Security
Encryption & Data Protection
| Control | Status | Implementation |
|---|---|---|
| Data encrypted in transit | Implemented | TLS 1.3 for all connections |
| Data encrypted at rest | Implemented | AES-256 for database, backups, and temporary storage |
| Encryption key management | Implemented | GCP KMS with automatic rotation |
| Database encryption | Implemented | PostgreSQL encrypted connections required, private IP only |
| Backup encryption | Implemented | AES-256, geo-redundant storage, 30-day retention |
Authentication & Access Control
| Control | Status | Implementation |
|---|---|---|
| Multi-factor authentication | Required | SSO via WorkOS with MFA enforcement |
| Single sign-on (SSO) | Supported | SAML 2.0, OpenID Connect |
| Role-based access control | Implemented | Least privilege, per-resource permissions |
| Session management | Implemented | 24-hour expiration, secure token storage |
| API key security | Implemented | Scoped permissions, rotation supported |
| Production access controls | Implemented | Time-limited, justification required, audit logged |
| Password requirements | Enforced | Minimum 12 characters, complexity requirements |
Infrastructure Security
| Control | Status | Implementation |
|---|---|---|
| Cloud provider | GCP | Google Cloud Platform, us-central1 region |
| Multi-zone deployment | Implemented | Automatic failover between availability zones |
| Network isolation | Implemented | Private VPC, restricted access |
| DDoS protection | Implemented | Cloud Armor with rate limiting |
| Container security | Implemented | Immutable infrastructure, automatic patching |
| Vulnerability scanning | Automated | Dependency checks, container image scanning |
| Infrastructure as code | Implemented | Version controlled, peer reviewed |
Monitoring & Incident Response
| Control | Status | Implementation |
|---|---|---|
| Security monitoring | Active | GCP Security Command Center, real-time alerts |
| Application monitoring | Implemented | Error tracking, performance monitoring |
| Audit logging | Implemented | Infrastructure and application changes logged |
| Failed authentication tracking | Implemented | Suspicious activity detection |
| Incident response plan | Documented | Response procedures, escalation paths |
| Vulnerability disclosure | Active | Responsible disclosure, 24-hour acknowledgment |
Application Security
| Control | Status | Implementation |
|---|---|---|
| Code review | Required | Peer review for all changes |
| Automated testing | Implemented | Tests required before deployment |
| Dependency scanning | Automated | Vulnerability alerts, prompt patching |
| Secrets management | Implemented | Doppler and GCP Secret Manager |
| Input validation | Implemented | All API endpoints validated |
| Rate limiting | Implemented | Per-endpoint and per-user limits |
| Security headers | Implemented | HSTS, CSP, X-Frame-Options |
Edge Security
| Control | Status | Implementation |
|---|---|---|
| Customer infrastructure | Your Control | Edge runs in your environment |
| Fail-open design | By Design | Never blocks observability data on error |
| Local rule processing | Implemented | No telemetry content sent to control plane |
| Encrypted communication | Implemented | TLS 1.3 for all control plane sync |
| Deployment flexibility | Supported | Sidecar, pipeline, or boundary deployment |
Self-Hosted Security
| Control | Status | Implementation |
|---|---|---|
| Self-hosted control plane | Available | Complete infrastructure control |
| Custom AI providers | Supported | Use your AWS Bedrock, Azure OpenAI, or other providers |
| Air-gapped deployment | Contact Us | Available for enterprise requirements |
| Network isolation | Your Control | Deploy within your security boundary |
Privacy
What We Collect
| Data Type | What We Collect | What We Don’t Collect |
|---|---|---|
| Account information | Name, email, company name | Government IDs, social security numbers |
| Authentication | SSO tokens, MFA settings | Passwords (handled by your SSO provider) |
| Telemetry metadata | Schemas, field types, volume patterns, quality classifications | Log content, metric values, trace data |
| Usage data | Features used, actions taken in the product | Individual browsing behavior |
| Billing information | Payment details via Stripe | Credit card numbers (stored by Stripe) |
Who We Share Data With
| Service | What We Share | Why |
|---|---|---|
| Google Cloud Platform | Control plane data, backups | Infrastructure hosting |
| Anthropic (default) | Telemetry samples, not persisted | AI classification |
| WorkOS | User email, authentication tokens | SSO and authentication |
| Stripe | Billing information (self-service only) | Payment processing for self-service customers |
| Self-hosted | Nothing (runs in your infrastructure) | Complete data control |
Your Rights
| Right | How to Exercise |
|---|---|
| Access your data | Email for JSON export |
| Correct your data | Update in account settings or email |
| Delete your data | Email (deleted within 30 days) |
| Export your data | Request machine-readable export |
| Object to processing | Email to discuss concerns |
| Restrict processing | Request limits on specific uses |
Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | While your account is active |
| Telemetry metadata | While your workspace is active |
| Quality rules | While your workspace is active |
| Usage analytics | 2 years |
| Backups | 30 days, then permanently deleted |
Data Location
Tero-hosted: United States (GCP us-central1)Self-hosted: Your chosen region and infrastructure
Edge proxy: Always runs in your infrastructure
Privacy Practices
| Practice | Implementation |
|---|---|
| Data minimization | Store metadata only, not log content or metric values |
| Purpose limitation | Data used only for documented purposes |
| Privacy by design | Architecture built to minimize data collection |
| Transparency | Clear documentation of what we collect and why |
| User control | Progressive access model, self-hosted option available |
Compliance
Certifications & Audits
| Certification | Tero-Hosted Status | Self-Hosted Option |
|---|---|---|
| SOC 2 Type 2 | 2026 | Your certification applies |
| Penetration Testing | Q1 2025 | Include in your testing |
| GDPR | Compliant | Your infrastructure, your compliance |
| CCPA | Compliant | Your infrastructure, your compliance |
| HIPAA | Not Applicable | Your BAA applies |
Controls Implemented
| Control Area | Status | Details |
|---|---|---|
| Access Management | Implemented | RBAC, MFA required, least privilege, temporary access |
| Data Protection | Implemented | TLS 1.3, AES-256 encryption, GCP KMS, daily backups |
| Change Management | Implemented | Code review, staging tests, automated testing, rollback |
| Incident Response | Implemented | Documented plan, 24-hour notification, post-incident review |
| Vendor Management | Implemented | Risk assessment, documented flows, contractual requirements |
| Security Monitoring | Implemented | Threat detection, audit logs, vulnerability scanning |
| Employee Security | Implemented | Background checks, training, device management, access revocation |
Data Privacy
| Regulation | Status | Notes |
|---|---|---|
| GDPR | Compliant | DPA with SCCs available, data subject rights supported |
| CCPA | Compliant | No data sales, opt-out supported, processing records maintained |
| Data Residency | US-Central1 | GCP Iowa region (Tero-hosted), your choice (self-hosted) |