Phone Number +1-202-802-9399 (US)

Thycotic Security Trust Center

Why you can be confident we’ve got you covered

Security is built into our bones

Thycotic’s privileged access management solutions are built with security as a foundation from the start, with strict adherence to industry best practices such as the NIST Cyber Security Framework. We make sure rigorous security testing is performed as an essential component of our ongoing software development processes along with continuous Quality Assurance checks.

Our cyber security defense measures include intrusion detection, Distributed denial-of-service (DDoS) attack prevention, penetration testing, behavioral analytics, anomaly detection, machine learning, and a 24x7x365 state of the art Security Operations Center. We also monitor and protect against the most critical web application security risks, such as SQL injection, cross site scripting, OWASP Top 10 and Automated Top 20 threats. And our threat data is continuously updated to protect against the latest threats and zero-day attacks.

Encryption assured for data in-transit and at-rest

All customer data is fully isolated and encrypted both in-transit and at rest, using the AES-256 standard encryption algorithm and PBKDF2-HMAC-SHA256 hashing algorithm. Thycotic utilizes private encryption keys for each customer, with third-party key management support (AWS KMS). All secrets are systematically “salted” before being hashed and encrypted with their own unique Initialization Vector and Key.

All connections to cloud services are protected via Transport Layer Security (TLS). Distributed Engine communications are also secured with an additional encryption key unique to the tenant.

Thycotic Service Status

Reliability and transparency
you can trust

Transparency is a core value at Thycotic. You can always check the status of Thycotic solutions at

Certified compliance with global best practices

Thycotic solutions help our customers stay in compliance within a wide range of cyber security and data protection regulations, including those shown here as well as HIPAA, PCI, and industry-specific and regional requirements.

  • AICPA Logo

    SOC2 Type II

    SOC 2 Type II reports are the most comprehensive certification within the Systems and Organization Controls protocol, providing the most useful certification when considering a service provider’s credentials. Having achieved SOC 2 Type II certification, Thycotic has proven its system is designed to keep its clients’ sensitive data secure. For cloud and related IT services, SOC 2 performance and reliability is absolutely essential and increasingly required by regulators, examiners, and auditors. Thycotic undergoes regular audits to ensure the requirements of each of the five trust principles are met and that we remain SOC 2-compliant.

  • Common Criteria Logo

    Common Criteria (ISO/IEC 15408) Certified

    Thycotic’s flagship product, Secret Server, is Common Criteria Certified in the United States and Canada and meets requirements for government use of IT security products.

  • Privacy Shield Logo

    EU/US Privacy Shield

    Thycotic has been certified under the EU-U.S. Privacy Shield framework. Developed by the U.S. Department of Commerce and European Commission, this framework provides companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.

  • NIST Logo


    Thycotic adheres to the NIST Cybersecurity Framework from the The National Institute of Standards and Technology (NIST). The Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) was developed in response to U.S. Executive Order 13636. Created through collaboration between government and the private sector, this framework uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. Our alignment of security controls with the NIST Cybersecurity Framework’s Core is regularly tested as part of the periodic SOC 2 Type 2 report.

  • GDPR Logo


    Thycotic solutions comply with the European Union's General Data Protection Regulation (GDPR). It is focused on ensuring any nation state, organization, or company dealing with European citizens’ personal identifiable information are obliged to comply with this regulation.

  • ISO Logo

    ISO 27001:2013

    Thycotic has been certified for ISO 27001, a globally recognized standard mandating numerous controls for the establishment, maintenance, and certification of an information security management system (ISMS). The ISO standard ensures that we have established methodologies and a framework for business and IT processes to help identify, manage, and reduce risks to the security of information.

    View Certificate

  • CAS Star Logo

    CSA Star

    Thycotic is registered with the Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (CSA STAR). CSA STAR is one of the industry’s most extensive programs for security assurance in the cloud. It encompasses key principles of transparency, rigorous auditing, and harmonization of standards, helping customers and potential customers to assess the security level of cloud offerings.

    View our CAIQ

  • CCPA Logo


    Thycotic supports our customer’s compliance needs for processing covered by the California Consumer Privacy Act of 2018 (the “CCPA”). To confirm applicable aspects of the CCPA in connection with Customer’s use of the Services, Thycotic provides this Compliance Statement.