Security at TridentStack
As a security company, we hold ourselves to the highest standards. We understand that you're trusting us with access to your systems, and we take that responsibility seriously.
Our Security Principles
These principles guide every decision we make about how we build and operate our platform.
Defense in Depth
Multiple layers of security controls protect your data at every level, from network to application to data storage.
Least Privilege
Access to systems and data is restricted to the minimum necessary. Our agent requests only the permissions required for its functions.
Access by Consent
Our access to your tenant is yours to control. Disable vendor access in your privacy settings and TridentStack personnel are locked out unless you issue a time-limited access grant. Every access is logged.
Continuous Improvement
Security is not a destination. We continuously monitor, test, and improve our security posture.
Infrastructure Security
Our infrastructure is built with security as a foundational requirement, not an afterthought.
Hosting & Network
- Dedicated CPU cloud servers hosted in the United States
- Cloudflare WAF and DDoS mitigation in front of all public endpoints
- Network segmentation between services; internal services are never reachable from the public internet
- Agent connections terminate at a dedicated gateway, never directly at data stores
Access Controls
- Administrative access only over a private zero-trust network, with multi-factor authentication
- No public SSH exposure on any production system
- Role-based access control for all systems
- Least-privilege secrets: each service can read only the credentials it needs
Monitoring & Response
- 24/7 infrastructure monitoring with on-call paging
- Independent external uptime monitoring
- Public status page with live component health
- Documented incident response with postmortems for production issues
Data Protection
Your data is protected with industry-standard encryption and strict access controls throughout its lifecycle.
Encryption in Transit
All traffic between your endpoints, your browser, and our services is encrypted with TLS. Agent connections use TLS 1.2 or higher over gRPC and validate against a pinned certificate authority set.
Tenant Isolation
Every API request is scoped to your organization at the application layer. Requests for another tenant's resources return not-found responses by design, so resources cannot be discovered or enumerated across tenants.
Encrypted Backups
Automated database backups are stored offsite with a separate cloud provider and encrypted at rest with AES-256.
Data Retention
We retain your data only as long as necessary to provide services. Upon account termination, data is retained for 90 days for recovery purposes, then permanently deleted.
Your data is not for sale
We never sell customer data. Not to advertisers, not to data brokers, not to anyone, and we never will. Data in TridentStack Control exists for exactly one purpose: operating the service for you.
Agent Security
Our agent runs on your endpoints with the access it needs to manage updates and security. We've designed it with security as the top priority.
- Signed binaries on every platform: Authenticode-signed on Windows, Developer ID-signed and notarized on macOS, GPG-signed packages on Linux
- TLS 1.2 or higher with a pinned certificate authority set on the agent command channel
- Credentials in OS-protected storage: Windows DPAPI, a dedicated macOS Keychain, and encrypted root-only files on Linux
- Staged updates: agent releases are never pushed to the entire fleet at once. Every release deploys to TridentStack's own endpoints first, then rolls out to customer fleets in progressive stages, with automatic halt if agents fail to reconnect or report errors
- Least privilege: the agent requests only the permissions required for its functions
- Complete activity history: every action the agent takes is recorded and visible in your console
What the Agent Collects
Our agent collects only the information necessary to provide our services:
Application Security
Security is built into our development process from design through deployment.
Secure Development
- Security-focused review for all changes
- Automated dependency scanning with continuous remediation
- CI gates: tests, migration safety checks, and build verification before anything ships
- Every uploaded custom installer is security-scanned before it can be deployed
Identity & Access
- Single sign-on with Microsoft and Google (OAuth 2.0 / OpenID Connect)
- Passkeys (WebAuthn) and authenticator-app multi-factor authentication
- Step-up re-authentication for sensitive operations
- Role-based access control and scoped API keys
- Instant fleet-wide session revocation on credential events
Responsible Disclosure
If you believe you have found a security vulnerability in TridentStack Control, we want to hear from you. Email [email protected] with a description of the issue, steps to reproduce, and the affected component or URL. We acknowledge reports within 2 business days.
We will not pursue legal action against researchers who act in good faith: avoid privacy violations and service disruption, do not access data that is not yours, and give us reasonable time to remediate before any public disclosure.
Machine-readable details: /.well-known/security.txt
Questions About Security?
Our team is happy to answer any questions about our security practices or discuss your specific requirements.