Our commitment to security
Security is fundamental to Triform. We implement industry-standard practices to protect your Projects, data, and credentials.
Data encryption
At rest
All data stored in Triform is encrypted using AES-256 encryption. Encrypted data includes:
- Project code and configurations
- Execution logs and traces
- Project Variables
- API keys
- User information
In transit
All communication with Triform uses TLS 1.2+ encryption. Encrypted connections:
- Web interface (HTTPS)
- API requests (HTTPS)
- Webhook callbacks (HTTPS)
- Database connections (encrypted)
- Internal service communication (mutual TLS)
Authentication
Supported methods
OAuth 2.0 providers:
- Discord
- GitHub
Benefits of provider-based sign-in:
- No password management burden
- Leverage provider security (2FA, etc.)
- Single sign-on capabilities
Session management
Security features:
- Sessions expire after inactivity
- IP address validation (optional)
- Device fingerprinting
- Concurrent session limits
- View active sessions
- Revoke individual sessions
- Revoke all sessions (sign out everywhere)
Two-factor authentication (2FA)
Strongly recommended for:
- Organization Admins
- Users with deployment permissions
- Users handling sensitive Projects
Supported 2FA methods:
- Authenticator apps (TOTP)
- SMS (where available)
- Backup codes
Authorization
Role-based access control (RBAC)
Organization roles:
- Admin — Full access
- Editor — Create, edit, execute
- Viewer — Read-only
Project-level access:
- Fine-grained per-Project overrides
- Specific user grants
- Temporary access grants
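An added example, not Triform's own code, of how these layers can be resolved into one effective permission set for a user on a Project. The page names the roles and the override types; the individual permission names, the precedence (a per-Project override replaces the organization role for that Project; grants add single permissions; an expired temporary grant is ignored) and the class API are assumptions made for this illustration.

```python
from datetime import datetime, timedelta, timezone

# Permission sets per organization role. The page describes the roles (Admin:
# full access; Editor: create, edit, execute; Viewer: read-only); the
# individual permission names are assumptions for this example.
ROLE_PERMISSIONS = {
    "Admin": frozenset({"read", "create", "edit", "execute", "deploy", "manage_members"}),
    "Editor": frozenset({"read", "create", "edit", "execute"}),
    "Viewer": frozenset({"read"}),
}


class AccessPolicy:
    """Resolves what a user may do on one Project.

    Assumed precedence: a per-Project role override replaces the organization
    role for that Project only; user grants add single permissions on top; a
    grant with an expiry stops applying once it has passed. A user with no
    role and no grants gets nothing (deny by default).
    """

    def __init__(self):
        self.org_roles = {}        # user -> role
        self.project_roles = {}    # (user, project) -> overriding role
        self.grants = []           # {"user", "project", "permission", "expires_at"}

    @staticmethod
    def _check_role(role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")

    def set_org_role(self, user, role):
        self._check_role(role)
        self.org_roles[user] = role

    def override_project_role(self, user, project, role):
        self._check_role(role)
        self.project_roles[(user, project)] = role

    def grant(self, user, project, permission, ttl_seconds=None):
        """Specific user grant; pass ttl_seconds to make it temporary."""
        expires_at = None
        if ttl_seconds is not None:
            expires_at = datetime.now(timezone.utc) + timedelta(seconds=ttl_seconds)
        self.grants.append({"user": user, "project": project,
                            "permission": permission, "expires_at": expires_at})

    def permissions(self, user, project, now=None):
        """Effective permission set for `user` on `project` at time `now`."""
        now = now or datetime.now(timezone.utc)
        role = self.project_roles.get((user, project), self.org_roles.get(user))
        perms = set(ROLE_PERMISSIONS.get(role, ()))
        for g in self.grants:
            if g["user"] != user or g["project"] != project:
                continue
            if g["expires_at"] is not None and now >= g["expires_at"]:
                continue               # temporary grant has lapsed
            perms.add(g["permission"])
        return frozenset(perms)

    def is_allowed(self, user, project, permission, now=None):
        return permission in self.permissions(user, project, now)
```

Resolving permissions at request time (rather than caching them on the session) is what lets a revoked override or a lapsed temporary grant take effect immediately.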
API key security
Best practices enforced:
- Keys are hashed in storage (irreversible)
- Keys shown only once upon creation
- Keys can be scoped to specific Projects
- Keys can be restricted by permissions
- Keys can expire automatically
- Key usage is logged
Your responsibilities:
- Store keys securely (environment variables, secret managers)
- Rotate keys regularly (90-day recommendation)
- Revoke unused keys
- Never commit to version control
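As an added illustration of how the enforced properties above fit together (this is not Triform's code): the plaintext key is returned exactly once at creation, only a SHA-256 digest is stored, and every authorization decision (secret match, revocation, expiry, Project scope, permission) is written to a usage log. The tf_ prefix, the field names and the in-memory tables are assumptions for this example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed in-memory tables standing in for a database; the field names
# are assumptions for this example, not Triform's schema.
KEY_STORE = {}
USAGE_LOG = []


def _digest(secret: str) -> str:
    # The secret carries 256 bits of entropy, so a plain SHA-256 is enough:
    # there is nothing to brute-force, and a leaked table yields no usable keys.
    return hashlib.sha256(secret.encode()).hexdigest()


def create_api_key(project_id, permissions, ttl_days=90):
    """Mint a key scoped to one Project and one permission set.

    The plaintext is returned exactly once; only its hash is kept, so it can
    neither be displayed again nor recovered from storage."""
    key_id = secrets.token_hex(8)          # public identifier, safe to log
    secret = secrets.token_urlsafe(32)     # private part, never stored
    KEY_STORE[key_id] = {
        "hash": _digest(secret),
        "project_id": project_id,
        "permissions": frozenset(permissions),
        "expires_at": datetime.now(timezone.utc) + timedelta(days=ttl_days),
        "revoked": False,
    }
    return f"tf_{key_id}_{secret}"         # "tf_" prefix is an assumed convention


def revoke_api_key(key_id):
    if key_id in KEY_STORE:
        KEY_STORE[key_id]["revoked"] = True


def authorize(presented, project_id, permission, now=None):
    """Return (allowed, reason). Every decision is appended to USAGE_LOG."""
    now = now or datetime.now(timezone.utc)
    parts = presented.split("_", 2)        # key_id is hex, so it contains no "_"
    key_id = parts[1] if len(parts) == 3 and parts[0] == "tf" else None
    record = KEY_STORE.get(key_id)
    if record is None:
        reason = "unknown key"
    elif not hmac.compare_digest(_digest(parts[2]), record["hash"]):
        reason = "bad secret"              # constant-time compare, no early exit
    elif record["revoked"]:
        reason = "revoked"
    elif now >= record["expires_at"]:
        reason = "expired"
    elif record["project_id"] != project_id:
        reason = "wrong project"
    elif permission not in record["permissions"]:
        reason = "permission not granted"
    else:
        reason = "ok"
    USAGE_LOG.append({"at": now.isoformat(), "key_id": key_id, "project": project_id,
                      "permission": permission, "result": reason})
    return reason == "ok", reason
```

Because the stored digest is the only thing the server keeps, rotating a key means minting a new one and revoking the old; there is no "show me the key again" path to protect.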
Network security
API security
Protection mechanisms:
- Rate limiting (prevents abuse)
- DDoS mitigation
- Input validation and sanitization
- Anomaly detection
- Suspicious activity alerts
- Failed authentication tracking
Webhook security
Verification options:
- API key authentication
- Timestamp validation
- Nonce tracking
- Request idempotency
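The following is an added example of a receiver that applies the four checks above in order; it is not Triform's implementation. The header names, the five-minute tolerance, the Unix-seconds timestamp format and the in-memory nonce store are assumptions made for this example. A repeated nonce is treated as a duplicate delivery: the handler is not run again and the original result is returned, which makes retries safe without giving a replayed message any new effect.

```python
import hmac
import time

# Assumed header names and window for this example; the page does not state
# Triform's actual header names or tolerances.
KEY_HEADER = "X-Api-Key"
TS_HEADER = "X-Timestamp"        # Unix seconds, set by the sender
NONCE_HEADER = "X-Nonce"         # unique per delivery, reused on retries of that delivery
MAX_SKEW_SECONDS = 300


class WebhookReceiver:
    """Verifies an inbound webhook and processes each delivery at most once."""

    def __init__(self, expected_key, handler, max_skew=MAX_SKEW_SECONDS):
        self._expected_key = expected_key.encode()
        self._handler = handler           # called once per distinct delivery
        self._max_skew = max_skew
        self._seen = {}                   # nonce -> time after which it may be forgotten
        self._results = {}                # nonce -> handler result, returned to duplicates

    def handle(self, headers, body, now=None):
        """Return (status, message). Checks run cheapest-first and stop at the first failure."""
        now = time.time() if now is None else now

        # 1. API key: constant-time comparison, so a wrong key cannot be refined byte by byte.
        presented = headers.get(KEY_HEADER, "").encode()
        if not hmac.compare_digest(presented, self._expected_key):
            return 401, "invalid api key"

        # 2. Timestamp: stale or far-future deliveries are rejected outright.
        try:
            sent_at = int(headers.get(TS_HEADER, ""))
        except ValueError:
            return 400, "missing or malformed timestamp"
        if abs(now - sent_at) > self._max_skew:
            return 400, "timestamp outside accepted window"

        # 3. Nonce: a delivery we have already seen is not processed a second time.
        nonce = headers.get(NONCE_HEADER, "")
        if not nonce:
            return 400, "missing nonce"
        self._forget_expired(now)
        if nonce in self._seen:
            return 200, self._results[nonce]     # 4. idempotent: same answer, no side effects

        # Remember the nonce for as long as its timestamp could still pass check 2;
        # after that, the timestamp check alone rejects any replay.
        self._seen[nonce] = sent_at + self._max_skew
        result = self._handler(body)
        self._results[nonce] = result
        return 200, result

    def _forget_expired(self, now):
        for nonce, keep_until in list(self._seen.items()):
            if now > keep_until:
                del self._seen[nonce]
                self._results.pop(nonce, None)
```

The nonce store only needs to cover the timestamp window, which keeps it bounded: anything older is rejected by the timestamp check before the nonce is even consulted.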
Code execution security
Sandboxed execution
Actions run in isolated environments. Isolation features:
- Separate containers per execution
- No persistent file system
- Limited network access
- Resource quotas (CPU, memory, time)
- No access to Triform internals
Actions cannot:
- Access other users’ data
- Modify Triform infrastructure
- Persist data between executions (unless using provided storage)
- Execute arbitrary system commands
- Fork processes or spawn daemons
Dependency security
Automated scanning:
- Check for known vulnerabilities in dependencies
- Alert on critical CVEs
- Suggest updates for vulnerable packages
Recommended practices:
- Keep dependencies updated
- Review security advisories
- Avoid deprecated packages
- Audit third-party packages
Code review
Recommended for sensitive Projects:
- Peer review before deployment
- Automated security scanning
- Manual audit of high-risk components
Vulnerability management
Responsible disclosure
Found a security issue? We appreciate responsible disclosure.
Reporting:
- Email: security@triform.ai
- Include detailed description
- Steps to reproduce (if applicable)
- Potential impact assessment
We will:
- Acknowledge within 24 hours
- Triage and investigate promptly
- Keep you informed of progress
- Credit you in our security updates (unless anonymous)
Please do not:
- Publicly disclose before we’ve patched
- Exploit the vulnerability
- Access other users’ data
Security updates
Communication:
- Critical issues: Email all users immediately
- High severity: Status page + email within 24 hours
- Medium/low: Included in regular updates
Patch timelines:
- Critical vulnerabilities: Emergency patch within hours
- High severity: Patch within 7 days
- Medium/low: Patch in next regular release
Incident response
Detection
Monitoring systems:
- Failed authentication attempts
- Unusual API usage patterns
- Data exfiltration attempts
- Privilege escalation attempts
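As an added example of the first of these monitors (not Triform's detection code): a sliding-window rule run over constructed sample log lines in an assumed key=value format. It raises one alert per source address that reaches five failed authentications within a minute and lists the distinct accounts involved, which is what separates guessing at one account from spraying across many. The log format, regex, threshold and window are all assumptions for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample lines in an assumed "key=value" format; this page does not
# show Triform's real log format, so the regex below is an assumption too.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z auth=fail ip=203.0.113.7 user=alice
2024-05-01T10:00:03Z auth=fail ip=203.0.113.7 user=alice
2024-05-01T10:00:04Z auth=ok   ip=198.51.100.2 user=bob
2024-05-01T10:00:05Z auth=fail ip=203.0.113.7 user=alice
2024-05-01T10:00:06Z auth=fail ip=203.0.113.7 user=carol
2024-05-01T10:00:07Z auth=fail ip=203.0.113.7 user=dave
2024-05-01T10:02:00Z auth=fail ip=198.51.100.2 user=bob
2024-05-01T10:09:00Z auth=fail ip=198.51.100.2 user=bob
this line is not in the expected format
"""

LINE_RE = re.compile(r"^(\S+)\s+auth=(ok|fail)\s+ip=(\S+)\s+user=(\S+)$")


def parse_line(line):
    """Return (timestamp, outcome, ip, user) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3), m.group(4)


def detect_failed_auth_bursts(lines, threshold=5, window_seconds=60):
    """Raise one alert per source IP that reaches `threshold` failed
    authentications inside any `window_seconds` sliding window. The alert lists
    the distinct accounts hit, which separates a single-account guess from a
    spray across many users."""
    recent = defaultdict(deque)      # ip -> deque of (timestamp, user) inside the window
    alerts, already_alerted = [], set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                 # unparseable lines are skipped, not fatal
        ts, outcome, ip, user = parsed
        if outcome != "fail":
            continue
        window = recent[ip]
        window.append((ts, user))
        # Drop entries older than the window; the just-appended entry keeps the loop finite.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in already_alerted:
            already_alerted.add(ip)
            alerts.append({
                "ip": ip,
                "failures": len(window),
                "users": sorted({u for _, u in window}),
                "first": window[0][0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts
```

On the sample, the 203.0.113.7 source trips the rule at its fifth failure across three accounts, while the two failures from 198.51.100.2 seven minutes apart stay below the default threshold; lowering the threshold or widening the window would surface slow, low-rate attempts at the cost of more noise.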
Response process
- Detect & triage — Identify and assess severity
- Contain — Limit impact, isolate affected systems
- Investigate — Determine root cause and scope
- Remediate — Fix vulnerability, restore service
- Communicate — Inform affected users
- Learn — Post-mortem, improve processes
User notification
We notify if:
- Data breach occurs
- Unauthorized access detected
- Service compromise affects your Projects
Notifications include:
- What happened
- What data was affected
- What we’ve done
- What you should do
User security responsibilities
Account security
Use strong passwords — If using email authentication
Monitor sessions — Review and revoke suspicious sessions
Keep email secure — Your account recovery method
API key security
Never commit keys to git — Use environment variables
Rotate keys regularly — Every 90 days recommended
Scope keys minimally — Only grant needed permissions
Revoke unused keys — Reduce attack surface
Code security
Validate inputs — Don’t trust external data
Sanitize outputs — Prevent injection attacks
Review dependencies — Check for vulnerabilities
Keep secrets in Project Variables — Never hardcode
Organization security
Audit members regularly — Remove ex-employees
Follow least privilege — Grant minimum necessary permissions
Security features roadmap
Coming soon:
- SSO/SAML support (Enterprise)
- Advanced threat detection
- Custom security policies
- Bring Your Own Key (BYOK) encryption
- Enhanced audit logging
- Security compliance dashboards
Security resources
Contact
Security issues: security@triform.ai
General support: Join our Discord community
External resources
Questions?
If you have security questions or concerns:
- Review the security documentation
- Contact security@triform.ai
- For Enterprise, contact your account manager