TerraBogSecurity & Compliance

Trust Center

Security, Privacy, and
Reliability by Design

TerraBog is built with enterprise-grade security controls to protect your data, ensure compliance, and maintain operational reliability. This page describes our security posture in full.

SOC 2 Type II

GDPR Compliant

HIPAA Ready

DPA Available

AES-256 Encrypted

PII Auto-Masking

Last reviewed: February 2026 · Questions? security@terrabog.com

Jump toSecurity Principles Compliance & Standards Data Protection Infrastructure Access & Identity Incident Response

Security Principles

How we protect your data

TerraBog's security architecture follows a defense-in-depth model with multiple independent controls at every layer.

Data Encryption In Transit and At Rest

All customer data is encrypted at rest using AES-256-GCM and in transit using TLS 1.3+. Encryption keys are managed through Google Cloud KMS with automatic rotation. BigQuery and Cloud SQL encrypt all data at rest by default.

AES-256-GCM · TLS 1.3+ · Google Cloud KMS

Role-Based Access Control

Every resource in TerraBog enforces granular, role-based permissions. Users receive the minimum access required for their function. Privilege escalation requires manager approval and is automatically logged. Access reviews run quarterly.

4 Permission Levels · Quarterly Reviews

Tenant Isolation

Customer data is logically isolated using row-level tenant_id filtering across all tables in BigQuery and Cloud SQL. VPC networks segment production from staging and development. All queries are scoped to the authenticated tenant.

Row-level tenant_id · VPC Segmentation

Continuous Monitoring

All production systems are monitored 24/7 for anomalous behavior, unauthorized access attempts, and performance degradation. Automated alerting routes to the on-call security engineer within five minutes of anomaly detection.

24/7 SOC · < 5 min alert latency

Audit Logging

Every user action, API call, and administrative operation is recorded in append-only, tamper-evident audit logs. Logs are retained for 12 months and are exportable by Enterprise customers for SIEM integration.

12-month retention · Append-only logs

Penetration Testing

TerraBog undergoes annual penetration testing by independent security firms. Critical findings are remediated within 30 days; high-severity within 60 days. Summaries of findings are available to Enterprise customers under NDA.

Annual third-party testing · NDA disclosure

Compliance & Standards

Certifications and regulatory compliance

TerraBog maintains third-party certifications and complies with applicable privacy regulations. Certification documentation is available to enterprise customers under NDA.

Certified

SOC 2

Type II

AICPA Trust Services Criteria

Annual audit conducted by independent third-party auditors. Covers Security, Availability, and Confidentiality Trust Service Criteria across all production systems and processes.

Request SOC 2 Report

Compliant

GDPR

Compliant

EU Regulation 2016/679

Full data subject rights implemented including right to access, rectification, erasure, and portability. Standard Contractual Clauses available for international data transfers outside the EEA.

View Privacy Policy

Ready

HIPAA

Ready

Health Insurance Portability

HIPAA-ready infrastructure with PII auto-detection and masking, encryption at rest and in transit, audit logging, and BAA available for Enterprise customers handling protected health information.

Request BAA

Available

DPA

Available

Data Processing Agreement

Standard Data Processing Agreement available for all customers. Custom DPAs reviewed for Enterprise accounts within 5 business days. Includes full sub-processor list and transfer mechanisms.

Download DPA

Data Protection

Encryption and authentication specifications

Technical specifications for how TerraBog protects data at every layer of the stack.

Encryption at Rest

AlgorithmAES-256-GCM

Key ManagementGoogle Cloud KMS with automatic rotation

Key RotationAutomatic, every 90 days

ScopeAll customer data, BigQuery, Cloud SQL, GCS, and backups

Encryption in Transit

ProtocolTLS 1.3 (1.2 minimum, 1.0 disabled)

CertificateRSA 2048-bit minimum, ECDSA P-256 preferred

HSTSEnforced, max-age 31536000 seconds

Forward SecrecyEnabled on all endpoints

API Authentication

MethodBearer tokens (JWT) and API keys

Token ExpiryAccess: 1 hour · Refresh: 30 days

Webhook SigningHMAC-SHA256 signature verification

Rate LimitingPer-key limits with exponential backoff

Infrastructure & Hosting

Cloud-native, resilient, and redundant

TerraBog's infrastructure is designed for high availability with no single points of failure and fully automated operational procedures.

