Security
Security isn't a feature bolted on afterwards — it's the architecture. Here's how we protect your infrastructure and your data.
The agent dials out over TLS. Port 22 stays closed — there's nothing to port-scan or brute-force.
Access is just-in-time and time-boxed. With no long-lived keys, there's nothing to harvest or reuse.
All traffic is encrypted with TLS in transit, and sensitive data is encrypted at rest.
Every session is captured and replayable, tied to the user, host and policy that authorized it.
Least-privilege roles map users to hosts and actions, so people get only what they need.
Run the control plane in your own infrastructure so recordings, metrics and audit logs never leave.
Subnomic follows Zero Trust principles: no host is reachable by default and no access is standing. The agent establishes an outbound, mutually authenticated TLS connection to the control plane; SSH and management traffic is tunneled back through that connection. Both ends present certificates, so the control plane admits only enrolled agents and an agent will only talk to the genuine control plane. Because the agent always initiates the connection, the host exposes no inbound listener: knowing its IP address gives an attacker nothing to connect to.
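Here is what that connection pattern looks like in code. This is an added, self-contained Go example, not Subnomic's agent or control plane: the control plane listens, the agent dials out presenting a client certificate, and the control plane pushes a command back down the connection the agent opened; an unenrolled client is refused during the handshake. The certificate setup, the names `control-plane`, `agent-host-01` and `attacker`, the `ssh-session user=alice` command and the loopback addresses are all constructed for the demo, and enrolment is modelled by placing each peer's own self-signed certificate in the other side's trust pool.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// selfSigned makes a self-signed, in-memory certificate for the demo (constructed, not a
// real PKI). Enrolment is modelled by placing a peer's certificate in the verifier's pool.
func selfSigned(name string, usage x509.ExtKeyUsage) (tls.Certificate, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // cannot fail with the system RNG
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err) // the template is fixed, so only an RNG failure can get here
	}
	parsed, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed
}

// runControlPlane accepts the agent's outbound connection, requires a client certificate
// from the enrolled pool (mutual TLS), then pushes cmd back down that same connection.
// Its verdict, or the reason it refused the peer, arrives on the returned channel.
func runControlPlane(enrolled *x509.CertPool, cert tls.Certificate, cmd string) (string, <-chan string) {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13,
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: enrolled}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		panic(err) // demo: a loopback listener should always be available
	}
	out := make(chan string, 1)
	go func() {
		defer ln.Close()
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = conn.(*tls.Conn).Handshake() // verifies the agent's certificate
		}
		if err != nil {
			out <- "rejected: " + err.Error() // refused before any command or data crossed
			return
		}
		fmt.Fprintln(conn, cmd) // control plane -> agent, over the socket the agent opened
		reply, _ := bufio.NewReader(conn).ReadString('\n')
		who := conn.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
		out <- who + ": " + strings.TrimSpace(reply)
	}()
	return ln.Addr().String(), out
}

// runAgent is the host side: dial out, verify the control plane, present our own
// certificate, then wait for work on the socket we opened. Nothing listens on the host.
func runAgent(addr string, trustedCP *x509.CertPool, cert tls.Certificate) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{Certificates: []tls.Certificate{cert},
		RootCAs: trustedCP, ServerName: "control-plane", MinVersion: tls.VersionTLS13})
	if err != nil {
		return err
	}
	defer conn.Close()
	cmd, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return err // the control plane refused our certificate, or the link dropped
	}
	_, err = fmt.Fprintf(conn, "ran %s", cmd) // a real agent would execute the approved action
	return err
}

// Demo returns what the control plane recorded for an enrolled agent, and whether an
// unenrolled agent presenting a certificate of its own was turned away.
func Demo() (trusted string, rogueRejected bool) {
	cp, cpX := selfSigned("control-plane", x509.ExtKeyUsageServerAuth)
	agent, agentX := selfSigned("agent-host-01", x509.ExtKeyUsageClientAuth)
	rogue, _ := selfSigned("attacker", x509.ExtKeyUsageClientAuth) // never enrolled
	enrolled, trustedCP := x509.NewCertPool(), x509.NewCertPool()
	enrolled.AddCert(agentX)
	trustedCP.AddCert(cpX)
	addr, out := runControlPlane(enrolled, cp, "ssh-session user=alice")
	_ = runAgent(addr, trustedCP, agent) // any refusal would show up in the verdict
	trusted = <-out
	addr, out = runControlPlane(enrolled, cp, "ssh-session user=alice")
	return trusted, runAgent(addr, trustedCP, rogue) != nil && strings.HasPrefix(<-out, "rejected:")
}

func main() {
	trusted, rejected := Demo()
	fmt.Println(trusted, "| unenrolled agent rejected:", rejected)
}
```

Run it with `go run` and the output shows the enrolled agent's reply attributed to its certificate identity, while the unenrolled client is refused inside the TLS handshake, before any command or data crosses the link. In a real deployment the client-CA pool would hold the issuing CA rather than individual agent certificates, and the channel would carry the tunneled SSH session rather than a line of text; the direction of the connection is the point.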
Every human, machine and AI agent is bound to a strong cryptographic identity. Privileges are granted just-in-time, scoped by RBAC to specific hosts and actions, and expire automatically, so there is no standing access to steal and a compromised account or host has very little to pivot through.
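An added Go example (not Subnomic's code) of how a just-in-time, time-boxed grant can sit on top of an RBAC policy: the control plane checks the user's roles on the requested host, mints a grant for exactly that host and action with a short expiry, and signs it; the agent on the host verifies the signature against the control plane's public key and refuses the grant outside its window, on any other host, or for any other action. The policy, the users `alice` and `bob`, the hosts, the actions, the ten-minute lifetime and the fixed timestamp are all constructed for the demo, and the wire format (Ed25519 signature followed by the JSON grant) is a simplification chosen here, not Subnomic's.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Policy maps a role to the actions it permits; Bindings map a user to the roles they
// hold on each host. Both are constructed for the demo and are not a real policy.
type Policy map[string][]string
type Bindings map[string]map[string][]string
// Grant is what a successful request produces: one subject, one host, only the action
// asked for, and a hard validity window. The host keeps no key that could mint one.
type Grant struct {
	Subject   string `json:"sub"`
	Host      string `json:"host"`
	Action    string `json:"action"`
	NotBefore int64  `json:"nbf"`
	Expiry    int64  `json:"exp"`
}
var (
	ErrDenied        = errors.New("policy does not permit this action on this host")
	ErrBadSignature  = errors.New("grant signature invalid")
	ErrOutsideWindow = errors.New("grant not yet valid or already expired")
	ErrWrongHost     = errors.New("grant was issued for a different host")
	ErrWrongAction   = errors.New("grant was issued for a different action")
)

// Request is the control-plane side: consult RBAC, then mint a grant that lives for ttl.
// Wire form: the 64-byte Ed25519 signature followed by the JSON grant it covers.
func Request(priv ed25519.PrivateKey, p Policy, b Bindings, user, host, action string, now time.Time, ttl time.Duration) ([]byte, error) {
	permitted := false
	for _, role := range b[user][host] {
		for _, a := range p[role] {
			permitted = permitted || a == action
		}
	}
	if !permitted {
		return nil, ErrDenied
	}
	payload, err := json.Marshal(Grant{user, host, action, now.Unix(), now.Add(ttl).Unix()})
	if err != nil {
		return nil, err
	}
	return append(ed25519.Sign(priv, payload), payload...), nil
}

// Authorize is the agent side, run before any session is opened: verify the signature
// with the control plane's public key, then check the window, the host and the action.
func Authorize(pub ed25519.PublicKey, tok []byte, host, action string, now time.Time) (string, error) {
	if len(tok) < ed25519.SignatureSize || !ed25519.Verify(pub, tok[ed25519.SignatureSize:], tok[:ed25519.SignatureSize]) {
		return "", ErrBadSignature
	}
	var g Grant
	if err := json.Unmarshal(tok[ed25519.SignatureSize:], &g); err != nil {
		return "", err
	}
	if now.Unix() < g.NotBefore || now.Unix() >= g.Expiry {
		return "", ErrOutsideWindow
	}
	if g.Host != host {
		return "", ErrWrongHost
	}
	if g.Action != action {
		return "", ErrWrongAction
	}
	return g.Subject, nil
}

// Scenario runs the constructed policy through the cases that matter and returns the
// outcome of each; nil means the request or session would be allowed.
func Scenario() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // cannot fail with the system RNG
	policy := Policy{"web-ops": {"ssh", "restart-nginx"}, "dba": {"ssh", "psql"}}
	bindings := Bindings{"alice": {"web-01": {"web-ops"}}, "bob": {"db-01": {"dba"}}}
	now := time.Unix(1700000000, 0) // fixed clock so the run is reproducible
	res := map[string]error{}
	tok, err := Request(priv, policy, bindings, "alice", "web-01", "ssh", now, 10*time.Minute)
	res["alice requests ssh on web-01"] = err
	_, res["alice ssh web-01 at +1m"] = Authorize(pub, tok, "web-01", "ssh", now.Add(time.Minute))
	_, res["same grant at +11m"] = Authorize(pub, tok, "web-01", "ssh", now.Add(11*time.Minute))
	_, res["same grant replayed on db-01"] = Authorize(pub, tok, "db-01", "ssh", now.Add(time.Minute))
	_, res["same grant used for restart-nginx"] = Authorize(pub, tok, "web-01", "restart-nginx", now.Add(time.Minute))
	_, res["bob requests ssh on web-01"] = Request(priv, policy, bindings, "bob", "web-01", "ssh", now, 10*time.Minute)
	tampered := bytes.ReplaceAll(tok, []byte(`"web-01"`), []byte(`"db-01"`)) // edit after signing
	_, res["grant with host edited to db-01"] = Authorize(pub, tampered, "db-01", "ssh", now.Add(time.Minute))
	return res
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-36s %v\n", name, err)
	}
}
```

Note what a stolen grant is worth here: nothing on another host, nothing for another action, nothing after ten minutes, and a single edited byte invalidates it. The host holds only the control plane's public key, which cannot mint grants, so there is no long-lived secret on it to harvest. Even though alice's role also permits `restart-nginx`, the grant carries only the action she asked for.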
We encrypt data in transit with TLS and encrypt sensitive data at rest. The agent collects operational metrics and session activity but does not read application data unless you explicitly grant access through a policy. Retention is configurable per plan, and self-hosted deployments keep all data within your own environment.
We design our controls to be SOC 2-ready and to support your own compliance obligations. If you need specific documentation for a security review, contact security@subnomic.com.
We use a small set of vetted sub-processors to operate the Services, each bound by data protection obligations. The current list is on our Subprocessors page.
Found a security issue? We welcome reports through our Responsible Disclosure process. Please do not disclose issues publicly until we've had a chance to remediate.