

Cornerstones of Thycotic Security


Transparency is one of our core values. You can always see the status of Thycotic solutions at

Security from the Ground Up

Thycotic’s solutions are built with security in mind from the start. We adhere to industry best practices such as the NIST Cybersecurity Framework. Rigorous security testing is performed as part of ongoing software development and quality assurance. Our defenses include intrusion detection, distributed denial-of-service (DDoS) protection, penetration testing, behavioral analytics, anomaly detection, machine learning, and a 24x7x365 Security Operations Center.

We also monitor for and protect against the most critical web application security risks, including SQL injection and cross-site scripting, and the broader OWASP Top 10 and Automated Top 20 threat categories. Our threat data is updated continuously to cover the latest attacks.

ISO 27001:2013

ISO 27001 is a globally recognized standard that mandates numerous controls for the establishment, maintenance, and certification of an information security management system (ISMS). It requires organizations to apply an established methodology and framework to their business and IT processes in order to identify, manage, and reduce risks to the security of information.

Data Privacy and Protection

Thycotic products and business practices are GDPR compliant. We are certified under the EU-U.S. Privacy Shield.

Our solutions help customers stay in compliance with a variety of cyber security and data protection regulations, including HIPAA, PCI DSS, and industry-specific and regional requirements.

Cloud Platforms

Thycotic partners with Microsoft Azure and Amazon Web Services to deliver our cloud solutions and provide customers with state-of-the-art threat management and full redundancy. Both platforms hold FedRAMP authorizations and are ISO/IEC 27001 certified.


Backup and Recovery

All cloud customer databases are backed up continuously. Full database backups are taken weekly, differential backups approximately every 12 hours, and transaction log backups approximately every 5 to 10 minutes, giving a recovery point objective (RPO) of under 10 minutes for a restore within the primary region. Backups are also replicated asynchronously to a geographically separate region; because that replication lags the primary, a geo-restore after a regional outage has an RPO of less than 1 hour.

Common Criteria (ISO/IEC 15408) Certified

Thycotic’s flagship product, Secret Server, is Common Criteria Certified in the United States and Canada and meets requirements for government use of IT security products.

SOC2 Type II

SOC 2 Type II reports are the most thorough attestation under the AICPA’s System and Organization Controls (SOC) program: where a Type I report covers only the design of controls at a point in time, a Type II report also covers their operating effectiveness over a review period of several months. Businesses evaluating a vendor such as a SaaS provider will find the SOC 2 Type II report the most useful evidence of a prospective provider’s controls.

A company that has obtained a SOC 2 Type II report has had an independent auditor confirm that its system is designed and operated to keep its clients’ sensitive data secure. For cloud and related IT services, such assurance is essential and increasingly required by regulators, examiners, and auditors.

Thycotic undergoes regular audits to ensure that the requirements of each of the five Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy) are met and that we remain SOC 2 compliant.


Encryption

All customer data is fully isolated and encrypted both in transit and at rest, using AES-256 for encryption and PBKDF2-HMAC-SHA256 (a password-based key derivation function) for key derivation and hashing. Thycotic uses a separate encryption key for each customer, with third-party key management support (AWS KMS). Every secret is salted before being hashed and encrypted, and each is encrypted under its own unique key and initialization vector (IV), so no two secrets share key material or an IV.

All connections to Secret Server Cloud are protected via Transport Layer Security (TLS). Distributed Engine communications are also secured with an additional encryption key unique to the tenant.


NIST Cybersecurity Framework

The National Institute of Standards and Technology (NIST) developed the Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework) in response to Executive Order 13636. The framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses. Thycotic adheres to this framework, and the security controls aligned with the framework’s Core are tested as part of our periodic SOC 2 Type II report.

CSA Star

The CSA Security, Trust & Assurance Registry (CSA STAR) is one of the industry’s most rigorous programs for security assurance in the cloud. It rests on the principles of transparency, rigorous auditing, and harmonization of standards, and helps customers and prospective customers assess the security posture of cloud offerings. Our completed Consensus Assessments Initiative Questionnaire (CAIQ) is available for review.


For security-related questions contact us at