Security posture

How we secure Control One

Last updated: 2026-04-25

Encryption

TLS 1.3 for all traffic in transit. Credentials, API keys, and SSH CA private keys are encrypted at rest with AES-256-GCM. Stored secrets are write-only: once saved, they are never shown to an operator in plaintext again.

Authentication

OIDC for human users; mTLS for nodes. WebAuthn (FIDO2) and TOTP for step-up MFA on the highest-risk actions. Bastion access uses short-lived SSH certificates issued per session.
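The per-session SSH certificate model above, as an added illustration that is not Control One's own tooling: it creates a throwaway CA, signs a fresh session key with a single principal and a ten-minute validity window, and reads the result back with ssh-keygen -L. The CA and key names, the principal "alice", the session id and the TTL are assumptions chosen for the example.

```shell
#!/bin/sh
# Added illustration of per-session, short-lived SSH user certificates.
# Not Control One's code: the CA, key names, principal, session id and TTL
# below are assumptions chosen for the example. Requires ssh-keygen (OpenSSH).
set -eu

command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hypothetical bastion CA and a fresh per-session user key (in practice the
# client generates the session key and submits only the public half).
ssh-keygen -q -t ed25519 -N '' -f "$WORK/bastion_ca" -C 'bastion-ca (example)'
ssh-keygen -q -t ed25519 -N '' -f "$WORK/session_key" -C 'session (example)'

# issue_session_cert PRINCIPAL SESSION_ID
# Signs the session public key with the CA. The key id carries the session id
# (it shows up in sshd's auth log), the principal is pinned to one login name,
# validity runs from 1 minute ago (clock skew) to 10 minutes ahead, and all
# permissions are cleared before re-enabling only a PTY: no agent, X11 or
# port forwarding through a bastion hop. Prints the path of the issued cert.
issue_session_cert() {
  ssh-keygen -q -s "$WORK/bastion_ca" \
    -I "$2" -n "$1" -V '-1m:+10m' \
    -O clear -O permit-pty \
    "$WORK/session_key.pub"
  echo "$WORK/session_key-cert.pub"
}

# The checks below parse `ssh-keygen -L`; a reviewer of the bastion's
# issuance policy would apply the same ones to a sampled certificate.
cert_key_id()   { ssh-keygen -L -f "$1" | sed -n 's/^[[:space:]]*Key ID: *"\(.*\)"$/\1/p'; }
cert_validity() { ssh-keygen -L -f "$1" | sed -n 's/^[[:space:]]*Valid: *//p'; }

# Succeeds if PRINCIPAL is listed in the certificate's Principals block.
cert_has_principal() {
  ssh-keygen -L -f "$1" | sed -n '/^[[:space:]]*Principals:/,/^[[:space:]]*Critical Options:/p' \
    | grep -qE "^[[:space:]]*$2[[:space:]]*$"
}

# Number of enabled extensions; a bastion cert should have exactly 1 (permit-pty).
cert_extension_count() {
  ssh-keygen -L -f "$1" | sed -n '/^[[:space:]]*Extensions:/,$p' | tail -n +2 | grep -c . || true
}

CERT=$(issue_session_cert alice sess-2026-04-25-0001)
echo "issued:     $CERT"
echo "key id:     $(cert_key_id "$CERT")"
echo "valid:      $(cert_validity "$CERT")"
echo "extensions: $(cert_extension_count "$CERT")"
```

On the server side the CA's public key goes into sshd's TrustedUserCAKeys, and an AuthorizedPrincipalsFile (or the login name itself) decides which principal a certificate may log in as; the short validity window means revocation is rarely needed, but the CA private key is the crown jewel, which is why the page lists it among the secrets encrypted at rest.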

Audit + observability

Append-only audit log mapped to SOC 2 Common Criteria and ISO 27001 Annex A controls. OpenTelemetry traces. Tamper-evident session recordings.

Vulnerability handling

Report vulnerabilities to [email protected]. We acknowledge within 24 hours and aim for fix or mitigation within 7 days for critical findings.

Compliance posture

The platform is mapped to SOC 2 Type II, ISO 27001:2022, CIS Benchmarks, and PCI DSS. Customer evidence packs export from the operator console.

Coordinated disclosure

We credit reporters in our security advisories with their consent. No bug bounty programme yet — direct rewards considered case by case.