Telos serves as the operating system for our Customers' most sensitive operational data — banking, financial, payroll, and contractual information. We treat the security of that data as a foundational obligation, not a checkbox.
This page describes our security program, the practices we have in place today, the commitments we are building toward, and how the security research community can responsibly disclose issues to us.
Security Program
Telos's security program is owned at the executive level. We design our systems, processes, and people to defend customer data through layered controls.
Today
- Encryption. Customer Data is encrypted in transit using TLS 1.2 or higher, and at rest using AES-256 (or equivalent) on managed cloud infrastructure.
- Tenant isolation. Customer Data is logically separated by tenant. Access controls are enforced at the application and database layer.
- Authentication and access. Telos enforces multi-factor authentication for employee access to production systems and customer-facing administrative tools. Production access is granted on a least-privilege basis and reviewed regularly.
- Secrets management. Credentials, tokens, and keys are stored in dedicated secret-management services and are not committed to source-code repositories.
- Logging and monitoring. Production systems generate audit and access logs that are retained for security review and incident response.
- Vendor security. We assess the security posture of subprocessors and vendors that handle Customer Data before onboarding them, and review key vendors on an ongoing basis.
- Secure development. Code changes are peer-reviewed, dependencies are scanned for known vulnerabilities, and we use automated testing and static analysis in our continuous-integration pipeline.
- Endpoint security. Employee endpoints are managed, encrypted, and protected by industry-standard endpoint security tools.
- Incident response. Telos maintains an incident-response process for triage, containment, investigation, customer notification, and post-incident review.
What we are building toward
Telos is committed to investing in our security program as we scale, including:
- SOC 2 Type II. We are working toward SOC 2 Type II attestation. We will publish updates as we progress.
- Independent penetration testing by qualified third parties on at least an annual basis.
- Formal security policies covering acceptable use, access management, change management, vulnerability management, vendor management, and incident response.
- Continuous compliance and monitoring tooling to evidence the operating effectiveness of our controls.
- Bug bounty program to reward independent researchers (see "Rewards" below).
We will update this page as these milestones are achieved. We deliberately avoid claiming compliance certifications or security capabilities we have not yet earned.
Customer Responsibilities
Security is a shared responsibility. Customers help protect their data by:
- enabling multi-factor authentication for all Authorized Users,
- promptly deactivating access for personnel who no longer need it,
- choosing strong, unique credentials,
- carefully scoping the permissions granted to AI Agents and reviewing AI Agent activity,
- only authorizing Connected Accounts that the Customer has the right to authorize, and
- promptly reporting any suspected unauthorized access to Telos.
Reporting a Vulnerability
If you believe you have discovered a security vulnerability in any Telos product, service, or property, we want to hear from you.
Email: security@gettelos.com
For sensitive reports, request our PGP public key by emailing security@gettelos.com, or use a secure channel we agree on.
In your report, please include:
- a clear description of the issue and its potential impact,
- steps to reproduce, including proof-of-concept, screenshots, payloads, or affected URLs,
- any relevant logs or request/response captures, and
- the name or handle you would like used if you would like public credit.
Scope
In scope:
- gettelos.com — marketing and informational site
- app.gettelos.com — Telos web application
- api.gettelos.com — Telos public API
- Telos mobile applications, where applicable
Out of scope:
- Third-party services we integrate with (please report to those providers directly)
- Social-engineering attempts targeting Telos personnel, contractors, customers, or vendors
- Physical attacks against Telos offices, infrastructure, or personnel
- Denial-of-service, resource-exhaustion, or volumetric load testing
- Findings derived solely from automated scanners without demonstrated exploitability
- Vulnerabilities in unsupported or end-of-life browsers, libraries, or operating systems
- Missing security headers or "best-practice" recommendations without a concrete, demonstrable exploit
- Clickjacking on pages that lack any sensitive action
- Self-XSS or attacks requiring physical access to a victim's device
- Issues that require an attacker to already have administrative or privileged access
- Recently disclosed (under 30 days) public vulnerabilities in third-party software we deploy
If you are unsure whether a particular test is in scope, email security@gettelos.com before testing.
Safe Harbor
Telos will not pursue civil legal action against, or initiate or support law-enforcement investigation of, security researchers who in good faith comply with this policy. To qualify for safe harbor, you must:
- make a good-faith effort to avoid privacy violations, data destruction, and service disruption,
- only access accounts you own or for which you have explicit permission from the account holder,
- not exfiltrate, retain, or share Customer Data beyond the minimum necessary to demonstrate the issue, and securely delete any such data after the report is acknowledged,
- not exploit the vulnerability beyond what is required to demonstrate it,
- give Telos a reasonable opportunity to investigate and remediate before any public disclosure, and
- comply with all applicable laws.
If a third party initiates legal action against you for activities that complied with this policy, we will make this authorization known.
This policy does not authorize action by Telos employees, contractors, or vendors against Telos. Anyone who has authorized access to Telos systems must follow internal policy, not this disclosure policy.
Our Commitments
When you submit a report in accordance with this policy, we will:
- Acknowledge receipt within five (5) business days;
- Triage the report and provide an initial severity assessment and expected remediation timeline as soon as reasonably practicable;
- Keep you updated on remediation progress;
- Credit you publicly, with your consent, once the issue is resolved.
Coordinated Disclosure
We ask that you provide Telos at least ninety (90) days from the date of your report to remediate before any public disclosure. For high-severity issues, we will work with you on a coordinated disclosure timeline that may be shorter or longer based on the facts. Please do not disclose the issue publicly — including to other researchers, media, or social platforms — until we have had a reasonable opportunity to respond.
Rewards
Telos does not currently offer monetary rewards for vulnerability reports. We deeply appreciate the security research community and will provide public acknowledgment with your consent. We expect to launch a paid bounty program in the future and will update this page when we do.
Subprocessors
Telos relies on a vetted set of subprocessors to deliver the Services. A current list of our subprocessors is available on request to security@gettelos.com. Customers who have signed a Data Processing Addendum will be notified of new subprocessors as required by that DPA.
Questions
If anything in this policy is unclear, email security@gettelos.com and we will get back to you.