GCP Cloud-Native Deployment

TerraBog runs on Google Cloud Platform with Cloud Run (auto-scaling containers), BigQuery (data warehouse), Cloud SQL (metadata), and GCS (file storage). Production is deployed in us-central1 with multi-region data residency options available for Enterprise.

GCP

Platform

99.9%

Uptime SLA

Automated Backups

Cloud SQL automated backups run daily with point-in-time recovery. BigQuery data is automatically replicated and durable. GCS objects are stored with multi-region redundancy. All backups are encrypted at rest.

Point-in-time

Recovery

90 days

Retention

Disaster Recovery

Documented disaster recovery procedures define recovery objectives by incident severity. Cross-region failover is rehearsed quarterly in a dedicated staging environment isolated from production.

4 hours

RTO (P1)

Quarterly

DR Tests

Infrastructure as Code

All infrastructure is defined in version-controlled Terraform configurations. Configuration drift is detected in real time. No manual infrastructure changes are permitted in production environments.

100%

IaC Coverage

Automated

Change Control

Access & Identity Controls

Who can access what, and how

TerraBog enforces rigorous access controls from authentication at the perimeter through permissions on individual resources.

Single Sign-On & SCIM

SAML 2.0OIDCSCIM 2.0OktaAzure ADGoogle Workspace

Enterprise SSO via SAML 2.0 or OpenID Connect with SCIM 2.0 directory provisioning. Pre-built connectors for Okta, Azure Active Directory, and Google Workspace. JIT user provisioning and IP allowlist enforcement supported.

Multi-Factor Authentication

TOTPSMSFIDO2 / WebAuthnPasskeys

MFA required for all team member accounts. Supports authenticator apps, SMS, hardware security keys (FIDO2/WebAuthn), and passkeys. Administrators can enforce MFA workspace-wide with no exceptions.

Role-Based Permissions

OwnerAdminAnalystViewer

Four built-in roles with distinct, non-overlapping permission boundaries. Custom roles available on Enterprise. All permission changes are logged. Resource-level access grants supported for sensitive data sources.

Session Management

8-hour idle timeoutDevice managementConcurrent limitsForce revocation

Sessions expire automatically after 8 hours of inactivity. Administrators can enumerate and terminate active sessions across all devices. Configurable concurrent session limits enforced at workspace level.

Incident Response

Defined procedures and transparent communication

All security incidents follow a documented runbook with defined response time objectives at each phase. Customers are kept informed throughout any event that affects their data.

Detection

< 5 min

Automated monitoring systems detect anomalies and issue alerts. All alerts are immediately routed to the on-call security engineer via PagerDuty with full context.

Assessment

< 30 min

On-call engineer triages the alert, determines severity (P1–P4), and activates the appropriate incident response runbook. Initial severity may be upgraded as more information becomes available.

Containment

< 4 hrs (P1)

Affected systems are isolated or quarantined. Automated circuit breakers and rollback procedures are engaged to minimize blast radius and prevent further data exposure.

Notification

< 24 hrs

Affected customers notified per contractual and regulatory requirements within 24 hours of a confirmed data breach. Live status updates posted to status.terrabog.com throughout the event.

Post-Incident

< 5 days

Full root cause analysis completed and remediation report published within five business days. Findings and preventive measures are reviewed with affected customers upon request.

Responsible Disclosure

If you discover a security vulnerability in TerraBog's products or infrastructure, please report it to security@terrabog.com. We acknowledge all reports within 24 hours and aim to resolve critical issues within 30 days. We do not pursue legal action against good-faith researchers.

Report a vulnerability

Security Documentation

Need Detailed Security
Documentation?

Our security team can provide SOC 2 reports, custom DPAs, penetration test summaries, and architecture documentation to support your vendor assessment process.

