Trust, Verified

A security company that doesn't publish its own security posture isn't one.

Architecture

Security by Design

Zero-Knowledge Design

We never access, store, or process your data. Policy decisions happen locally or in isolated tenant environments. Tiresias sees threats - never data.

Encryption

TLS 1.3 for all data in transit. AES-256 encryption for all data at rest. No exceptions, no fallbacks.

Authentication

ES256 JWT capability tokens with short-lived expiry, cryptographic signature verification, and automatic key rotation.

Infrastructure Isolation

Isolated tenant environments with row-level security. Each tenant operates in a cryptographically separated context with no cross-tenant data access.

Compliance

Compliance Goals

Our architecture is built with compliance in mind from day one. Formal certifications are on our roadmap as the platform matures.

GDPR Compliance: Active. Privacy Policy, DPA, Article 30 Register

SOC 2 Type I: In Progress. Security & Availability — targeted Q3 2026

SOC 2 Type II: Planned. Sustained Compliance — targeted Q1 2027

ISO 27001: Planned. Information Security Management — targeted Q3 2026

Practices

How We Operate

Immutable Audit Logging

Every policy decision, token issuance, and agent action is logged to an append-only audit trail. Logs cannot be modified or deleted - even by us.

Automated Anomaly Detection

Behavioral analysis powered by Sigma detection rules continuously monitors agent activity for deviations from established baselines.

Policy-as-Code

All security policies are version-controlled, auditable, and deployed through CI/CD. No manual configuration, no drift, no surprises.

Least Privilege at Every Layer

The principle of least privilege is enforced at every layer - from agent tokens to infrastructure access to internal operations.

Data Governance

Data Processing

Data Processing Agreement

Enterprise customers receive a comprehensive DPA covering GDPR, CCPA, and other applicable privacy frameworks. Available upon request for evaluation.

Data Residency

Customer-controlled data residency. Choose where your policy evaluations and audit logs reside. On-premise deployment available for Enterprise tier.

Sub-processors

We maintain a minimal sub-processor list, published and versioned. Each sub-processor is documented with its purpose and data scope. Customers are notified of changes.

Data Retention

Configurable per tenant. Set retention policies for audit logs, token history, and policy evaluation records. Default retention aligns with industry best practices.

Vulnerability Reporting

Responsible Disclosure

We take security reports seriously and respond within 24 hours. If you believe you have discovered a vulnerability in Tiresias, we encourage you to report it responsibly.

Email your findings to security@saluca.com
Include detailed reproduction steps and potential impact assessment
Allow reasonable time for remediation before public disclosure
Do not access or modify data belonging to other users or tenants

We commit to acknowledging reports within 24 hours and providing a detailed response within 72 hours. We will not pursue legal action against researchers who follow these guidelines.

Questions about our security posture?

We're happy to discuss our architecture, compliance plans, or share additional documentation under NDA.