Security overview

Built for the vendor-security review

SOC 2 posture

Our controls are mapped to the SOC 2 Trust Services Criteria — access control, change management, logging, data segregation, and availability. We will pursue a SOC 2 Type I report when our first enterprise customer requires it. Security questionnaires available on request.

Source-available

Self-hosted customers receive full access to the Tektite source code, so your security team can audit the implementation directly — a concrete trust differentiator against closed-source competitors. Source-available, under a commercial license; not an open-source project.

Encryption

In transit and at rest, across managed and self-hosted.

  • AES-256 encryption for data at rest on managed hosting.
  • TLS 1.2+ for all client-server and service-to-service traffic.
  • Customer-managed KMS keys available on request for regulated deployments.

Per-tenant isolation

Separate AWS accounts, not separate database rows.

  • Each managed customer is provisioned into a dedicated, isolated AWS account.
  • Separate database, separate compute, separate network, separate monitoring.
  • No shared multi-tenant database to leak across tenants on a query bug.
  • Self-hosted customers run inside their own perimeter, full stop — no calls home.

Audit logging and export

Every security-relevant action, logged and SIEM-ready.

  • Logs cover logins, role changes, file access, provisioning events, and admin actions.
  • Request-scoped JSON logs with request IDs, status codes, and latency on every request.
  • Export to CSV or JSONL for ingestion into Splunk, Datadog, Elastic, or your SIEM of choice.
  • Retention tunable to your compliance requirements on managed hosting.

Identity and access

Bring your IdP; we enforce what it tells us.

  • Standards-based SSO over OIDC and SAML 2.0 — Okta, Azure AD, Google Workspace, Keycloak, and anything else standards-compliant.
  • SCIM 2.0 provisioning for automated user lifecycle and group sync.
  • SSO-only mode disables local password accounts entirely.
  • Three-tier per-folder roles (Owner, Editor, Viewer), enforced server-side.
  • Directory-group mapping so access is managed in your IdP, not in our UI.

Privacy and data rights

GDPR and CCPA endpoints built into the product.

  • Programmatic data-export endpoint for subject-access requests.
  • Programmatic PII-erasure endpoint for right-to-deletion requests.
  • Data residency honored by the AWS region your tenant is provisioned in; self-hosted runs wherever you run it.

Threat detection and rate limiting

Continuous monitoring and per-endpoint limits.

  • Continuous threat detection across all managed tenants via AWS GuardDuty.
  • Per-endpoint rate limits on login, invite creation, SCIM calls, and provisioning to resist abuse and automated attacks.
  • Per-tenant operational alarms across 5xx rate, latency, CPU, storage, connections, and task health.

Session and device management

Visibility into who is signed in, and the ability to cut it off.

  • Admins see active sessions per user, including IP and device.
  • Force sign-out of any user or any individual session.
  • IdP-driven session revocation when a user is removed upstream.

Deprovisioning

When someone leaves, they leave — automatically.

  • Removal from your IdP deactivates the Tektite account immediately via SCIM.
  • Active sessions are revoked; the user cannot continue editing shared content.
  • The seat is freed at the same moment, not on a monthly reconciliation.
  • Full user lifecycle is logged in the audit trail.
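How the deprovisioning chain above fits together, as an added example that is not Tektite's own code: a hypothetical in-memory handler for a SCIM 2.0 PATCH on /Users/{id} that, on `active: false`, deactivates the account, revokes every live session, frees the seat and writes the audit entry. The Tenant, User and audit-log structures are assumptions; the handler accepts both the `path: "active"` and the pathless PatchOp forms, and the string-valued "False" some IdPs send instead of a JSON boolean.

```python
import json
from dataclasses import dataclass, field

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

@dataclass
class User:
    user_id: str
    active: bool = True
    sessions: set = field(default_factory=set)  # live session IDs (assumed model)

@dataclass
class Tenant:
    users: dict = field(default_factory=dict)
    seats_in_use: int = 0
    audit_log: list = field(default_factory=list)

def _as_bool(value) -> bool:
    # Some IdPs send "False"/"True" strings instead of JSON booleans.
    return value if isinstance(value, bool) else str(value).lower() == "true"

def deactivate(tenant: Tenant, user: User, reason: str) -> None:
    user.active = False
    revoked = len(user.sessions)
    user.sessions.clear()      # every live session, not just the current one
    tenant.seats_in_use -= 1   # freed now, not at a monthly reconciliation
    tenant.audit_log.append({"event": "user.deactivated", "user": user.user_id, "sessions_revoked": revoked, "reason": reason})

def apply_scim_patch(tenant: Tenant, user_id: str, body: str) -> dict:
    """Handle SCIM 2.0 PATCH /Users/{id}; only the 'active' attribute is modelled."""
    patch = json.loads(body)
    if PATCH_OP not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp request")
    user = tenant.users[user_id]
    for op in patch.get("Operations", []):
        if op.get("op", "").lower() != "replace":
            continue
        if op.get("path") == "active":                     # {"path": "active", "value": false}
            wanted = _as_bool(op.get("value"))
        elif "path" not in op and isinstance(op.get("value"), dict) and "active" in op["value"]:
            wanted = _as_bool(op["value"]["active"])       # pathless form: {"value": {"active": false}}
        else:
            continue
        if not wanted and user.active:                     # idempotent: a repeat PATCH changes nothing
            deactivate(tenant, user, "scim: replace active=false")
    return {"id": user.user_id, "active": user.active}

def session_is_valid(tenant: Tenant, user_id: str, session_id: str) -> bool:
    # Every request path must check this: an inactive user has no valid sessions.
    user = tenant.users.get(user_id)
    return user is not None and user.active and session_id in user.sessions
```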

Still have questions?

We're happy to walk through architecture, share pre-filled questionnaire responses, or set up a call with your security team.