Trust Center

Security at every layer

TucDesk's zero-trust architecture encrypts sessions end-to-end, cryptographically signs every audit entry, and gives operators full control over what runs on their infrastructure.

Cryptography: Ed25519 + X25519 + AES-256-GCM
Relay Visibility: 0 relay plaintext visibility
Audit Model: Tamper-evident audit

Encryption

Protocol and identity controls

TucDesk separates identity, transport, session encryption, and audit signing so compromise in one layer does not automatically expose plaintext or administrative control.

Transport: Ed25519 + X25519

  • Every agent generates an Ed25519 identity keypair at install.
  • Registration with rendezvous uses signed payloads.
  • Session establishment uses X25519 ECDH key exchange.
  • Session keys are ephemeral and not persisted.

Session: AES-256-GCM

  • All session traffic is encrypted with AES-256-GCM.
  • Keys are derived with HKDF using the label tucdesk-session-v1.
  • Replay protection uses an LRU and TTL nonce window.
  • Relay nodes receive ciphertext only.
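
As an added example (not TucDesk's code), the Python below shows one way the key derivation and replay window listed above can fit together, using only the standard library. It assumes HKDF-SHA256 with the label passed as the `info` input, a sender timestamp on each message, and hypothetical capacity, TTL and clock-skew values; none of these details are stated on this page.

```python
import hashlib
import hmac
import time
from collections import OrderedDict

LABEL = b"tucdesk-session-v1"  # HKDF label named on the page

def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF. SHA-256 and using the label as `info` are assumptions."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()  # extract step
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                            # expand step
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

class NonceWindow:
    """Replay filter bounded by age (TTL) and by size (oldest entry evicted)."""

    def __init__(self, capacity=4096, ttl=30.0, skew=2.0):  # hypothetical defaults
        self.capacity, self.ttl, self.skew = capacity, ttl, skew
        self._seen = OrderedDict()  # nonce -> receive time, oldest first

    def accept(self, nonce, sent_at, now=None):
        now = time.time() if now is None else now
        # Freshness first: a nonce dropped from the cache is still refused
        # once its timestamp is older than ttl (or too far in the future).
        if not (-self.skew <= now - sent_at <= self.ttl):
            return False
        # Entries older than ttl + skew can no longer pass the freshness
        # check, so forgetting them opens no replay gap.
        horizon = now - (self.ttl + self.skew)
        while self._seen and next(iter(self._seen.values())) < horizon:
            self._seen.popitem(last=False)
        if nonce in self._seen:
            return False  # replay inside the window
        self._seen[nonce] = now
        if len(self._seen) > self.capacity:
            # Size bound: the evicted nonce is replayable until its timestamp
            # ages out, so capacity must exceed peak messages per ttl + skew.
            self._seen.popitem(last=False)
        return True
```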

Identity: No passwords in the data path

  • Agents are identified by cryptographic public key.
  • Operator proofs are EdDSA-signed messages with timestamp.
  • API tokens are short-lived JWTs signed with EdDSA.
  • Master credentials are hashed, never stored in plaintext.

Audit: Tamper-evident logs

  • Every action produces a signed audit entry.
  • Audit key derives from TUCDESK_AUDIT_KEY_SECRET.
  • Entries include actor, action, timestamp, and context.
  • Exports can feed SIEM and compliance workflows.

Data Handling

Cloud and self-hosted boundaries

Data category        | Cloud                              | Self-Hosted
---------------------|------------------------------------|-----------------------------------
Session recordings   | Encrypted at rest in R2            | Encrypted in your MinIO/S3
Audit logs           | Stored in TucDesk Postgres         | Stored in your Postgres
Agent metadata       | TucDesk Postgres                   | Your Postgres
Session traffic      | E2E encrypted, relay has no access | E2E encrypted, relay has no access
Operator credentials | Hashed, TucDesk Postgres           | Hashed, your Postgres
TucDesk visibility   | Analytics, usage, billing          | None at runtime

Open Source

The infrastructure is auditable

API server

  • MIT license, source on GitHub
  • Protocol behavior is documented and testable.

Rendezvous server

  • MIT license, source on GitHub
  • Protocol behavior is documented and testable.

TURN relay

  • MIT license, source on GitHub
  • Protocol behavior is documented and testable.

Compliance

Roadmap and disclosure

Compliance roadmap

  • SOC 2 Type I in progress for Q3 2026.
  • SOC 2 Type II planned for Q1 2027.
  • ISO 27001 planned for 2027.
  • HIPAA BAA available on Enterprise.

Vulnerability disclosure

  • Report issues to security@tucdesk.app.
  • 90-day coordinated disclosure window.
  • Scope includes agent, API, dashboard, rendezvous, and TURN relay.