Type II certifications. * Regular Penetration Testing: We plan to conduct annual third-party security audits and penetration tests on our platform APIs and database layers to identify and patch emerging vulnerability profiles.

For questions, security reports, or to coordinate a detailed vendor security assessment, please contact: jason@lillywhitewater.com.