roles · teams
Access you can explain
Vault and workspace roles show who can edit, run, and read without inventing a separate security product.
loading
Security
Each workflow step runs in its own container on a machine slot. Managed fleets supply short-lived compute; self-hosted fleets run on machines you enroll. Declared outputs and run records stay available after the containers are gone.
Managed or self-hosted fleets supply machine slots. Each step gets its own container. When the step finishes, the container goes; the records you kept stay.
Managed fleets supply short-lived machines for the run. Self-hosted fleets reserve machines you already enrolled.
Every workflow step gets a fresh container with its own inputs, limits, and outputs. Jobs do not share a slot while they run.
Containers cannot reach cloud instance metadata or Trickest’s private 10/8 network. Managed fleets can use static outbound IPs for your allowlists.
When a step finishes, its container is removed. Declared outputs, logs, and run records stay available under your retention settings.
Workflows, run records, outputs, and secrets stay scoped to your vault. Transfers use HTTPS. Ask us for environment-specific encryption and retention details.
scoped to your vault
Workflow definitions, run metadata, declared outputs, and structured Live Table data stay in your vault. Access follows vault and workspace roles.
Files and structured findings land in vault-scoped storage and transfer over HTTPS with time-limited signed URLs.
vault-scoped
Graphs and versions live with the workspace that owns them, so teams edit and run under the same access model.
versioned graphs
Store secrets encrypted and reference them by name. Values are not returned by the settings API after you enter them. Update or delete a secret without rewriting every workflow.
personal or workspace scope
People and automation authenticate under vault and workspace roles. Tokens act as the user. Enterprise audit logs cover supported platform activity.
Connect enterprise users through SAML 2.0. Individual users can add TOTP multi-factor authentication to password sign-in.
Assign vault and workspace roles to people or teams. Separate who administers, edits, runs, and only reads.
CLI, SDK, and API calls authenticate as the user. Regenerating a token invalidates the previous one.
Search, filter, and export records of supported authenticated platform activity when the audit feature is enabled.
Use run history, roles, and audit exports in customer security reviews. Contact us for current assurance documentation and scope.
roles · teams
Vault and workspace roles show who can edit, run, and read without inventing a separate security product.
run history
Execution records, outputs, and logs stay available so a review can follow what ran, when, and with which graph version.
reviews · export
Use platform records in customer security reviews. Ask us for current assurance documentation and scope.
Execution is where steps run. Workflows and agents submit work into that model.
Get a personalized demo
A 30-minute walkthrough. We map the platform to your stack and answer pricing and deployment questions for your environment.