> ## Documentation Index
> Fetch the complete documentation index at: https://tero-0926be64-video-walkthrough.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Overview

> Security, privacy, and compliance posture for Tero-hosted and self-hosted deployments.

export const securityEmail = "security@usetero.com";

<Badge>Last reviewed: March 5, 2026</Badge>
<Badge>Owner: Security + Engineering</Badge>
<Badge>Review cadence: Quarterly</Badge>
<Badge color="orange">Status: In progress</Badge>

You need fast, concrete answers: what Tero operates, what data it handles, where responsibility splits, and what evidence you can get.

## Reviewer focus

* What is live today versus still in progress
* What changes between Tero-hosted and self-hosted deployments
* Where to go next for architecture, ownership, and evidence details

## Implementation status (March 5, 2026)

| Topic               | Status                                                       |
| ------------------- | ------------------------------------------------------------ |
| SOC 2 Type II       | In progress (target: July 2026)                              |
| Encryption          | Enabled in transit and at rest                               |
| Deployment models   | Tero-hosted and self-hosted                                  |
| AI provider options | Hosted default provider plus bring-your-own provider options |

<Note>
  If a control is in progress, we mark it as in progress.
</Note>

## Start your review

<CardGroup cols={3}>
  <Card title="Security Architecture" icon="diagram-project" href="/trust/architecture" horizontal>
    End-to-end request flow, trust boundaries, and control points.
  </Card>

  <Card title="Shared Responsibility" icon="people-arrows" href="/trust/shared-responsibility" horizontal>
    Ownership split by deployment model.
  </Card>

  <Card title="Reviewer Map" icon="list-check" href="/trust/reviewer-map" horizontal>
    Questionnaire topic to page lookup.
  </Card>
</CardGroup>

## Deployment boundary at a glance

| Area                                   | Tero-hosted                           | Self-hosted                           |
| -------------------------------------- | ------------------------------------- | ------------------------------------- |
| Control plane runtime                  | Operated by Tero                      | Operated by customer                  |
| Network perimeter                      | Managed by Tero baseline controls     | Managed by customer                   |
| Data locality control                  | Tero-hosted region model              | Customer-chosen region/infrastructure |
| AI provider path                       | Hosted default and configured options | Customer-controlled provider path     |
| Infrastructure patching and operations | Tero                                  | Customer                              |

## Default hosted data scope

| Data class                                                 | Stored             | Why                                                  |
| ---------------------------------------------------------- | ------------------ | ---------------------------------------------------- |
| Account and workspace configuration                        | Yes                | Service configuration and access control             |
| Telemetry metadata (schemas, field types, volume patterns) | Yes                | Catalog, analysis, and policy generation             |
| Full raw telemetry content                                 | No (default model) | Source of record remains your observability platform |
| Authentication metadata                                    | Yes                | Session and access control                           |
| Billing records (self-service)                             | Limited scope only | Billing operations                                   |

## In practice

* Baseline integration does not require vendor-initiated inbound connectivity into your environment.
* Full raw telemetry is not the default hosted system-of-record data model.
* In self-hosted mode, you own the infrastructure and network control layers.

## Evidence path

| Topic                             | Public evidence                                                                 | Additional evidence (on request)                            |
| --------------------------------- | ------------------------------------------------------------------------------- | ----------------------------------------------------------- |
| Architecture and trust boundaries | [Security Architecture](/trust/architecture)                                    | Architecture walkthrough and control notes                  |
| Responsibility split              | [Shared Responsibility](/trust/shared-responsibility)                           | Deployment-specific control allocation review               |
| Encryption controls               | [Encryption Standard](/trust/policies/encryption-standard)                      | Platform control evidence and security review package       |
| Subprocessors and data handling   | [Subprocessors and Third Parties](/trust/assurance/subprocessors-third-parties) | Subprocessor and data-flow detail under NDA                 |
| AI data handling options          | [AI Data Controls](/trust/controls/ai-data-controls)                            | Deployment-specific model and provider configuration review |

## In progress

* SOC 2 Type II is in progress.
* Target issuance window: July 2026.

<Card title="Request security artifacts" icon="envelope" href={`mailto:${securityEmail}`} horizontal>
  Email **{securityEmail}** with your checklist, deployment model, and review timeline.
</Card>
