A compliance tool that takes its own security seriously.
We collect sensitive evidence about your infrastructure. We're not casual about how we protect it. Here's exactly what we do.
How we protect your evidence data.
Six practices we hold ourselves to — the same standard we help you demonstrate to your auditors. We are not SOC 2 certified yet; we're pursuing Type II certification. We will not claim certifications we don't hold.
Encryption at rest and in transit
All evidence data is encrypted at rest using AES-256. All data in transit uses TLS 1.2 or higher. Encryption keys are managed separately from data and rotated on a defined schedule.
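As an added illustration (not Tenurex's code; the key store, customer ids and evidence value are constructed stand-ins for this example), the following Go program shows the shape of the "encryption at rest, keys managed separately" practice: evidence is sealed with AES-256-GCM under a versioned key fetched from a key store that is distinct from the evidence store, the ciphertext is bound to its customer and evidence id via GCM's associated data so a blob cannot be decrypted under another tenant, and the TLS client policy refuses anything below TLS 1.2.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
)

// KeyStore stands in for a key-management service kept apart from the evidence
// store (constructed for this example; a deployment would use a KMS or HSM).
// Keys are addressed by version, so rotation adds a version and old envelopes
// still name the version that sealed them.
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Rotate generates a fresh 256-bit key under the given version label.
func (ks *KeyStore) Rotate(version string) error {
	k := make([]byte, 32) // 32-byte key selects AES-256
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.keys[version] = k
	return nil
}

func (ks *KeyStore) key(version string) ([]byte, error) {
	k, ok := ks.keys[version]
	if !ok {
		return nil, errors.New("unknown key version " + version)
	}
	return k, nil
}

// Envelope is what the evidence store persists: ciphertext, nonce and the key
// version needed to open it. The key itself never sits next to the data.
type Envelope struct {
	KeyVersion string
	Nonce      []byte
	Ciphertext []byte
}

// aad binds a ciphertext to one customer and one evidence record, so a blob
// copied from another tenant's row fails authentication instead of decrypting.
func aad(customerID, evidenceID string) []byte {
	return []byte(customerID + "/" + evidenceID)
}

func gcmFor(ks *KeyStore, version string) (cipher.AEAD, error) {
	key, err := ks.key(version)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptEvidence seals plaintext under the named key version with AES-256-GCM.
func EncryptEvidence(ks *KeyStore, keyVersion, customerID, evidenceID string, plaintext []byte) (*Envelope, error) {
	gcm, err := gcmFor(ks, keyVersion)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // GCM requires a unique nonce per key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, aad(customerID, evidenceID))
	return &Envelope{KeyVersion: keyVersion, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptEvidence opens an envelope; it fails if the key version is gone, the
// data was tampered with, or the customer/evidence binding does not match.
func DecryptEvidence(ks *KeyStore, customerID, evidenceID string, env *Envelope) ([]byte, error) {
	gcm, err := gcmFor(ks, env.KeyVersion)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad(customerID, evidenceID))
}

// TransitConfig is the client-side TLS policy for calls to integrations:
// nothing below TLS 1.2 is negotiated.
func TransitConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	ks := NewKeyStore()
	if err := ks.Rotate("v1"); err != nil {
		panic(err)
	}
	// Constructed sample evidence record for customer "cust-a".
	env, err := EncryptEvidence(ks, "v1", "cust-a", "mfa-status", []byte("MFA enforced for 42/42 users"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptEvidence(ks, "cust-a", "mfa-status", env)
	fmt.Printf("decrypted for cust-a: %q err=%v\n", pt, err)
	_, err = DecryptEvidence(ks, "cust-b", "mfa-status", env)
	fmt.Println("decrypt attempt under cust-b:", err)
}
```

The point of the associated data is that tenant isolation holds even if two customers' ciphertexts end up in the same table: the row for one customer cannot be served to another without GCM's authentication check failing.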
Read-only integrations only
Tenurex never writes to your systems. Every integration is authorized with the minimum read-only scope required to collect the specific evidence your framework needs. We cannot modify your configurations.
Vulnerability management
We run automated vulnerability scans on our infrastructure on a weekly cadence. Critical findings are addressed within 72 hours. We use a third party for annual penetration testing.
Access reviews and offboarding
We conduct quarterly access reviews of all internal system access. Access is revoked within 24 hours of employee offboarding. We use MFA on all internal systems — the same control we help you evidence.
Credential management
OAuth tokens and API keys are stored in an encrypted secrets vault with audit logging. Credentials are never stored in environment variables or flat configuration files. Rotation is supported and encouraged.
Incident response
We maintain a documented incident response plan with defined roles and response timelines. Any security incident affecting customer data is disclosed within 72 hours of identification. Contact us at [email protected].
Architecture designed with least-privilege access.
Collection workers are isolated, short-lived processes — read-only scope, no persistent network connections, customer data logically isolated at the storage layer. We request only the API scopes required to collect the specific evidence your framework needs, and nothing broader.
Evidence collection pipeline
Our collection workers are isolated, short-lived processes. They authenticate against your integration with the stored read-only credential, query the specific evidence required, write it to the evidence store, and terminate. No long-lived sessions. No persistent network connections to your infrastructure.
Each collection worker can only read from the specific integration it was invoked for. Workers cannot access evidence from other customers or other integrations within the same account.
- Isolated per-integration, per-collection-run workers
- No persistent connections to customer infrastructure
- Customer data is logically isolated at the storage layer
- All API calls logged and auditable
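As an added example (not Tenurex's code; the vault, integration API, customer ids and evidence values are constructed stand-ins), the following Go program models the credential-management and collection-pipeline practices described above in one place: a worker is invoked for exactly one customer and one integration, fetches its read-only credential from a vault that logs the fetch rather than from the environment, issues only the queries its token is scoped for, writes the results under that customer alone, and returns with nothing outliving the call. Every vault fetch and API call lands in the same audit trail.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Credential is a read-only token bound to one customer and one integration.
type Credential struct {
	CustomerID  string
	Integration string
	Scopes      map[string]bool // e.g. "read:users"
}

// AuditEntry is one line of the trail shared by the vault and the workers.
type AuditEntry struct {
	At         time.Time
	CustomerID string
	Action     string
	Allowed    bool
}

// Vault stands in for the encrypted secrets store (constructed for this example).
// Credentials are handed to the worker in memory; nothing is read from env vars.
type Vault struct {
	secrets map[string]Credential // key: customer/integration
	Audit   []AuditEntry
}

func (v *Vault) Fetch(customerID, integration string) (Credential, error) {
	c, ok := v.secrets[customerID+"/"+integration]
	v.Audit = append(v.Audit, AuditEntry{At: time.Now(), CustomerID: customerID, Action: "vault.fetch " + integration, Allowed: ok})
	if !ok {
		return Credential{}, errors.New("no credential for " + customerID + "/" + integration)
	}
	return c, nil
}

// IntegrationAPI is the customer-side system being read. The fake below keys
// evidence by customer/integration/query and rejects calls outside the token's scope.
type IntegrationAPI interface {
	Query(cred Credential, scope, query string) (string, error)
}

type fakeAPI struct{ data map[string]string }

func (f fakeAPI) Query(cred Credential, scope, query string) (string, error) {
	if !cred.Scopes[scope] {
		return "", errors.New("token lacks scope " + scope)
	}
	v, ok := f.data[cred.CustomerID+"/"+cred.Integration+"/"+query]
	if !ok {
		return "", errors.New("no such evidence: " + query)
	}
	return v, nil
}

// EvidenceStore keeps rows per customer; a worker only writes under the
// customer its credential belongs to.
type EvidenceStore struct{ rows map[string]map[string]string }

func NewEvidenceStore() *EvidenceStore { return &EvidenceStore{rows: map[string]map[string]string{}} }

func (s *EvidenceStore) Get(customerID, evidenceID string) (string, bool) {
	v, ok := s.rows[customerID][evidenceID]
	return v, ok
}

// RunCollection is one worker lifetime: fetch the scoped credential, run the
// requested queries (query -> required scope), store evidence, return.
func RunCollection(vault *Vault, api IntegrationAPI, store *EvidenceStore,
	customerID, integration string, jobs map[string]string) []error {
	cred, err := vault.Fetch(customerID, integration)
	if err != nil {
		return []error{err}
	}
	var errs []error
	for query, scope := range jobs {
		val, err := api.Query(cred, scope, query)
		vault.Audit = append(vault.Audit, AuditEntry{At: time.Now(), CustomerID: customerID, Action: integration + " " + query, Allowed: err == nil})
		if err != nil {
			errs = append(errs, err)
			continue
		}
		if store.rows[customerID] == nil {
			store.rows[customerID] = map[string]string{}
		}
		store.rows[customerID][integration+"/"+query] = val
	}
	return errs // cred goes out of scope here; the worker holds no session
}

func main() {
	// Constructed sample data: one customer, one GitHub token scoped to read users only.
	vault := &Vault{secrets: map[string]Credential{
		"cust-a/github": {CustomerID: "cust-a", Integration: "github", Scopes: map[string]bool{"read:users": true}},
	}}
	api := fakeAPI{data: map[string]string{"cust-a/github/users": "12 members, MFA enforced"}}
	store := NewEvidenceStore()
	errs := RunCollection(vault, api, store, "cust-a", "github", map[string]string{"users": "read:users", "repos": "read:repos"})
	fmt.Println("scope errors:", errs)
	for _, e := range vault.Audit {
		fmt.Printf("%s %s allowed=%v\n", e.CustomerID, e.Action, e.Allowed)
	}
}
```

The run for `repos` fails because the token was never granted `read:repos`; that failure is recorded in the audit trail rather than silently skipped, which is what makes the "minimum read-only scope" claim checkable after the fact.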
Data flow — evidence collection
Security questions? Reach us directly.
If you have questions about our security posture, want to report a vulnerability, or need our security documentation for a vendor review — email us.
We respond to security inquiries within 1 business day.