Get the Identity Security Outlook Report

Security at ConductorOne

At ConductorOne, our team is composed of long-time experts in security, identity, and infrastructure, who have built products from the ground up with highly secure environments.

We understand that our own security and privacy practices are mission-critical to our ability to provide modern privileged access and governance for our customers.


Employee Access

  • Internal systems use SSO and multi-factor authentication whenever possible

  • Secure password vaults are used for storing credentials when SSO is not supported by a system

  • Customer API Keys or secrets are not accessible from any internal tooling or dashboards

  • Background checks are performed annually for all employees

  • Security training is provided annually for all employees


  • Employees do not have access to production servers (we only use AWS EKS Managed Node Groups with no remote access)

  • No workstations have network access to staging or production environments

  • WiFi in offices provides no additional permissions or authorization grants

Data & Infrastructure

  • Tenant isolation is ensured through decryption controls within tenant boundaries

  • Traffic to ConductorOne is encrypted using TLS 1.2 and greater

  • API keys and secrets are encrypted with AWS KMS symmetric keys and encrypted again at rest in storage

  • Internal services and traffic use mutual TLS

  • Objects are stored and encrypted at rest in AWS DynamoDB

  • Internet-facing API services are unable to decrypt data

  • Explicit firewall rules govern all service communications

  • Services employ highly specific security groups, managed in code

Service Availability

  • Our infrastructure is deployed across multiple availability zones (US West2 and US East2)

  • Disaster recovery dry-runs performed annually

  • Data in our object store (DynamoDB) is backed up continuously

  • Data is replicated across AWS regions

High Level Architecture


Contact our Security team