Trekport
Security

Your data stays in your network.

Trekport runs locally. Air-gapped deployment is the default, not a checkbox. Every connection, every artifact, and every decision is accounted for.

Air-gapped by default.

Trekport connects to your source Oracle and your target PostgreSQL. Nothing else. The engine ships as a desktop application, a command-line interface, and a self-hosted web console. There is no managed cloud component, no telemetry channel, and no out-of-band connection back to Trekport.

  • Source and target connections are the only network egress paths.
  • No phone-home update channel. Updates ship through the OS package manager or signed binaries.
  • No usage telemetry by default. Optional crash reporting is opt-in and disabled in air-gapped deployments.

Encryption in transit.

All database connections use TLS. Cipher suites are configurable per environment, with sane defaults that match the major cloud providers. Certificate pinning is supported for both source and target connections.

Encryption at rest.

Conversion artifacts written to local disk are encrypted with platform-native key stores: Keychain on macOS, DPAPI on Windows, and libsecret and gnome-keyring on Linux. Database credentials never land on disk in plaintext.

Compliance readiness.

Trekport is engineered to meet enterprise data-protection requirements out of the box.

  • GDPR. No personal data leaves the customer environment.
  • CCPA. No data sale, no third-party processors with access to customer data.
  • ISO 27001. Information security management practices aligned to the standard.
  • SOC 2 Type II. Audit in progress.

Vulnerability handling.

Coordinated disclosure at security@trekport.sh. Trekport acknowledges reports within 48 hours, triages within 5 business days, and operates on a 90-day public-disclosure clock by default. Researchers acting in good faith are protected.

Audit logging.

Every conversion decision and every deployment action lands in an audit log with rule reference, timestamp, actor, and before-and-after artifact references. Logs are exportable as JSON or CSV and can optionally be shipped to a SIEM via syslog or HTTPS webhook.

Identity and access.

Role-based access ships built in, with separate roles for read-only auditors, conversion operators, and deployment owners. Each role is scoped to specific phases of the pipeline. An optional approval queue can gate each phase before it commits.

Talk to engineering about your posture.

Security questionnaires, deployment-architecture reviews, and compliance-evidence requests are handled directly by the Trekport engineering team. Reserve priority access to start that conversation.