TerraBog Security & Compliance

Trust Center

Security, Privacy, and Reliability by Design

TerraBog is built with enterprise-grade security controls to protect your data, ensure compliance, and maintain operational reliability. This page describes our security posture in full.

SOC 2 Type II
GDPR Compliant
ISO 27001 Pending
DPA Available
AES-256 Encrypted
TLS 1.3 (1.2 minimum)

Last reviewed: February 2026 · Questions? security@terrabog.com


Security Principles

How we protect your data

TerraBog's security architecture follows a defense-in-depth model with multiple independent controls at every layer.

Data Encryption In Transit and At Rest

All customer data is encrypted at rest using AES-256-GCM and in transit using TLS 1.3 (TLS 1.2 minimum). Encryption keys are managed through AWS KMS, backed by FIPS 140-2 Level 2 validated hardware security modules, and are rotated on a 90-day schedule.

AES-256-GCM · TLS 1.3 · AWS KMS

Role-Based Access Control

Every resource in TerraBog enforces granular, role-based permissions. Users receive the minimum access required for their function. Privilege escalation requires manager approval and is automatically logged. Access reviews run quarterly.

4 Permission Levels · Quarterly Reviews

Infrastructure Isolation

Customer data is logically isolated at the database and storage layer using dedicated schemas and scoped credentials. Strict VPC segmentation prevents cross-tenant access. Production environments are fully isolated from staging and development.

Logical Isolation · VPC Segmentation

Continuous Monitoring

All production systems are monitored 24/7 for anomalous behavior, unauthorized access attempts, and performance degradation. Automated alerting routes to the on-call security engineer within five minutes of anomaly detection.

24/7 SOC · < 5 min alert latency

Audit Logging

Every user action, API call, and administrative operation is recorded in append-only, tamper-evident audit logs. Logs are retained for 12 months and are exportable by Enterprise customers for SIEM integration.

12-month retention · Append-only logs

Penetration Testing

TerraBog undergoes annual penetration testing by independent security firms. Critical findings are remediated within 30 days; high-severity within 60 days. Summaries of findings are available to Enterprise customers under NDA.

Annual third-party testing · NDA disclosure

Compliance & Standards

Certifications and regulatory compliance

TerraBog maintains third-party certifications and complies with applicable privacy regulations. Certification documentation is available to Enterprise customers under NDA.

SOC 2 Type II (Certified)

AICPA Trust Services Criteria

Annual audit conducted by independent third-party auditors. Covers the Security, Availability, and Confidentiality Trust Services Criteria across all production systems and processes.

Request SOC 2 Report

GDPR (Compliant)

EU Regulation 2016/679

Full data subject rights implemented, including the rights of access, rectification, erasure, and portability. Standard Contractual Clauses available for international data transfers outside the EEA.

View Privacy Policy

ISO/IEC 27001:2022 (Assessment in progress; certification planned Q3 2026)

Formal ISO/IEC 27001:2022 assessment is underway. Information Security Management System documentation is available to prospective Enterprise customers under NDA upon request.

DPA (Available)

Data Processing Agreement

Standard Data Processing Agreement available to all customers. Custom DPAs for Enterprise accounts are reviewed within 5 business days. Includes the full sub-processor list and transfer mechanisms.

Download DPA

Data Protection

Encryption and authentication specifications

Technical specifications for how TerraBog protects data at every layer of the stack.

Encryption at Rest

Algorithm: AES-256-GCM
Key Management: AWS KMS (FIPS 140-2 Level 2 validated HSMs)
Key Rotation: Automatic, every 90 days
Scope: All customer data, including databases, file storage, and backups

Encryption in Transit

Protocol: TLS 1.3 preferred; TLS 1.2 minimum; TLS 1.0 and 1.1 disabled
Certificate: RSA 2048-bit minimum; ECDSA P-256 preferred
HSTS: Enforced, max-age 31536000 seconds (one year)
Forward Secrecy: Enabled on all endpoints (ephemeral key exchange)

API Authentication

Method: Bearer tokens (JWT) and API keys
Token Expiry: Access tokens 1 hour; refresh tokens 30 days
Webhook Signing: HMAC-SHA256 signature on every webhook delivery, verifiable by the receiver
Rate Limiting: Per-key request limits; throttled clients are expected to retry with exponential backoff
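The table states that webhooks carry an HMAC-SHA256 signature but not the wire format. The block below is an added example, not TerraBog's own code or SDK, showing how a receiver should verify such a signature and why it must be done over the raw request body with a constant-time comparison. The header names `X-TerraBog-Signature` and `X-TerraBog-Timestamp`, the `v1=<hex>` encoding, the `"<timestamp>.<body>"` message layout, and the 5-minute replay window are all assumptions made for illustration; the real header names and format come from the API documentation, not from this page.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Header names and encoding are ASSUMED for this example; the trust center page
# only states "HMAC-SHA256 signature verification".
SIGNATURE_HEADER = "X-TerraBog-Signature"
TIMESTAMP_HEADER = "X-TerraBog-Timestamp"
TOLERANCE_SECONDS = 300  # replay window chosen for this example


def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> str:
    """Sender side: HMAC-SHA256 over '<timestamp>.<raw body>' (assumed layout).

    Binding the timestamp into the MAC means a captured delivery cannot simply be
    re-sent later with a fresh timestamp header.
    """
    message = str(timestamp).encode("ascii") + b"." + body
    digest = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return f"v1={digest}"


def verify_webhook(secret: bytes, body: bytes, headers: dict,
                   now: Optional[int] = None) -> bool:
    """Receiver side. True only if the signature is valid AND the timestamp is fresh.

    The MAC is computed over the RAW bytes as received. Re-serialising a parsed
    JSON object (key order, whitespace) changes the bytes and breaks verification.
    """
    now = int(time.time()) if now is None else now
    ts_raw = headers.get(TIMESTAMP_HEADER)
    sig_header = headers.get(SIGNATURE_HEADER, "")
    if ts_raw is None or not sig_header:
        return False
    try:
        timestamp = int(ts_raw)
    except ValueError:
        return False
    # Reject stale or future-dated deliveries to bound replay.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    # A header may carry several signatures during secret rotation: "v1=aaa,v1=bbb".
    presented = [s.split("=", 1)[1] for s in sig_header.split(",") if s.startswith("v1=")]
    if not presented:
        return False
    expected = sign_webhook(secret, body, timestamp).split("=", 1)[1]
    # Constant-time comparison on bytes: never use == on MACs.
    return any(hmac.compare_digest(expected.encode(), p.encode()) for p in presented)


def demo() -> dict:
    """Constructed delivery (secret, body, timestamp are made up) exercising each failure mode."""
    secret = b"whsec_example_secret_not_real"
    body = json.dumps({"event": "dataset.exported", "id": "ds_123"}).encode()
    ts = 1_700_000_000
    headers = {TIMESTAMP_HEADER: str(ts), SIGNATURE_HEADER: sign_webhook(secret, body, ts)}
    tampered = body.replace(b"ds_123", b"ds_999")
    return {
        "valid": verify_webhook(secret, body, headers, now=ts + 10),
        "tampered_body": verify_webhook(secret, tampered, headers, now=ts + 10),
        "replayed_late": verify_webhook(secret, body, headers, now=ts + 3600),
        "wrong_secret": verify_webhook(b"other-secret", body, headers, now=ts + 10),
    }


if __name__ == "__main__":
    print(demo())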

Infrastructure & Hosting

Cloud-native, resilient, and redundant

TerraBog's infrastructure is designed for high availability with no single points of failure and fully automated operational procedures.

Multi-Region Deployment

TerraBog operates across three AWS regions: us-east-1 (primary), eu-west-1 (EU data residency option), and ap-southeast-1. Traffic is automatically routed to the nearest healthy region.

3 Active Regions · 99.99% Uptime SLA

Automated Backups

Full database snapshots run every 6 hours. Incremental backups every 15 minutes. All backups are encrypted, replicated cross-region, and retained for 90 days with point-in-time restore.

15 min RPO · 90 days Retention

Disaster Recovery

Documented disaster recovery procedures define recovery objectives by incident severity. Cross-region failover is rehearsed quarterly in a dedicated staging environment isolated from production.

4 hours RTO (P1) · Quarterly DR Tests

Infrastructure as Code

All infrastructure is defined in version-controlled Terraform configurations. Configuration drift is detected in real time. No manual infrastructure changes are permitted in production environments.

100% IaC Coverage · Automated Change Control

Access & Identity Controls

Who can access what, and how

TerraBog enforces rigorous access controls from authentication at the perimeter through permissions on individual resources.

Single Sign-On

SAML 2.0 · OIDC · Okta · Azure AD · Google Workspace

Enterprise SSO via SAML 2.0 or OpenID Connect. Pre-built connectors for Okta, Azure Active Directory (now Microsoft Entra ID), and Google Workspace. Available on all Enterprise plans. Just-in-time (JIT) user provisioning supported.

Multi-Factor Authentication

TOTP · SMS · FIDO2 / WebAuthn · Passkeys

MFA required for all team member accounts. Supports authenticator apps (TOTP), SMS, hardware security keys (FIDO2/WebAuthn), and passkeys. Of these, FIDO2/WebAuthn and passkeys are phishing-resistant; SMS is the weakest factor and is best treated as a fallback rather than a primary method. Administrators can enforce MFA workspace-wide with no exceptions.

Role-Based Permissions

Owner · Admin · Analyst · Viewer

Four built-in roles, each with a distinct permission boundary. Custom roles available on Enterprise. All permission changes are logged. Resource-level access grants supported for sensitive data sources.

Session Management

8-hour idle timeout · Device management · Concurrent limits · Force revocation

Sessions expire automatically after 8 hours of inactivity. Administrators can enumerate and terminate active sessions across all devices. Configurable concurrent session limits enforced at workspace level.

Incident Response

Defined procedures and transparent communication

All security incidents follow a documented runbook with defined response time objectives at each phase. Customers are kept informed throughout any event that affects their data.

01 · Detection (< 5 min)

Automated monitoring systems detect anomalies and issue alerts. All alerts are immediately routed to the on-call security engineer via PagerDuty with full context.

02 · Assessment (< 30 min)

The on-call engineer triages the alert, determines severity (P1–P4), and activates the appropriate incident response runbook. Initial severity may be upgraded as more information becomes available.

03 · Containment (< 4 hrs for P1)

Affected systems are isolated or quarantined. Automated circuit breakers and rollback procedures are engaged to minimize blast radius and prevent further data exposure.

04 · Notification (< 24 hrs)

Affected customers are notified per contractual and regulatory requirements within 24 hours of a confirmed data breach. Live status updates are posted to status.terrabog.com throughout the event.

05 · Post-Incident (< 5 business days)

Full root cause analysis is completed and a remediation report published within five business days. Findings and preventive measures are reviewed with affected customers upon request.

Responsible Disclosure

If you discover a security vulnerability in TerraBog's products or infrastructure, please report it to security@terrabog.com. We acknowledge all reports within 24 hours and aim to resolve critical issues within 30 days. We do not pursue legal action against good-faith researchers.

Report a vulnerability

Security Documentation

Need Detailed Security Documentation?

Our security team can provide SOC 2 reports, custom DPAs, penetration test summaries, and architecture documentation to support your vendor assessment process.

Quick Reference

SOC 2 Type II: Certified
GDPR: Compliant
ISO 27001: Assessment in progress (certification planned Q3 2026)
Encryption at Rest: AES-256-GCM
Transport: TLS 1.3 (1.2 minimum)
Uptime SLA: 99.99%
Pen Test: Annual
Data Residency: US / EU