SHIELDMIND
Security

Built like a vault. Audited like one.

Every detection, every key, every byte — protected by the same engineering discipline we sell our customers.

Live coverage

MITRE ATT&CK — verifiable, published, per-detector.

Most vendors publish a number. We publish the detector. Click any technique, read the YAML.

Our security posture.

Encryption everywhere

AES-256 at rest · TLS 1.3 in transit · hash-chained agent buffer · cert-pinned uploads.

BYO LLM key

Your Anthropic or OpenAI key never leaves your vault. We never see customer prompts.

Per-org isolation

Multi-tenant by design. Every query scoped to organization_id. Zero cross-tenant leakage.

Audit-grade evidence

Every detection, every mitigation, every approval — immutable trail with PDF compliance packs.

Privacy by default

Metadata-only mode available. Personal-domain redaction. User-consent capture flows.

Public bug bounty

Find a vulnerability, get paid. Detailed scope and rewards on our bounty page.

Authentication & access.

Primary authentication is delegated to WorkOS, a SOC 2 Type II certified identity provider. ShieldMind never stores customer passwords.

Single Sign-On

SAML 2.0 and OIDC. Okta, Azure AD, Google Workspace, Ping, OneLogin, JumpCloud, Duo, Auth0, and every other major IdP. Self-serve setup via WorkOS Admin Portal.

MFA everywhere

TOTP, WebAuthn / passkeys, hardware FIDO2 keys, SMS. Enforceable per-role or per-org. Required by default for super_admin.

SCIM Directory Sync

Auto-provision and auto-deprovision in under 60 seconds. Group-to-role mapping. SOC 2-friendly audit trail on every change.

Session control

Sealed AES-256-GCM session cookies. Per-org timeout. Active session list with one-click revoke. Sign out everywhere.

Detailed answers — every standard enterprise auth question — in our AUTH_SECURITY response document (available under NDA).

Encryption.

In transit: TLS 1.3 preferred, TLS 1.2 minimum. HSTS preloaded. Modern AEAD-only cipher suites. ECDSA P-256 certs rotated every 90 days.
At rest: AES-256 on every database and object store. Provider-managed KMS today; BYOK (customer-managed keys) on the Q2 2027 roadmap.
Sessions: Sealed session cookies use AES-256-GCM with quarterly key rotation. HttpOnly, Secure, SameSite=Lax.
Signatures: HMAC-SHA256 for webhook verification, Ed25519 for sensitive internal payloads. Signing keys live in HashiCorp Vault.

Compliance.

SOC 2 (inherited)

Authentication, SSO, MFA, and directory sync run inside WorkOS — SOC 2 Type II certified. Report available under NDA.

SOC 2 (ShieldMind)

Type I attestation targeted Q4 2026. Type II 12 months after. Detection, storage, and dashboard layers in scope.

HIPAA-eligible

BAA available via WorkOS for the auth subsystem. ShieldMind BAA covers detection and storage on request.

GDPR + CCPA

EU SCCs available. DSR support (export, erasure) built into super_admin tools. EU and India data residency on request.

Sub-processors.

We notify security contacts 30 days before any change. Full DPA on request.

WorkOS | Authentication, SSO, SCIM, MFA | US / EU / India / UK (per customer)
AWS | Application + data hosting | Per customer residency
Supabase | Operational database | US-East / EU-Central
Cloudflare | DDoS, WAF, CDN | Global edge
Sentry | Error reporting (no PII) | US
Razorpay | Billing | India

Bug bounty.

We pay researchers. Disclose responsibly via bd@dtrasglobal.com with a PGP-encrypted writeup.

Critical | RCE, auth bypass, cross-tenant data access | $5,000 – $25,000
High | Privilege escalation, sensitive data exposure | $1,500 – $5,000
Medium | CSRF, stored XSS, info disclosure | $500 – $1,500
Low | Reflected XSS, rate-limit bypass | $100 – $500

Responsible disclosure.

Found something? Email bd@dtrasglobal.com. We acknowledge within one business day, fix critical issues within 30 days, and credit researchers (with consent) in our changelog.

Acknowledge: 1 business day
Critical fix: 30 days
Breach notice: 72 hours

Report a vulnerability.

bd@dtrasglobal.com · PGP key on request

© 2026 DTRAS-G Solutions Private Limited. All rights reserved. ShieldMind® is a brand operated by DTRAS-G Solutions Private Limited.