Security at TridentStack

As a security company, we hold ourselves to the highest standards. We understand that you're trusting us with access to your systems, and we take that responsibility seriously.

Our Security Principles

These principles guide every decision we make about how we build and operate our platform.

Defense in Depth

Multiple layers of security controls protect your data at every level, from network to application to data storage.

Least Privilege

Access to systems and data is restricted to the minimum necessary. Our agent requests only the permissions required for its functions.

Access by Consent

Our access to your tenant is yours to control. Disable vendor access in your privacy settings and TridentStack personnel are locked out unless you issue a time-limited access grant. Every access is logged.

Continuous Improvement

Security is not a destination. We continuously monitor, test, and improve our security posture.

Infrastructure Security

Our infrastructure is built with security as a foundational requirement, not an afterthought.

Hosting & Network

  • Dedicated CPU cloud servers hosted in the United States
  • Cloudflare WAF and DDoS mitigation in front of all public endpoints
  • Network segmentation between services; internal services are never reachable from the public internet
  • Agent connections terminate at a dedicated gateway, never directly at data stores

Access Controls

  • Administrative access only over a private zero-trust network, with multi-factor authentication
  • No public SSH exposure on any production system
  • Role-based access control for all systems
  • Least-privilege secrets: each service can read only the credentials it needs

Monitoring & Response

  • 24/7 infrastructure monitoring with on-call paging
  • Independent external uptime monitoring
  • Public status page with live component health
  • Documented incident response with postmortems for production issues

Data Protection

Your data is protected with industry-standard encryption and strict access controls throughout its lifecycle.

Encryption in Transit

All traffic between your endpoints, your browser, and our services is encrypted with TLS. Agent connections use TLS 1.2 or higher over gRPC and validate against a pinned certificate authority set.

Tenant Isolation

Every API request is scoped to your organization at the application layer. Requests for another tenant's resources return not-found responses by design, so resources cannot be discovered or enumerated across tenants.

Encrypted Backups

Automated database backups are stored offsite with a separate cloud provider and encrypted at rest with AES-256.

Data Retention

We retain your data only as long as necessary to provide services. Upon account termination, data is retained for 90 days for recovery purposes, then permanently deleted.

Your data is not for sale

We never sell customer data. Not to advertisers, not to data brokers, not to anyone, and we never will. Data in TridentStack Control exists for exactly one purpose: operating the service for you.

Agent Security

Our agent runs on your endpoints with the access it needs to manage updates and security. We've designed it with security as the top priority.

  • Signed binaries on every platform: Authenticode-signed on Windows, Developer ID-signed and notarized on macOS, GPG-signed packages on Linux
  • TLS 1.2 or higher with a pinned certificate authority set on the agent command channel
  • Credentials in OS-protected storage: Windows DPAPI, a dedicated macOS Keychain, and encrypted root-only files on Linux
  • Staged updates: agent releases are never pushed to the entire fleet at once. Every release deploys to TridentStack's own endpoints first, then rolls out to customer fleets in progressive stages, with automatic halt if agents fail to reconnect or report errors
  • Least privilege: the agent requests only the permissions required for its functions
  • Complete activity history: every action the agent takes is recorded and visible in your console

What the Agent Collects

Our agent collects only the information necessary to provide our services:

System inventoryRequired
Installed softwareRequired
Security configurationsRequired
Network portsRequired
Personal files or documentsNever
Passwords or credentialsNever
Browser history or cookiesNever

Application Security

Security is built into our development process from design through deployment.

Secure Development

  • Security-focused review for all changes
  • Automated dependency scanning with continuous remediation
  • CI gates: tests, migration safety checks, and build verification before anything ships
  • Every uploaded custom installer is security-scanned before it can be deployed

Identity & Access

  • Single sign-on with Microsoft and Google (OAuth 2.0 / OpenID Connect)
  • Passkeys (WebAuthn) and authenticator-app multi-factor authentication
  • Step-up re-authentication for sensitive operations
  • Role-based access control and scoped API keys
  • Instant fleet-wide session revocation on credential events

Responsible Disclosure

If you believe you have found a security vulnerability in TridentStack Control, we want to hear from you. Email [email protected] with a description of the issue, steps to reproduce, and the affected component or URL. We acknowledge reports within 2 business days.

We will not pursue legal action against researchers who act in good faith: avoid privacy violations and service disruption, do not access data that is not yours, and give us reasonable time to remediate before any public disclosure.

Machine-readable details: /.well-known/security.txt

Questions About Security?

Our team is happy to answer any questions about our security practices or discuss your specific requirements.