TATER Security Trust Center — Vendor Trust Statement

Data residency & encryption

Hosting region

Microsoft Azure, East US 2 (commercial). Federal / GCC High deployment available on customer-dedicated infrastructure on request.

Database

Azure Cosmos DB (SQL API), partitioned per tenant. Each customer's data lives under tenantId partition isolation, enforced server-side at every query.

Encryption at rest

AES-256-GCM field-level encryption for credentials, API keys, OAuth tokens, and SMTP/Graph secrets. Cosmos DB transparent data encryption (TDE) on top.

Encryption in transit

TLS 1.2+ on every endpoint. Strict-Transport-Security with max-age=31536000; includeSubDomains.

Key management

Azure Key Vault for X.509 certificates and HSM-backed master keys. Per-process secrets via Azure Functions Configuration. Endpoint agent uses Windows DPAPI (Local Machine scope) to encrypt the agent config.

JWT validation

RS256 signing keys fetched from https://login.microsoftonline.com/common/discovery/v2.0/keys. Audience whitelist + tenant-scoped membership lookup. Local-auth path uses HS256.

API key storage

SHA-256 hashed at rest. Only the prefix is ever returned to the user; full keys are shown once at creation and never again.

Backups

Cosmos DB Continuous backup tier (7 days) with self-service point-in-time restore via Azure Portal/CLI. SuperAdmin can restore without a Microsoft support ticket.

AI safety posture

The AI Compliance Analyst, Evidence Agent, and 75-tool MCP server are powered by Anthropic Claude exclusively. We do not use OpenAI, Google Gemini, or any other foundation model.

What we don't do

No training on customer data. Anthropic's commercial terms exclude API traffic from model training. We do not log prompts/responses to any third-party service beyond Anthropic's standard inference path.
No cross-tenant prompt context. Every AI invocation is scoped to a single tenant; the MCP server enforces tenantId on every Cosmos query.
No silent writes. Tools that change tenant state (create_risk_acceptance, execute_script, trigger_remediation, upsert_config_doc) require Admin role and are blocked for unverified MCP API key sessions until identity is verified via email-code.

What you control

BYOK (Bring Your Own Key) — supply your own Anthropic API key per organization. Encrypted at rest with AES-256-GCM. AI features off by default; toggle from Settings → Features.
Channel attribution — every AI-driven write is tagged in the audit log with via: copilot, claude, mcp, web, agent, or api. Filter Activity Log to see exactly what an AI agent did.
Audit log integrity — set the AUDIT_SIGNING_KEY environment variable to enable HMAC-SHA256 per-entry signatures (CLAUDE.md §12ad). Verify offline with any HMAC tool.

Certifications & attestations

SOC 2 Type II

In progress Target completion: Q4 2026. Auditor: TBD. We use TATER itself for the readiness assessment (the platform is its own first audit customer).

ISO 27001

Roadmap Targeted for 2027 once SOC 2 Type II is established.

FedRAMP / StateRAMP

Roadmap Federal/DoD pipeline (POAM, RMF, SSP, STIG import) is shipped today; FedRAMP Moderate authorization for the platform itself targeted 2027–28.

HIPAA

Supported via BAA Available on enterprise plans with executed Business Associate Agreement.

Penetration tests

Planned Annual third-party penetration test on the roadmap; first engagement targeted alongside SOC 2 readiness. Request status via security@tatersecurity.com.

Full attestation evidence is shared under NDA during procurement. We do not publish auditor reports publicly.

Subprocessors

We use the minimum number of third-party services required to deliver the platform. Each subprocessor is contractually bound to confidentiality and security commitments comparable to ours.

Microsoft Azure

Hosting (Azure Functions, Cosmos DB, Static Web Apps, Automation, Key Vault, DNS). Sub-region: East US 2.

Microsoft Entra ID

Authentication (RS256 JWT, MSAL.js).

Anthropic (Claude API)

AI Compliance Analyst, Evidence Agent, MCP server inference. Used only when AI features are enabled per org. Customer can supply their own key (BYOK).

Cloudflare

Optional speed test target (we self-host primary speed test files; Cloudflare is a fallback only).

Subscribe to subprocessor change notices via trust@tatersecurity.com. We provide 30 days advance notice before adding a new subprocessor that processes customer data.