Contact Our Security Team Download Security Overview

Quick Reference

SOC 2 Type IICertified

GDPRCompliant

HIPAAReady

EncryptionAES-256-GCM

TransportTLS 1.3+

Uptime SLA99.9%

PII MaskingAutomatic

PlatformGCP

security@terrabog.com

TerraBogSecurity & Compliance

Trust Center

Security, Privacy, and
Reliability by Design

TerraBog is built with enterprise-grade security controls to protect your data, ensure compliance, and maintain operational reliability. This page describes our security posture in full.

SOC 2 Type II

GDPR Compliant

HIPAA Ready

DPA Available

AES-256 Encrypted

PII Auto-Masking

Last reviewed: February 2026 · Questions? security@terrabog.com

Jump toSecurity Principles Compliance & Standards Data Protection Infrastructure Access & Identity Incident Response

Security Principles

How we protect your data

TerraBog's security architecture follows a defense-in-depth model with multiple independent controls at every layer.

Data Encryption In Transit and At Rest

AES-256-GCM · TLS 1.3+ · Google Cloud KMS

Role-Based Access Control

4 Permission Levels · Quarterly Reviews

Tenant Isolation

Row-level tenant_id · VPC Segmentation

Continuous Monitoring

24/7 SOC · < 5 min alert latency

Audit Logging

12-month retention · Append-only logs

Penetration Testing

Annual third-party testing · NDA disclosure

Compliance & Standards

Certifications and regulatory compliance

TerraBog maintains third-party certifications and complies with applicable privacy regulations. Certification documentation is available to enterprise customers under NDA.

Certified

SOC 2

Type II

AICPA Trust Services Criteria

Annual audit conducted by independent third-party auditors. Covers Security, Availability, and Confidentiality Trust Service Criteria across all production systems and processes.

Request SOC 2 Report

Compliant

GDPR

Compliant

EU Regulation 2016/679

Full data subject rights implemented including right to access, rectification, erasure, and portability. Standard Contractual Clauses available for international data transfers outside the EEA.

View Privacy Policy

Ready

HIPAA

Ready

Health Insurance Portability

HIPAA-ready infrastructure with PII auto-detection and masking, encryption at rest and in transit, audit logging, and BAA available for Enterprise customers handling protected health information.

Request BAA

Available

DPA

Available

Data Processing Agreement

Standard Data Processing Agreement available for all customers. Custom DPAs reviewed for Enterprise accounts within 5 business days. Includes full sub-processor list and transfer mechanisms.

Download DPA

Data Protection

Encryption and authentication specifications

Technical specifications for how TerraBog protects data at every layer of the stack.

Encryption at Rest

AlgorithmAES-256-GCM

Key ManagementGoogle Cloud KMS with automatic rotation

Key RotationAutomatic, every 90 days

ScopeAll customer data, BigQuery, Cloud SQL, GCS, and backups

Encryption in Transit

ProtocolTLS 1.3 (1.2 minimum, 1.0 disabled)

CertificateRSA 2048-bit minimum, ECDSA P-256 preferred

HSTSEnforced, max-age 31536000 seconds

Forward SecrecyEnabled on all endpoints

API Authentication

MethodBearer tokens (JWT) and API keys

Token ExpiryAccess: 1 hour · Refresh: 30 days

Webhook SigningHMAC-SHA256 signature verification

Rate LimitingPer-key limits with exponential backoff

Infrastructure & Hosting

Cloud-native, resilient, and redundant

TerraBog's infrastructure is designed for high availability with no single points of failure and fully automated operational procedures.

GCP Cloud-Native Deployment

GCP

Platform

99.9%

Uptime SLA

Automated Backups

Point-in-time

Recovery

90 days

Retention

Disaster Recovery

Documented disaster recovery procedures define recovery objectives by incident severity. Cross-region failover is rehearsed quarterly in a dedicated staging environment isolated from production.

