Your inventory data is worth protecting. We build for that from day one, not as a late add-on.
Built by a cybersecurity professional, the platform is designed to protect device and software inventory end to end: strong transport and storage, least-privilege access, verifiable agents, and audit trails you can actually use in a review.
How we think about risk
Three commitments you will see in the actual product, not only on a slide.
TLS on the wire, protected storage, and careful handling of secrets so inventory isn’t readable to whoever sits on the network path.
Signed agents, scoped API keys, and tamper detection so the device reporting into your org matches the software you expect, not a swapped binary.
Audit logs and monitoring hooks that answer “who changed what, and when?”, during incidents and compliance reviews alike.
Data lifecycle
Encryption in transit and at rest, plus a database layer built to avoid whole classes of attacks.
256-bit TLS
TLS 1.2+ with strong ciphers. Every API call, agent heartbeat, and browser session is encrypted on the wire.
Your inventory, software catalog, and compliance data stay protected at rest, not only in transit.
Type-safe, parameterized access. Fewer injection footguns and stronger guarantees that data matches your schema.
Identity
Accounts are the front door. We combine MFA, short-lived sessions, and roles so the right people see the right inventory, without turning every login into a ticket.
Endpoints
Installers you can verify, binaries that resist tampering, and API keys that can be rotated and scoped.
If you can’t trust what’s installed on the machine, you can’t trust the inventory. Signing, notarization, and key hygiene are how we keep the agent honest.
Design principle
Windows and macOS agents are signed so users can confirm software came from InventoryOS.
macOS packages meet Gatekeeper checks before they ever run on a device.
Unexpected changes to the agent can be detected and acted on, so modified binaries don’t blend in.
Rotate keys with grace periods for running integrations. Scope keys to orgs or actions so each automation gets minimum access.
Platform
Managed hosting, sane patching, and edge protections. The table below has the specifics when you want them.
TLS termination and DDoS protections from providers built for global traffic, so we focus on the app instead of building a CDN from scratch.
Dependencies and agents move on a steady cadence; critical issues don’t wait for the next quarterly window.
Rate limits and CSRF controls cut down automated noise and cross-site trickery.
| Layer | What you should know |
|---|---|
| Hosting | API on Render, web on Vercel: DDoS mitigation, TLS termination, and scaling we don’t have to reinvent. |
| Patching | Platform and agents get updates on a steady cadence; critical fixes jump the line. |
| CSRF | State-changing requests are bound to real sessions so random sites can’t fire actions as your users. |
| Rate limits | Auth and API routes are throttled to slow brute-force and noisy clients. |
| Security headers | HSTS, CSP, X-Frame-Options, and similar headers for browser-side hardening against common web bugs. |
Visibility
See who did what, catch odd API behavior early, and ship failures to Sentry for fast triage. Evidence first, not guesswork.
Audit trail
User actions, API calls, and system events are logged for compliance reviews and incident response, not just “trust us.”
Unusual API key patterns surface before they become a headline.
Role and permission edits are tracked; escalation attempts get flagged.
Exceptions land in Sentry with context so we fix root causes, including security-relevant failures first.
Application layer
How we validate input, prove webhook authenticity, and keep browsers from leaking your API to random origins.
Requests are validated against schemas before they reach business logic; parameterized queries and output encoding close off SQL injection and XSS.
Receivers verify payloads with shared secrets so traffic in transit can’t be silently rewritten.
Only allow-listed origins can call the API from the browser. No drive-by reads of tenant data.
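As an added illustration of the shared-secret payload verification described above (example code written for this page, not InventoryOS's own implementation; the header layout, the five-minute replay window and the sample event are assumptions), this receiver rejects unsigned, rewritten and replayed deliveries:

```python
import hashlib
import hmac
import json

# Assumed header layout for this example (not the platform's documented format):
# "t=<unix-seconds>,v1=<hex HMAC-SHA256>" computed over the string "<t>.<raw body>".
SIGNATURE_HEADER = "X-Webhook-Signature"
MAX_SKEW_SECONDS = 300  # deliveries older than this are treated as replays

def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> str:
    """Sender side: build the signature header for the raw body and a timestamp."""
    mac = hmac.new(secret, b"%d." % timestamp + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"

def verify_webhook(secret: bytes, headers: dict, body: bytes, now: int) -> tuple[bool, str]:
    """Receiver side: return (accepted, reason). Always MAC the raw request bytes,
    never a re-serialised JSON object, or harmless whitespace differences break it."""
    header = headers.get(SIGNATURE_HEADER)
    if not header:
        return False, "missing signature header"
    fields = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    try:
        timestamp, provided = int(fields["t"]), fields["v1"]
    except (KeyError, ValueError):
        return False, "malformed signature header"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = hmac.new(secret, b"%d." % timestamp + body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), provided.encode()):  # constant-time compare
        return False, "signature mismatch"
    return True, "ok"

# Constructed sample delivery (not real data): one agent check-in event.
SECRET = b"example-shared-secret"
BODY = json.dumps({"event": "agent.checkin", "device_id": "dev-0001"}).encode()
SENT_AT = 1_700_000_000

def demo() -> dict:
    """Exercise the receiver against clean, rewritten, replayed, unsigned and mis-keyed deliveries."""
    good = {SIGNATURE_HEADER: sign_webhook(SECRET, BODY, SENT_AT)}
    rewritten = BODY.replace(b"dev-0001", b"dev-9999")  # body altered on the network path
    return {
        "valid": verify_webhook(SECRET, good, BODY, SENT_AT + 5),
        "rewritten": verify_webhook(SECRET, good, rewritten, SENT_AT + 5),
        "replayed": verify_webhook(SECRET, good, BODY, SENT_AT + 3600),
        "unsigned": verify_webhook(SECRET, {}, BODY, SENT_AT),
        "wrong_secret": verify_webhook(b"other", good, BODY, SENT_AT),
    }
```

The reason strings are for the receiver's own logs; a production endpoint should return the same generic 4xx to the caller for every rejection so the failure mode is not disclosed.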
Roadmap
We’re building toward the attestations enterprise teams expect, with clear intent and without hype. Audit logs, access controls, and encryption in place today are the same foundation auditors ask about tomorrow.
On our roadmap: controls, evidence, and processes designed for a future SOC 2 Type II audit. We do not currently claim SOC 2 compliance.
See the controls in action
14-day free trial. No credit card required. Full Professional plan access.