Endpoint agent integrity

SHA256 verification — every agent binary released is hashed at build time and the SHA256 is published via GET /api/agent/version (no auth required). The agent self-verifies updates against this hash before installing.
Windows MSI — distributed via the same SHA256-verified channel as the binaries. Authenticode signing is on the roadmap; SHA256 verification of every binary is current.
Single static binary on Windows / Linux (CGO-free, Go 1.26+) — no DLLs, no runtime dependency on a separate .NET or PowerShell module installer.
Encrypted local config — DPAPI on Windows (CurrentUser scope), 0600 file perms with optional encryption on Linux/macOS.
SBOM on request — software bill of materials for the Go agent and API can be generated on request via CycloneDX. Email security@tatersecurity.com.
Phase 2 remote control — every WebRTC session requires explicit end-user consent on the endpoint (PE-3, 30-second fail-closed dialog). Capabilities (input injection, clipboard, recording) are individually toggleable; off by default at every level. Session recording (AU-14) is opt-in, encrypted at rest, 30-day TTL.

Audit log integrity

Every create/update/delete on every TATER entity fires an AuditLog entry with: actor (UPN, OID), action, entity type, entity ID, timestamp (millisecond resolution), and channel (via: web/mcp/copilot/claude/agent/api/cron).
Tamper-evident — set AUDIT_SIGNING_KEY env var to enable HMAC-SHA256 per-entry signatures. Canonical payload: id|tenantId|action|entityType|entityId|userId|timestamp. Verify with openssl dgst -sha256 -hmac KEY.
SIEM forwarding — syslog (RFC 5424 CEF format) or HMAC-signed webhook (X-TATER-Signature: sha256=...). Compatible with Sentinel, QRadar, ArcSight, Splunk, Datadog, Sumo Logic, and more.
CEF injection defense — pipe, backslash, and newline characters in user-supplied audit fields are escaped before CEF construction.

API security & access control

Defense in depth — every write endpoint requires Admin role, every cross-org operation requires SuperAdmin, every API request is rate-limited (general: 100/min, write: 60/min, settings: 120/min, auth: 10/min). Per-IP and per-tenant buckets.
IDOR protection — every PUT/DELETE handler verifies record ownership against the caller's organizationId before acting. Unbound API keys cannot use x-organization-id header to escalate scope (CLAUDE.md §12bp/§12bq).
Cross-partition queries — explicit { forceQueryPlan: true } on every cross-partition Cosmos query so the SDK fans out across all tenants instead of silently routing to a single partition.
SSRF prevention — every webhook destination is validated against an allowlist of public IPs; localhost, link-local, ULA, and private ranges are blocked by urlValidation.ts.
CSP — strict Content Security Policy with frame-ancestors 'none', object-src 'none'. script-src limited to self + alcdn + jsdelivr + unpkg (MSAL CDN fallback chain).

Vulnerability disclosure

Security researchers and customers can report potential vulnerabilities to security@tatersecurity.com. We acknowledge within 1 business day and aim to triage within 5 business days.

Safe harbor — good-faith research is welcome. Please do not run automated scans against our production infrastructure without coordination; reach out first.
Severity tiers — Critical/High vulnerabilities receive a same-day acknowledgment and we work to a fix within 7 days. Medium within 30 days. Low at our discretion.
Disclosure — coordinated disclosure preferred. Public advisories are issued after a fix is deployed; we credit researchers (with permission) in the advisory.
No bug bounty at this time, but we send TATER swag and named credit for valid reports.

SLA & uptime

Target uptime

99.9% monthly for the API and customer-facing app SWA.

RTO

4 hours for the platform; sub-hour for individual tenant data via Cosmos point-in-time restore.

RPO

5 minutes (Cosmos DB continuous backup).

Status page

In progress — will publish at status.tatersecurity.com. Subscribe via the trust mailing list.

Maintenance windows

Communicated 7 days in advance via email and the in-app banner.

Data handling & retention

What we collect — only what is needed to provide the service: scan results (compliance posture), control catalog (mostly default + per-org overlays), audit log entries, optional configuration documentation authored by the customer.
What we don't collect — file contents from scanned endpoints, user passwords (Entra ID handles auth; we never see credentials), browsing history, application telemetry beyond the explicit pageview beacon (90-day TTL, opt-out via browser DNT or cookie).
Retention — audit log entries: indefinite by default, configurable. Telemetry: 90 days. Session recordings (Phase 2 remote control): 30 days. Evidence agent jobs: 30 days. Customer can request deletion at any time.
Deletion — within 30 days of contract termination we hard-delete tenant data from primary storage. Backups age out within the 7-day continuous backup window after the primary delete.
Data export — every container is exportable via API; CSV/JSON download from each module page. POAM exports OMB A-130 / DoD eMASS .xlsx; SSP exports OSCAL JSON or Word .docx.

Contact

Security disclosures

security@tatersecurity.com

Trust / subprocessor notices

trust@tatersecurity.com

Data subject requests (GDPR / CCPA)

privacy@tatersecurity.com

Sales / contract review

Sales page or sales@tatersecurity.com

This page is a public statement. Customer-specific compliance dashboards live at /trust-center.html?orgId=... (per-tenant, requires URL token).