TRUSTED BY HUNDREDS OF TEAMS
Safe and secure builds allow
you to focus on innovation.
Companies deploy faster with Tenki
Compliance
Tenki is aligned with SOC 2 Type II
and ISO 27001 security practices.
SOC 2 Type II via Luxor Technology
Tenki operates under the SOC 2 Type II program of its parent company, Luxor Technology. Reports available under NDA on request at [email protected].
SOC 2 Attested Data Center
All Tenki compute runs in SOC 2-attested data-center facilities with physical access controls, environmental monitoring, and audit logging.
ISO 27001 Certified Data Center
All Tenki compute runs in ISO 27001-certified data-center facilities covering information-security management controls.
Ephemeral VM Isolation
Ensures isolation, strong security and clean execution environments.
99% SLA
Uptime SLA, contractually guaranteed and backed by credits.
Security Program
How we secure your builds,
end-to-end.
A SOC 2-aligned program covering audit attestation, a published threat model, and modern encryption for data at rest and in transit.
SOC 2 Type II. Tenki operates under the SOC 2 Type II program of its parent company, Luxor Technology, audited by an independent licensed CPA firm against the AICPA Trust Services Criteria for Security, Availability, and Confidentiality. Reports are refreshed annually and made available to qualified prospects and customers under a mutual NDA. To request the latest report, email [email protected] from a corporate domain and we will respond within two business days with the NDA and report bundle.
Threat model. Our threat model centers on protecting customer source code, build artifacts, and CI secrets from unauthorized access during workflow execution. Every job is provisioned to a single-tenant ephemeral virtual machine with a fresh kernel, fresh disk, and isolated network namespace, so jobs cannot inspect or interfere with other jobs. The runner is destroyed at the end of every workflow and job-time secrets never leave the VM boundary. We continuously evaluate risks across our supply chain, hypervisor, control plane, and customer integrations, and harden controls as the threat landscape evolves.
Encryption in transit. All traffic between your GitHub organization, the Tenki control plane, and our runners is encrypted using TLS 1.2 or higher with modern cipher suites and forward secrecy. Public endpoints enforce HSTS and reject downgraded connections, and internal service-to-service calls run over mutually authenticated TLS inside a private network.
Encryption at rest.Customer data is encrypted at rest with AES-256 across object storage, databases, backups, and ephemeral runner volumes. Encryption keys are managed by our cloud provider's hardware-backed key management service, rotated on a defined schedule, and access is restricted to a least-privileged subset of production engineers under audit logging. Customer-supplied secrets injected into workflows are encrypted at rest, decrypted only inside the runner VM at job start, and zeroized when the VM terminates.
Operations & Disclosure
Incident response, testing,
and responsible disclosure.
Documented operational practices for detecting, containing, and communicating security events — and a clear path for researchers to report them.
Incident response. Tenki maintains a documented incident-response plan with defined severity tiers, escalation paths, and a 24/7 on-call engineering rotation that triages and contains security events as they occur. Every incident is followed by a post-incident review that captures root cause, customer impact, and remediation actions, and the plan is exercised on a recurring basis to validate detection and response timing.
Notification SLA. If a confirmed security incident materially affects your data or workflows, Tenki will notify impacted customers within 72 hours of confirmation through the security and billing contact emails on file. Initial notifications include what we know, what we do not yet know, and the immediate steps we are taking. A written post-mortem with remediation status follows once the investigation has closed.
Penetration testing. We engage independent security firms to perform third-party penetration tests of our application surface and underlying infrastructure on at least an annual cadence, supplemented by continuous internal vulnerability scanning, dependency review, and peer code review on every change. Findings are tracked to closure under defined service levels — critical and high-severity issues are remediated as a priority before the engagement is closed and a clean retest is issued. A summary letter from our most recent test is available to enterprise customers under NDA on request.
Vulnerability disclosure. We welcome reports from the security community. If you believe you have discovered a vulnerability in Tenki, email [email protected] with reproduction steps and any supporting artifacts. We acknowledge valid reports within two business days, share remediation timelines for confirmed issues, and credit researchers at their request once a fix has shipped. Please do not publicly disclose unfixed issues, perform testing that disrupts other customers, or attempt to access data that does not belong to you.
Connection Security
Secure GitHub integration.
Single Sign-On (SSO) integration with GitHub enables you to access accounts effortlessly while safeguarding personal information through GitHub's strong authentication.
Permission
Reason
Read access to members and metadata.
To retrieve and list information from your workflows and runs.
Read and write access to actions, code, pull requests, and workflows.
For the migration wizard to generate a pull request with the necessary code changes.
Read and write access to administration.
To be able to support Private Organizations repositories.
Permission
Read access to members and metadata.
Read and write access to actions, code, pull requests, and workflows.
Read and write access to administration.
Reason
To retrieve and list information from your workflows and runs.
For the migration wizard to generate a pull request with the necessary code changes.
To be able to support Private Organizations repositories.
Testimonials
