Security at ConductorOne
At ConductorOne, our team is composed of long-time experts in security, identity, and infrastructure, who have built products from the ground up with highly secure environments.
We understand that our own security and privacy practices are mission-critical to our ability to provide modern privileged access and governance for our customers.
Employee Access
-
Internal systems use SSO and multi-factor authentication whenever possible
-
Secure password vaults are used for storing credentials when SSO is not supported by a system
-
Customer API Keys or secrets are not accessible from any internal tooling or dashboards
-
Background checks are performed annually for all employees
-
Security training is provided annually for all employees
Network
-
Employees do not have access to production servers (we only use AWS EKS Managed Node Groups with no remote access)
-
No workstations have network access to staging or production environments
-
WiFi in offices provides no additional permissions or authorization grants
Data & Infrastructure
-
Tenant isolation is ensured through decryption controls within tenant boundaries
-
Traffic to ConductorOne is encrypted using TLS 1.2 and greater
-
API keys and secrets are encrypted with AWS KMS symmetric keys and encrypted again at rest in storage
-
Internal services and traffic use mutual TLS
-
Objects are stored and encrypted at rest in AWS DynamoDB
-
Internet-facing API services are unable to decrypt data
-
Explicit firewall rules govern all service communications
-
Services employ highly specific security groups, managed in code
Service Availability
-
Our infrastructure is deployed across multiple availability zones (US West2 and US East2)
-
Disaster recovery dry-runs performed annually
-
Data in our object store (DynamoDB) is backed up continuously
-
Data is replicated across AWS regions
High Level Architecture
