Skip to content
Legal

Security

Effective: 2026-05-01

DRAFT — REQUIRES LEGAL REVIEW. This document is a working draft and must be reviewed by qualified counsel before publication.

This page summarizes Talarity's security commitments. For program-level detail, see our Trust Center.

1. Encryption

All data in transit is protected with TLS 1.3. Data at rest is encrypted with AES-256. Customer-managed keys are available on Enterprise contracts.

2. Authentication

SSO via SAML 2.0 and OIDC. SCIM 2.0 user provisioning. Optional or enforced TOTP-based MFA. App Check on every callable endpoint.

3. Access control

Role-based access control with three-layer enforcement (route registry, dispatcher, handler). Org-group-based feature gating. Least-privilege defaults.

4. Audit logging

60+ event types are captured in immutable, hash-chained audit logs. Logs are exportable via UI and API.

5. Vulnerability management

Regular vulnerability scanning, patch management on a defined SLA, and annual third-party penetration testing.

6. Incident response

Documented incident-response procedures with defined roles, escalation paths, and customer-notification commitments. Material incidents are reported to affected customers within applicable regulatory windows.

7. Vendor management

Sub-processors are vetted, contracted with appropriate DPAs, and listed publicly at /legal/sub-processors.

8. Reporting a vulnerability

We run a coordinated vulnerability disclosure program with safe-harbor protection for good-faith research. Testing is scoped to our development environment. Submit through our vulnerability report form (anonymous reporting supported) or email security@talarity.com. We acknowledge promptly and resolve high-severity issues within a published SLA. See our Responsible Disclosure Program for scope, safe-harbor terms, and our disclosure timeline.