4 hours

RTO (P1)

Quarterly

DR Tests

Infrastructure as Code

All infrastructure is defined in version-controlled Terraform configurations. Configuration drift is detected in real time. No manual infrastructure changes are permitted in production environments.

100%

IaC Coverage

Automated

Change Control

Access & Identity Controls

Who can access what, and how

TerraBog enforces rigorous access controls from authentication at the perimeter through permissions on individual resources.

Single Sign-On & SCIM

SAML 2.0OIDCSCIM 2.0OktaAzure ADGoogle Workspace

Multi-Factor Authentication

TOTPSMSFIDO2 / WebAuthnPasskeys

MFA required for all team member accounts. Supports authenticator apps, SMS, hardware security keys (FIDO2/WebAuthn), and passkeys. Administrators can enforce MFA workspace-wide with no exceptions.

Role-Based Permissions

OwnerAdminAnalystViewer

Session Management

8-hour idle timeoutDevice managementConcurrent limitsForce revocation

Incident Response

Defined procedures and transparent communication

All security incidents follow a documented runbook with defined response time objectives at each phase. Customers are kept informed throughout any event that affects their data.

Detection

< 5 min

Automated monitoring systems detect anomalies and issue alerts. All alerts are immediately routed to the on-call security engineer via PagerDuty with full context.

Assessment

< 30 min

On-call engineer triages the alert, determines severity (P1–P4), and activates the appropriate incident response runbook. Initial severity may be upgraded as more information becomes available.

Containment

< 4 hrs (P1)

Affected systems are isolated or quarantined. Automated circuit breakers and rollback procedures are engaged to minimize blast radius and prevent further data exposure.

Notification

< 24 hrs

Affected customers notified per contractual and regulatory requirements within 24 hours of a confirmed data breach. Live status updates posted to status.terrabog.com throughout the event.

Post-Incident

< 5 days

Full root cause analysis completed and remediation report published within five business days. Findings and preventive measures are reviewed with affected customers upon request.

Responsible Disclosure

Report a vulnerability

Security Documentation

Need Detailed Security
Documentation?

Our security team can provide SOC 2 reports, custom DPAs, penetration test summaries, and architecture documentation to support your vendor assessment process.

Contact Our Security Team Download Security Overview

Quick Reference

SOC 2 Type IICertified

GDPRCompliant

HIPAAReady

EncryptionAES-256-GCM

TransportTLS 1.3+

Uptime SLA99.9%

PII MaskingAutomatic

PlatformGCP

security@terrabog.com

Security, Privacy, and Reliability by Design

How we protect your data

Data Encryption In Transit and At Rest

Role-Based Access Control

Tenant Isolation

Continuous Monitoring

Audit Logging

Penetration Testing

Certifications and regulatory compliance

Encryption and authentication specifications

Encryption at Rest

Encryption in Transit

API Authentication

Cloud-native, resilient, and redundant

GCP Cloud-Native Deployment

Automated Backups

Disaster Recovery

Infrastructure as Code

Who can access what, and how

Single Sign-On & SCIM

Multi-Factor Authentication

Role-Based Permissions

Session Management

Defined procedures and transparent communication

Detection

Assessment

Containment

Notification

Post-Incident

Need Detailed Security Documentation?

Security, Privacy, and Reliability by Design

How we protect your data

Data Encryption In Transit and At Rest

Role-Based Access Control

Tenant Isolation

Continuous Monitoring

Audit Logging

Penetration Testing

Certifications and regulatory compliance

Encryption and authentication specifications

Encryption at Rest

Encryption in Transit

API Authentication

Cloud-native, resilient, and redundant

GCP Cloud-Native Deployment

Automated Backups

Disaster Recovery

Infrastructure as Code

Who can access what, and how

Single Sign-On & SCIM

Multi-Factor Authentication

Role-Based Permissions

Session Management

Defined procedures and transparent communication

Detection

Assessment

Containment

Notification

Post-Incident

Need Detailed Security Documentation?

Security, Privacy, and
Reliability by Design

Need Detailed Security
Documentation?

Security, Privacy, and
Reliability by Design

Need Detailed Security
Documentation?