What this page answers
- What is live today versus still in progress
- What changes between Tero-hosted and self-hosted deployments
- Where to go next for architecture, ownership, and evidence details
Current state (as of March 5, 2026)
| Topic | Current state |
|---|---|
| SOC 2 Type II | In progress (target: March 2026) |
| Encryption | Enabled in transit and at rest |
| Deployment models | Tero-hosted and self-hosted |
| AI provider options | Hosted default provider plus bring-your-own provider options |
We prioritize clear, auditable statements over marketing language. If a control is in progress, we mark it as in progress.
Start your review
Security Architecture
End-to-end request flow, trust boundaries, and control points.
Shared Responsibility
Ownership split by deployment model.
Reviewer Map
Questionnaire topic to page lookup.
Deployment boundary at a glance
| Area | Tero-hosted | Self-hosted |
|---|---|---|
| Control plane runtime | Operated by Tero | Operated by customer |
| Network perimeter | Managed by Tero baseline controls | Managed by customer |
| Data locality control | Tero-hosted region model | Customer-chosen region/infrastructure |
| AI provider path | Hosted default and configured options | Customer-controlled provider path |
| Infrastructure patching and operations | Tero | Customer |
Default hosted data scope
| Data class | Stored | Why |
|---|---|---|
| Account and workspace configuration | Yes | Service configuration and access control |
| Telemetry metadata (schemas, field types, volume patterns) | Yes | Catalog, analysis, and policy generation |
| Full raw telemetry content | No (default model) | Source of record remains your observability platform |
| Authentication metadata | Yes | Session and access control |
| Billing records (self-service) | Limited scope only | Billing operations |
What this means in practice
- Baseline integration does not require vendor-initiated inbound connectivity into your environment.
- Full raw telemetry is not the default hosted system-of-record data model.
- Control ownership shifts materially in self-hosted mode at the infrastructure and network layers.
Evidence path
| Topic | Public evidence | Additional evidence (on request) |
|---|---|---|
| Architecture and trust boundaries | Security Architecture | Architecture walkthrough and control notes |
| Responsibility split | Shared Responsibility | Deployment-specific control allocation review |
| Encryption controls | Encryption Standard | Platform control evidence and security review package |
| Subprocessors and data handling | Subprocessors and Third Parties | Subprocessor and data-flow detail under NDA |
| AI data handling options | AI Data Controls | Deployment-specific model and provider configuration review |
In progress
- SOC 2 Type II is in progress.
- Target issuance window: March 2026.
Request security artifacts
Email with your checklist, deployment model, and review timeline.