Security
Built for trusted, controlled workflows
If you are evaluating Trope, this page covers the controls, review materials, and current security posture we can discuss today.
Security at a glance
Trope is built for teams running sensitive workflows in desktop apps and legacy systems. The basics are straightforward: capture is explicit, access is scoped, and review history is preserved.
What we support today
The controls most teams ask about first
We keep this page constrained to the controls and review material we can support today. That makes the first security conversation faster and more concrete.
Workspace SSO policy and capability-backed roles govern members, invites, reports, settings, and webhook administration.
Audit and compliance evidence is created as managed export jobs with lifecycle state, request IDs, and download controls.
Workspace admins can create workspace-wide or workflow-scoped legal holds that pause new report export creation.
Residency posture is deployment-specific, with region posture and supporting evidence shared during review.
Technical appendix
Claims-to-capability matrix
Open this if your security team wants the detailed mapping from enterprise claims to capability keys and enforcement surfaces.
15 claim mappings for the product authorization surfaces that are claim-driven today.
| Matrix label | Enterprise claim | Enforceable capability | Capability keys | Enforcement surface |
|---|---|---|---|---|
| Members directory visibility | Members read claims: membership.capabilities.members.read | View workspace members | members.read, org.members.read, workspace.members.read, can_view_members, can_manage_members | Members UI visibility and read-only membership APIs. |
| Membership administration | Members manage claims: membership.capabilities.members.manage | Add/remove members and update member roles | members.manage, org.members.manage, workspace.members.manage, can_manage_members | Member mutation controls and membership management APIs. |
| Owner transfer controls | Owner promotion claims: membership.capabilities.members.promote_owner | Promote members to workspace owner | members.promote_owner, members.promote-owner, members.assign_owner, members.assign-owner, org.members.promote_owner, org.members.promote-owner, org.members.assign_owner, org.members.assign-owner, workspace.members.promote_owner, workspace.members.promote-owner, workspace.members.assign_owner, workspace.members.assign-owner | Owner assignment controls and owner-promotion API checks. |
| Invite lifecycle controls | Invite claims: membership.capabilities.invites.manage | Create and revoke workspace invites | invites.manage, org.invites.manage, workspace.invites.manage, can_manage_invites | Invite entry points and invite mutation API routes. |
| Audit log access | Audit claims: membership.capabilities.audit.read | View workspace audit events | audit.read, org.audit.read, workspace.audit.read, audit.list, org.audit.list, workspace.audit.list | Audit navigation and audit log read routes. |
| Reports and exports visibility | Reports read claims: membership.capabilities.reports.read | View reports and export history | reports.read, report.read, exports.read, export.read, insights.reports.read, org.reports.read, org.report.read, org.exports.read, org.export.read, org.insights.reports.read, workspace.reports.read, workspace.report.read, workspace.exports.read, workspace.export.read, workspace.insights.reports.read, can_export_reports | Reports navigation visibility and report bootstrap payloads. |
| Reports export operations | Reports manage claims: membership.capabilities.reports.manage | Create and manage report exports | reports.manage, report.manage, exports.manage, export.manage, exports.create, export.create, insights.reports.manage, org.reports.manage, org.report.manage, org.exports.manage, org.export.manage, org.exports.create, org.export.create, org.insights.reports.manage, workspace.reports.manage, workspace.report.manage, workspace.exports.manage, workspace.export.manage, workspace.exports.create, workspace.export.create, workspace.insights.reports.manage, can_export_reports | Report export mutations and export lifecycle actions. |
| Workspace policy management | Settings claims: membership.capabilities.settings.manage | Update workspace settings and policy controls | settings.manage, org.settings.manage, workspace.settings.manage, can_manage_security_settings | Settings UI controls and settings mutation APIs. |
| Billing package controls | Billing claims: membership.capabilities.billing.manage | Manage workspace billing package metadata | billing.manage, org.billing.manage, workspace.billing.manage, can_manage_billing | Billing route visibility and billing package mutation APIs. |
| Retention policy controls | Retention claims: membership.capabilities.retention.manage | Manage retention periods and digest defaults | retention.manage, org.retention.manage, workspace.retention.manage, can_manage_retention | Retention controls and retention policy mutation APIs. |
| Legal hold governance | Legal hold claims: membership.capabilities.legal_holds.manage | Create and update legal holds | legal_holds.manage, legal-holds.manage, legal.holds.manage, org.legal_holds.manage, org.legal-holds.manage, org.legal.holds.manage, workspace.legal_holds.manage, workspace.legal-holds.manage, workspace.legal.holds.manage, can_manage_legal_holds | Legal hold controls and legal hold lifecycle APIs. |
| Network allowlist controls | IP allowlist claims: membership.capabilities.ip_allowlist.manage | Manage workspace IP allowlist and enforcement mode | ip_allowlist.manage, ip-allowlist.manage, ip.allowlist.manage, org.ip_allowlist.manage, org.ip-allowlist.manage, org.ip.allowlist.manage, workspace.ip_allowlist.manage, workspace.ip-allowlist.manage, workspace.ip.allowlist.manage, can_manage_ip_allowlist | IP allowlist settings controls and allowlist mutation APIs. |
| Workflow governance actions | Workflow claims: membership.capabilities.workflows.manage | Manage workflow lifecycle and approvals | workflows.manage, workflow.manage, workflows.update, workflow.update, workflows.archive, workflow.archive, workflows.review, workflow.review, workflows.approve, workflow.approve, workflows.share, workflow.share, workflows.share.manage, workflow.share.manage, org.workflows.manage, org.workflow.manage, org.workflows.update, org.workflow.update, org.workflows.archive, org.workflow.archive, org.workflows.review, org.workflow.review, org.workflows.approve, org.workflow.approve, org.workflows.share, org.workflow.share, org.workflows.share.manage, org.workflow.share.manage, workspace.workflows.manage, workspace.workflow.manage, workspace.workflows.update, workspace.workflow.update, workspace.workflows.archive, workspace.workflow.archive, workspace.workflows.review, workspace.workflow.review, workspace.workflows.approve, workspace.workflow.approve, workspace.workflows.share, workspace.workflow.share, workspace.workflows.share.manage, workspace.workflow.share.manage, can_manage_workflows, can_manage_members | Workflow edit/review actions and workflow mutation APIs. |
| Support token operations | Support token claims: membership.capabilities.support_token.manage | Issue and revoke support session tokens | support_token.manage, support_tokens.manage, org.support_token.manage, org.support_tokens.manage, workspace.support_token.manage, workspace.support_tokens.manage, can_manage_support_tokens | Support token admin controls and token mutation APIs. |
| Webhook delivery controls | Webhook claims: membership.capabilities.webhooks.manage | Manage workspace webhooks and subscribed events | webhooks.manage, org.webhooks.manage, workspace.webhooks.manage, integrations.webhooks.manage, org.integrations.webhooks.manage, workspace.integrations.webhooks.manage, can_manage_webhooks | Webhook settings controls and webhook lifecycle APIs. |
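
For an access review, it helps to invert the matrix and list which capability keys are accepted by more than one row. The following is an added example, not Trope's code: the function names are hypothetical, the data is an excerpt transcribed from the table above, and it assumes that holding any one listed key satisfies that row's capability.

```python
from collections import defaultdict

# Excerpt transcribed from the matrix above: capability -> accepted keys.
# Alias spellings (workspace.*, singular/plural) are trimmed for space;
# every key shown appears in the corresponding row on the page.
MATRIX = {
    "members.read": ["members.read", "org.members.read",
                     "can_view_members", "can_manage_members"],
    "members.manage": ["members.manage", "org.members.manage",
                       "can_manage_members"],
    "reports.read": ["reports.read", "exports.read", "can_export_reports"],
    "reports.manage": ["reports.manage", "exports.create",
                       "can_export_reports"],
    "workflows.manage": ["workflows.manage", "workflows.approve",
                         "can_manage_workflows", "can_manage_members"],
    "audit.read": ["audit.read", "audit.list"],
}


def invert(matrix):
    """Map each key to the sorted list of capabilities that accept it."""
    by_key = defaultdict(set)
    for capability, keys in matrix.items():
        for key in keys:
            by_key[key].add(capability)
    return {key: sorted(caps) for key, caps in by_key.items()}


def overlapping_keys(matrix):
    """Keys accepted by more than one capability row."""
    return {k: caps for k, caps in invert(matrix).items() if len(caps) > 1}


def effective_capabilities(held_keys, matrix):
    """Capabilities satisfied by a set of held keys.

    Assumption: any one listed key satisfies the row.
    Keys not in the matrix grant nothing (deny by default).
    """
    index = invert(matrix)
    granted = set()
    for key in held_keys:
        granted.update(index.get(key, ()))
    return sorted(granted)


if __name__ == "__main__":
    for key, caps in sorted(overlapping_keys(MATRIX).items()):
        print(f"{key}: {', '.join(caps)}")
    print(effective_capabilities({"can_manage_members"}, MATRIX))
```

On this excerpt the overlapping keys are can_manage_members (member read, member manage, workflow manage) and can_export_reports (report read and report manage), which are the rows to ask about when scoping roles during review.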
Security overview brief
Security overview for desktop guidance
A practical overview of how Trope keeps capture permissioned, workspaces isolated, and workflow runs auditable.
What Trope is (and why security matters)
Trope helps teams capture and run guided workflows inside the desktop apps they already use. Because workflows can include sensitive screens (customer records, finance tools, internal systems), we treat security and access control as product features, not an afterthought. This brief explains Trope's security approach at a high level: permissioned capture on the desktop, isolated workspaces in Trope Cloud, and strong accountability through run history and logs.
Permissioned capture
Desktop capture is gated by explicit user permissions. Trope is designed so capture is user-initiated and can be stopped at any time, and the desktop agent only sees what a user has authorized through OS-level permissions. In other words: Trope does not silently run in the background - capture starts when a user starts it.
Data minimization for sensitive workflows
Trope is designed to capture what you need to make a workflow usable - not to indiscriminately collect a user's desktop. Teams get the best security outcomes when they pair Trope's explicit capture model with clear internal guidelines: record only approved workflows, use test or masked data when possible, and pause or stop capture around secrets. This keeps workflow assets focused on UI steps and reduces the chance that highly sensitive information becomes part of a shared guide.
- Prefer test environments or test accounts for recordings when possible.
- Avoid recording secrets (passwords, MFA codes, API keys) whenever feasible.
Local-first handling of workflow artifacts
Workflow recordings are created on the user's machine first. That raw capture remains protected by your existing endpoint posture (device encryption, MDM/EDR policies, managed OS updates) before anything is uploaded. In practice, this lets teams define clear capture guidelines - what is appropriate to record, what to avoid, and which workflows should be handled by a smaller trusted group.
Cloud isolation
Trope Cloud stores workflow assets per workspace and scopes access through org membership, capability-backed roles, and invites. This workspace model is designed to keep collaboration simple for teams while reducing the risk of accidental cross-team or cross-customer access. Workspace admins manage membership, and sharing can be scoped to what the situation requires.
- Invite-based membership and admin-managed access.
- Capability-backed UI and API gates for members, reports, settings, and webhook controls.
- Optional sharing through scoped, time-bound workflow links.
Clear boundary between capture and cloud processing
Trope intentionally separates on-device capture from cloud processing. The desktop side is the privileged boundary for interacting with the operating system, while the cloud side focuses on storing workspace assets, generating guidance, and coordinating access. This split helps minimize what the cloud can see by default and makes it easier for security teams to reason about where sensitive data may exist. When automation actions are enabled, they run within an active session and under explicit user-granted capabilities on the endpoint - not as unattended background access.
Auditability
Each workflow run produces structured metadata that supports review, QA, and compliance needs. Teams can answer basic questions like who ran a workflow, when it was run, and whether it completed successfully without relying on informal screen recordings or memory. Over time, run history and feedback help keep high-impact workflows current.
Retention, deletion, and offboarding
Trope is built for business workflows, which means teams need predictable lifecycle controls. Workspace admins can set retention expectations, remove membership when employees change roles or leave, and place qualifying workspaces on legal hold so retention-sensitive data is not destroyed during investigations or regulatory review. Active legal holds pause new report export creation until the hold is released or expires. As part of a security review, we document the retention model, deletion flow, and where legal hold changes normal lifecycle behavior.
Encryption and data protection
Trope uses industry-standard encryption to protect data in transit and at rest. This applies to workflow artifacts, generated guides, and operational logs. We also follow least-privilege principles for internal access so routine operations do not require broad visibility into customer content. If your security program requires it, we can document our encryption posture and access workflows at a level suitable for vendor review without exposing sensitive implementation details.
Operational security and incident response
Security also depends on how a service is operated day to day. Trope maintains operational logging and monitoring so we can track service health, investigate issues, and respond quickly. When something goes wrong, we follow an incident response process to contain impact, restore service, and drive remediation. For security-sensitive customers, we can align on communication expectations, security points of contact, and escalation paths during review. We also treat operational hygiene (reviewed access, change control, and defense-in-depth) as part of the product lifecycle, not an afterthought.
Authentication and access governance
Trope is designed for controlled access at the workspace level. Authentication establishes identity, and authorization enforces what each user can do within a workspace. Workspace admins can require SSO for eligible deployments, password fallback is suppressed when a workspace is configured as SSO-only, capability claims are checked in both product navigation and backend routes, and production environments enforce stronger MFA expectations. On desktop, Trope relies on OS-provided secure storage to protect authentication material, and workspace admins can control invites and membership as teams change.
AI processing and third-party providers
Some Trope features rely on AI to turn captured artifacts into usable guidance. When we use third-party AI providers, we do so under agreements that restrict how customer data can be used, and we limit sharing to what is necessary to operate the service. We do not permit AI providers to use your data to train models for other customers, and for strict compliance needs we can discuss provider and region constraints.
Canadian data residency (for those who need it)
Some organizations require Canada-only data residency for storage and processing. For eligible customers, Trope can be provisioned into a Canada deployment with Canada-scoped workspaces pinned to Canadian endpoints and residency checks that fail closed when workspace metadata and deployment region do not agree. We define the scope clearly (storage, processing, and provider choices) so you can evaluate it against your policy, and we can provide deployment-specific plus org-scoped residency evidence during review. If your compliance program has specific interpretations (for example, around global CDNs or DNS), we will document the end-to-end behavior and available options so you can make an informed decision.
- Region-pinned storage and processing for Canada-resident workspaces.
- Residency guardrails and org-scoped evidence packs to prevent accidental cross-region handling.
SOC 2 readiness and security reviews
Trope is building toward SOC 2. We have completed a SOC 2 readiness assessment (January 22, 2026) based on code and documentation review, and we use it to prioritize hardening and evidence collection. A readiness assessment is not an auditor-issued SOC 2 report, but it gives security teams a concrete view of control coverage and what documentation is available today, including gaps and remediation plans. We can share the assessment under NDA and support standard security questionnaires and customer security reviews. When an auditor-issued SOC 2 report is available, we will provide it through the same process.
What we can share during review
Most security reviews go faster when you have concrete artifacts. Trope can provide a security review package tailored to your deployment, including a high-level data flow overview, an AI data-handling overview for applicable features, org-scoped residency evidence where relevant, and the current report export, retention, and legal-hold operating model. If you have a standard vendor questionnaire, we are happy to complete it and walk through your threat model with your security team.
- High-level architecture and data flow overview.
- SOC 2 readiness assessment (January 22, 2026) under NDA.
- Subprocessor list plus Canadian data residency evidence pack and boundary description (if applicable).
- Current report export, retention, and legal-hold posture for the target deployment.
Practical guidance for a safe launch
Trope is most effective when security expectations are explicit from day one. Start with a small first workspace, define capture do's and don'ts, and assign workflow ownership so guides stay current. Trope's permissioned capture, workspace access controls, and auditability are designed to fit into standard enterprise deployment practices, from a small first launch to broader operations usage. When collaborating outside the core team, use scoped, time-bound sharing.
- Start with a limited set of workflows and a small trusted group.
- Document capture guidelines (for example, avoid recording secrets or MFA codes).
- Assign workflow owners and a review cadence for critical processes.