Security at FreeState

Your infrastructure state contains critical information. We implement enterprise-grade security measures to protect your data and ensure the integrity of your Terraform workflows.

Security is Our Foundation

At FreeState, security isn't an afterthought—it's built into every aspect of our service. We understand that your Terraform state files contain sensitive information about your infrastructure, and we've designed our platform with security as the highest priority.

Encryption Everywhere

All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption with customer-managed keys.

Zero Trust Architecture

Every request is authenticated and authorized with fine-grained access controls and continuous security monitoring.

Complete Auditability

Comprehensive audit logs track every action with tamper-proof logging for compliance and forensic analysis.

Data Protection

Encryption at Rest

  • AES-256 encryption for all stored data
  • Customer-managed encryption keys (CMEK) available
  • Hardware Security Module (HSM) key management
  • Regular key rotation and lifecycle management

Encryption in Transit

  • TLS 1.3 with perfect forward secrecy
  • Certificate pinning and HSTS enforcement
  • End-to-end encryption for all API communications
  • Mutual TLS (mTLS) for high-security environments

Data Isolation

  • Strict tenant isolation with encrypted boundaries
  • Workspace-level access controls and permissions
  • Network-level segmentation and isolation
  • Private cloud and dedicated instance options

Access Control and Authentication

Multi-Factor Authentication

  • Required for all user accounts
  • TOTP and hardware key support
  • SMS and email backup options
  • SSO integration with SAML and OIDC

API Security

  • API key authentication with scoped permissions
  • Rate limiting and abuse detection
  • IP whitelisting and geographic restrictions
  • Short-lived tokens for enhanced security

Role-Based Access Control

  • Fine-grained permissions system
  • Workspace-level role assignments
  • Just-in-time access for temporary permissions
  • Regular access reviews and audits

Identity Management

  • Enterprise directory integration
  • Automated user provisioning and deprovisioning
  • Group-based access management
  • Session management and timeout controls

Infrastructure Security

Network Security

  • Web Application Firewall (WAF)
  • DDoS protection and mitigation
  • Network intrusion detection
  • VPC isolation and private networking
  • Regular penetration testing
  • Vulnerability scanning and assessment
  • Security incident response team
  • 24/7 security monitoring

Application Security

  • Secure coding practices and reviews
  • Static and dynamic security testing
  • Dependency vulnerability scanning
  • Container security and image scanning
  • Runtime application protection
  • Input validation and sanitization
  • SQL injection and XSS prevention
  • Regular security updates and patches

Compliance and Certifications

  • SOC 2 Type II: Annual security audits
  • ISO 27001: Information security management
  • GDPR Compliant: EU privacy regulations
  • HIPAA Ready: Healthcare data protection

Regulatory Compliance

FreeState maintains compliance with major security frameworks and regulations:

  • SOC 2 Type II: Annual third-party security audits validating our security controls
  • ISO 27001: International standard for information security management systems
  • GDPR: Full compliance with EU General Data Protection Regulation
  • HIPAA: Business Associate Agreement available for healthcare customers
  • PCI DSS: Payment card industry security standards for billing systems

Security Incident Response

24/7 Security Operations Center

  • Continuous security monitoring and alerting
  • Automated threat detection and response
  • Security information and event management (SIEM)
  • Dedicated security incident response team

Incident Communication

  • Real-time status page updates
  • Customer notification within 4 hours
  • Detailed post-incident reports
  • Regular security briefings for Enterprise customers

Response Process

  1. Detection: Automated systems and monitoring detect potential threats
  2. Assessment: Security team evaluates impact and develops response plan
  3. Containment: Immediate actions to contain and mitigate the incident
  4. Recovery: System restoration and post-incident analysis

Security Best Practices for Users

API Key Security

  • Use environment variables or secure credential storage
  • Never commit API keys to version control
  • Rotate keys regularly (every 90 days recommended)
  • Use workspace-scoped keys with minimal permissions
  • Monitor API key usage and revoke unused keys

Network Security

  • Use VPN connections for remote access
  • Implement IP whitelisting for production workspaces
  • Enable webhook signature verification
  • Use private networking options when available
  • Monitor access logs for unusual activity
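Webhook signature verification, recommended in the list above, only protects you if the receiving side actually checks the signature with a constant-time comparison and rejects stale deliveries. The following Python is an added example written for this page; it is not FreeState's own code, and the header names (X-Webhook-Timestamp, X-Webhook-Signature), the "sha256=" prefix and the timestamp-dot-body signing scheme are assumptions, since this page does not document the actual webhook format. Adapt the names to whatever your provider specifies.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Assumed scheme (constructed for this example, not documented on the page):
#   X-Webhook-Timestamp: unix seconds at which the sender signed the payload
#   X-Webhook-Signature: "sha256=" + hex(HMAC-SHA256(secret, "<timestamp>.<body>"))
# Binding the timestamp into the signed message lets the receiver reject replays.
MAX_SKEW_SECONDS = 300


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Compute the signature a sender would attach (used here to build test input)."""
    message = str(timestamp).encode("ascii") + b"." + body
    return "sha256=" + hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: Dict[str, str], body: bytes,
                   now: Optional[int] = None) -> bool:
    """Return True only for a correctly signed, fresh delivery.

    Rejects: missing or malformed headers, timestamps outside MAX_SKEW_SECONDS
    (replayed or delayed deliveries), and any signature mismatch. The comparison
    uses hmac.compare_digest so timing does not leak how many bytes matched.
    """
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers.get("X-Webhook-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    provided = headers.get("X-Webhook-Signature", "")
    expected = sign_payload(secret, timestamp, body)
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    # Constructed sample delivery: a state-change event body and a demo secret.
    secret = b"demo-webhook-secret-not-real"
    body = b'{"event":"state.updated","workspace":"prod"}'
    ts = 1_700_000_000
    headers = {
        "X-Webhook-Timestamp": str(ts),
        "X-Webhook-Signature": sign_payload(secret, ts, body),
    }
    print("valid delivery accepted:", verify_webhook(secret, headers, body, now=ts + 10))
    print("tampered body rejected:", not verify_webhook(secret, headers, body + b" ", now=ts + 10))
    print("stale delivery rejected:", not verify_webhook(secret, headers, body, now=ts + 3600))
```

Keep the shared secret out of source control (an environment variable or secret store, as the API key guidance above says), and treat a verification failure as a reason to log and drop the request, not to retry it.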

Team Management

  • Follow principle of least privilege for user access
  • Regular access reviews and user audits
  • Use SSO with multi-factor authentication
  • Implement break-glass procedures for emergencies
  • Document security procedures and policies

Security Contact

Found a security vulnerability? We appreciate responsible disclosure and will work with you to address any security concerns.

Security Team

security@freestate.cloud

PGP Key

Available for encrypted communications

Bug Bounty Program

Coming soon - responsible disclosure rewards