A security tool should be secure.
We watch certificates for a living, so we take our own security seriously. Here's how we're building Tidelock — and how to reach us if you spot a problem.
Architecture
Tidelock runs on managed cloud infrastructure with hardened images, no public SSH, and no shared admin credentials. Production access is restricted to a small group of engineers, gated by SSO and short-lived credentials. We use the principle of least privilege — every service gets only the access it strictly needs.
Encryption
All traffic to Tidelock is served over TLS 1.2+ with strong cipher suites. Data is encrypted at rest using industry-standard algorithms. Backups are encrypted with separate keys and stored in a different region from the primary database.
What we store
We store public certificate metadata, your contact preferences, and your account details. We never store private keys, full certificate bodies beyond what's publicly accessible, or any data that isn't already exposed to the public internet. The full breakdown is in the Privacy Policy.
Access controls
Internal access requires SSO with phishing-resistant MFA. Production database access is logged, audited, and approved per session. We rotate credentials on a schedule and immediately when any team member leaves.
Monitoring
We monitor our own infrastructure for unusual activity, failed logins, and anomalous traffic. Critical alerts page someone 24/7. We do what we ask our customers to do: keep eyes on the things that matter.
Dependencies
We track our software dependencies and patch known vulnerabilities promptly — critical issues within 24 hours, others on a regular cadence. Our build pipeline runs automated security checks on every commit.
Compliance
Tidelock is in private beta. Formal certifications (SOC 2, ISO 27001) are on the roadmap once we're past general availability. If you have a compliance requirement that's a blocker for adopting Tidelock, tell us — it helps us prioritize.
Reporting a vulnerability
If you've found a security issue, please email security@tidelock.dev. We aim to acknowledge within 24 hours and resolve high-severity issues within 7 days. Please:
- Give us reasonable time to fix the issue before public disclosure
- Don't access data that isn't yours, and don't degrade service for other users
- Stick to non-destructive testing
In return, we won't pursue legal action against good-faith researchers, and we'll credit you (with your permission) once the fix ships.
General questions? hello@tidelock.dev. Security reports? security@tidelock.dev.