Security at ConductorOne
At ConductorOne, our team is composed of long-time experts in security, identity, and infrastructure, who have built products from the ground up with highly secure environments.
We understand that our own security and privacy practices are mission-critical to our ability to provide modern privileged access and governance for our customers.

Employee Access
- Internal systems use SSO and multi-factor authentication whenever possible
- Secure password vaults are used for storing credentials when SSO is not supported by a system
- Customer API Keys or secrets are not accessible from any internal tooling or dashboards
- Background checks are performed annually for all employees
- Security training is provided annually for all employees

Network
- Employees do not have access to production servers (we only use AWS EKS Managed Node Groups with no remote access)
- No workstations have network access to staging or production environments
- WiFi in offices provides no additional permissions or authorization grants

Data & Infrastructure
- Tenant isolation is ensured through decryption controls within tenant boundaries
- Traffic to ConductorOne is encrypted using TLS 1.2 and greater
- API keys and secrets are encrypted with AWS KMS symmetric keys and encrypted again at rest in storage
- Internal services and traffic use mutual TLS
- Objects are stored and encrypted at rest in AWS DynamoDB
- Internet-facing API services are unable to decrypt data
- Explicit firewall rules govern all service communications
- Services employ highly specific security groups, managed in code

Service Availability
- Our infrastructure is deployed across multiple availability zones (US West2 and US East2)
- Disaster recovery dry-runs are performed annually
- Data in our object store (DynamoDB) is backed up continuously
- Data is replicated across AWS regions

High Level Architecture
