Security you can verify, not just trust

Enterprise-grade security built on AWS best practices and industry-standard authentication, authorization, and encryption.

Authentication

Enterprise-grade identity management — no credentials stored

  • OAuth 2.0 (RFC 6749) with PKCE (RFC 7636) for secure, phishing-resistant authentication
  • OpenID Connect (OIDC) compliant identity provider — industry standard for federated identity
  • No passwords, secrets, or authentication credentials stored in Trigops databases
  • Backend callback pattern — tokens never exposed in browser URLs or client-side storage
  • Automatic token refresh with proactive rotation before expiry

Cloud Access & Delegation

AWS best practices for secure cross-account delegation

  • You deploy and approve an IAM role in your own AWS account via CloudFormation — full control in your hands
  • No access keys, secret keys, or long-lived credentials stored in our systems
  • Cross-account access uses temporary session credentials with short-lived tokens that expire automatically
  • A unique long identifier per organization is encrypted (AES-256) and stored in our infrastructure
  • All resource operations are orchestrated through automated workflows with a complete audit trail
  • Revoke access at any time by removing the CloudFormation stack — immediate termination

Authorization

Enterprise-grade access control with fine granularity

  • Relationship-based access control (ReBAC) engine for fine-grained authorization
  • Hybrid RBAC + ABAC model — roles control actions, scopes control resource visibility
  • 5 built-in roles (owner, administrator, operator levels, member) plus organization-defined custom roles
  • Per-member permission boundaries scoped by AWS account and region
  • Per-resource sharing with 3-tier hierarchy: viewer, editor, manager
  • Multi-tenant isolation — organizations never access each other's data

Data Protection & Privacy

Encrypted everywhere, minimal by design

  • All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • All sensitive data — credentials, identifiers, configurations — encrypted at rest with dedicated keys
  • Multi-tenant data isolation at the database level — strict organizational boundaries
  • Presence detection uses OS-level idle APIs only — no keystroke logging, no screen capture, no clipboard access
  • Work tools detection reads application names only — no application content captured or transmitted
  • Heartbeat data: status + timestamp + device ID. Nothing more.

Compliance & Standards

Built on recognized industry standards

  • OAuth 2.0 (RFC 6749) and PKCE (RFC 7636) for authentication
  • OpenID Connect (OIDC) for federated identity management
  • TLS 1.2+ for all data in transit
  • AES-256 encryption for data at rest
  • HTTPS everywhere — no unencrypted API or webhook traffic
  • RBAC, ABAC, and ReBAC authorization standards
  • CCPA and GDPR data subject rights supported
  • Regular security assessments and vulnerability monitoring

Ready to see it in action?

Start with Builder and verify our security yourself.