Trident is built and operated to meet the security expectations of the teams that depend on it. This page summarizes our security program, the compliance frameworks we follow, and how to report issues.
For diligence requests, our written summary, subprocessor list, and audit attestations are available under NDA on request to dekai@usetrident.dev.
Our commitment
We design Trident around three commitments:
- Customer Data stays the customer’s. We act as a processor and use Customer Data only to deliver the Services, not to train third-party general-purpose AI models.
- Least-privilege by default. Production access is granted on a need-to-have basis, reviewed quarterly, and revoked when no longer needed.
- Honest about what we do and don’t do. Where a control is still maturing, we say so to customers and auditors and document the path forward.
Compliance
- SOC 2 Type 1 — Esprit Labs has completed preparation for a SOC 2 Type 1 audit by an AICPA-licensed firm. The report is available under NDA from our Trust Center on request.
- SOC 2 Type 2 — observation window planned to commence following Type 1 issuance. The Type 2 report will be made available under NDA when issued.
- Continuous monitoring — we use a recognized continuous compliance platform to monitor our control posture between audits.
Architecture
Trident runs on managed cloud platforms with regional data residency in the United States. Customer Data is logically segregated by tenant. Production and non-production environments are isolated. External traffic is delivered through a managed edge network with DDoS protection, WAF, and bot management enabled.
Data protection
- Encryption in transit — TLS 1.2 or higher on all external interfaces.
- Encryption at rest — managed encryption on all primary datastores using industry-standard ciphers.
- Secrets management — application secrets are stored in managed secret stores; access is logged and reviewed.
- Backups — automated point-in-time backups on primary datastores; recovery procedures are exercised on a defined schedule.
Access and identity
- SSO — workforce access to internal systems is federated through our identity provider.
- Multi-factor authentication — required for all personnel on production-bearing systems.
- Quarterly access reviews — production access is reviewed against the active personnel list and revoked where not justified.
Monitoring and response
We continuously monitor application errors, runtime anomalies, and edge traffic patterns. On-call coverage is maintained for security-relevant events. Incidents are triaged, contained, and communicated to affected customers in accordance with our Incident Response policy and contractual SLAs.
Secure development
- All production changes flow through reviewed pull requests.
- Branch protection prevents direct pushes to production branches and requires reviewer approval before merge.
- Dependency vulnerabilities are tracked with severity-based remediation SLAs.
- Material code changes are exercised by automated tests before deploy.
Personnel
All Esprit Labs personnel sign confidentiality and IP assignment agreements at hire and complete security awareness training on an annual cycle. Endpoint posture is managed for personnel with access to production systems.
Subprocessors
We use a small set of well-known subprocessors for cloud hosting, identity, observability, email delivery, payment processing, customer support, and compliance monitoring. Each subprocessor is assessed for security posture and operates under a written agreement that includes appropriate confidentiality and data-protection obligations.
A current subprocessor list is available on request to dekai@usetrident.dev. We notify customers in writing in advance of material changes to the list.
Vulnerability disclosure
Security researchers and customers can report suspected vulnerabilities to dekai@usetrident.dev.
- We acknowledge reports within one business day and target triage within five business days.
- We follow a coordinated disclosure approach with a default ninety-day window, adjustable by mutual agreement.
- Researchers acting in good faith and following published rules of engagement are welcome; we do not pursue legal action against good-faith research that complies with this policy.
- We do not currently operate a paid bug bounty program. We credit researchers in coordinated disclosures with consent, and may authorize a reward for severe findings on a case-by-case basis.
Out of scope
- Subprocessor systems — please report directly to the affected vendor.
- Personal accounts or devices of personnel.
- Customer-owned systems that Trident is configured to scan or monitor.
- Reports lacking enough information to reproduce the issue.
Contact
Esprit Labs Inc.
San Francisco, California, USA
dekai@usetrident.dev