Security

Enterprise-grade security, built in

Your asset data is sensitive. Koopic protects it with database-level isolation, encryption at every layer, and a comprehensive audit trail.

Koopic protects multi-tenant asset data with database-level tenant isolation, end-to-end encryption for on-prem data collection, and a complete audit trail for every action. SSO is included on all paid tiers, with support for Microsoft Entra ID, Google Workspace, Okta, and Generic SAML 2.0.

Secure by architecture

Multi-Tenant Isolation

Database-level row isolation enforces tenant separation at the engine level. Every query is automatically scoped. No code path can leak cross-tenant data.

Cloud Infrastructure

Production runs on managed cloud infrastructure with read-only filesystems, resource limits, and automated container scanning.

End-to-End Encryption

On-premises data is protected with end-to-end encryption before leaving your network. Digital signatures verify the integrity of every push.

Fine-grained access control

Role-Based Access Control

Three roles, scoped by asset group

Every user is assigned a role within an organization. Viewer, member, and admin roles control read, write, and configuration access respectively. Asset groups let you further scope visibility to specific subsets of devices. Group managers enable delegated governance without granting full admin access.

  • JIT provisioning on first SSO login
  • SSO enforcement with backup account support
  • PKCE on all OIDC flows

SSO Providers

| Provider | Protocol | Status |
|---|---|---|
| Microsoft Entra ID | OIDC | Production |
| Google Workspace | OIDC | Production |
| Okta | SAML | Production |
| Generic SAML 2.0 | SAML | Production |

Continuous security

Automated Testing

Comprehensive test suites across backend, gateway, and agent. Every change is tested before deploy.

Security Reviews

Regular internal security reviews with all findings tracked and resolved.

Audit Trail

26 action types tracked with complete before/after change logging.

Compliance alignment

Koopic includes security controls and audit capabilities that support your compliance program — including access controls, encryption, and detailed audit logging.

  • Complete audit trail with CSV/JSON export

    Export up to 10,000 records per query for auditor review and evidence collection

  • Configurable retention

    90-day default retention with indefinite optional retention for regulated environments

Your data, your network

Agent Security

The Koopic Agent is designed for security-sensitive environments. Raw data never leaves your network unencrypted. The agent stores collected data locally in an encrypted SQLite database and only transmits encrypted payloads to Koopic Cloud over TLS 1.2+.

  • End-to-end encryption with per-session ephemeral keys
  • Digital signatures for anti-replay and integrity verification
  • Offline queue with automatic retry when connectivity is restored
  • Raw data stays in local SQLite — only encrypted payloads are transmitted

Data Flow

  • Customer Network: AD / LDAP, OCS Inventory, Koopic Agent, SQLite + Encrypted Storage
  • Connection: End-to-End Encrypted + TLS 1.2+
  • Koopic Cloud: Gateway API, Database + Isolation

Frequently Asked Questions

How does Koopic isolate tenant data?

Koopic uses database-level tenant isolation to enforce data separation at the engine level. Every query is automatically scoped to the requesting organization. No application code path can leak cross-tenant data, regardless of how the API is called.

Is data encrypted in transit and at rest?

Yes. All data in transit uses TLS 1.2+. On-premises data collected by the Koopic Agent is protected with end-to-end encryption before leaving your network. Credentials stored in the platform use AES encryption at rest.

Does Koopic support SSO?

Yes. SSO is included on all paid tiers — not locked behind Enterprise. Koopic supports Microsoft Entra ID (OIDC), Google Workspace (OIDC), Okta (SAML), and Generic SAML 2.0 with JIT provisioning and PKCE on all OIDC flows.

What does the audit trail capture?

Koopic logs every action with 26 distinct action types, including before/after change tracking. The audit trail covers user actions, API calls, integration syncs, rule evaluations, and administrative changes. Audit logs are immutable and available for export.

How does the on-prem agent protect data?

The Koopic Agent stores collected data in an encrypted local database and only transmits encrypted payloads to Koopic Cloud over TLS 1.2+. Digital signatures verify the integrity of every push. An offline queue ensures no data is lost during network interruptions.

Why teams choose Koopic

  • Unified Asset Inventory
  • Custom Compliance Rules
  • Full Merge Transparency
  • Self-Serve, No Sales Calls
  • 30 Days Free Trial

Built for security-first organizations

Start your free trial with the same enterprise security from day one.