Security at ET Ducky
Last Updated: May 29, 2026
Overview
Our posture, in plain language
ET Ducky runs as a privileged service on customer endpoints (Windows Service under LocalSystem, Linux systemd unit under a hardened etducky user) and can apply network isolation, push configuration changes, and run remote sessions. That level of access deserves transparency about how we operate.
This page documents our current security posture, sub-processors, and how to report vulnerabilities. For the full technical detail, see our security whitepaper.
Key principles
- On-endpoint correlation. Raw kernel events stay on the host. Only sanitized, PII-filtered summaries leave the machine.
- Tenant isolation. Row-level security plus Clerk-managed identities provide complete separation between customer organizations.
- No global admin view. ET Ducky staff have no in-product path to view a customer's data while logged in.
- Operator-driven elevation. Linux
sudoescalation requires explicit operator authorization with full audit trail; the agent never silently escalates. - Customer-controlled retention. Default 14-day retention with paid tiers up to 730 days; purges are automatic and permanent.
Certifications & Framework Alignment
Current status
We want to state this clearly: ET Ducky is not yet SOC 2 audited. Our security whitepaper documents how our controls map to the SOC 2 Trust Services Criteria, ISO 27001 Annex A, NIST CSF, and GDPR Article 32 — but mapping is not certification, and we won't claim what we don't hold.
| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type 1/2 | Not audited | Controls mapped in whitepaper; examination not yet scheduled |
| ISO 27001 | Not certified | Annex A control mapping documented in whitepaper |
| NIST CSF | Aligned (self-attested) | Control mapping in whitepaper Compliance Matrix |
| GDPR | Article 32 controls in place | See Privacy Policy for data subject rights |
| HIPAA | Technical safeguards alignment | Self-hosted deployment recommended for PHI; BAA not currently offered |
If you have a procurement requirement that depends on a SOC 2 attestation or signed BAA, contact us — we'd rather have an honest conversation about timelines than oversell what we have today.
Sub-processor certifications we inherit
Some of the controls in our environment are provided by third-party sub-processors that hold their own attestations.
- Identity & SSO: Clerk is SOC 2 Type II certified.
- Infrastructure: DigitalOcean holds SOC 2 Type II, SOC 3, ISO 27001, ISO 27017, ISO 27018, and PCI DSS attestations.
- Edge / WAF: Cloudflare holds SOC 2 Type II, ISO 27001, and PCI DSS attestations.
- Billing: Stripe is PCI DSS Level 1 certified.
- AI processing: Anthropic holds SOC 2 Type II.
Inherited controls reduce our scope but do not replace our own attestation.
Sub-Processors
Current list
The following third parties process customer data on ET Ducky's behalf as part of the cloud-hosted service. Self-hosted deployments do not transit data through any of these (except Anthropic when self-hosted customers configure Anthropic as their AI provider).
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Clerk | Authentication, sessions, MFA, SSO, organization membership | US |
| DigitalOcean | Application hosting, managed PostgreSQL database, load balancing | US (us-east region) |
| Cloudflare | DNS, CDN, DDoS protection, WAF, edge TLS termination | Global edge |
| Stripe | Subscription billing, payment processing | US |
| Anthropic | AI analysis of sanitized telemetry summaries (cloud-hosted only) | US |
We will update this list when sub-processors change. If you require notification before sub-processor changes for contractual reasons, contact [email protected].
Responsible Disclosure Policy
Scope
We welcome reports about vulnerabilities in:
- The
etducky.comdomain and all subdomains - The ET Ducky agent (Windows Service and Linux systemd unit)
- The ET Ducky desktop application
- The cloud API and dashboard
Out of scope
- Reports against our sub-processors (please report directly to Clerk, DigitalOcean, Cloudflare, Stripe, or Anthropic per their own disclosure policies)
- Social engineering of ET Ducky staff or customers
- Physical attacks against our infrastructure or offices
- Denial-of-service testing — please don't attempt this against production
- Reports about missing security headers without a demonstrated exploit
- Reports about rate limits that don't lead to a demonstrable security impact
How to report
Email [email protected] with:
- A description of the vulnerability and where it lives
- Steps to reproduce (or a proof-of-concept)
- The impact you believe it has
- Your preferred name and contact details for follow-up
PGP encryption is available on request — ask for our public key.
What you can expect from us
- Acknowledgement within 3 business days
- Triage and initial assessment within 10 business days
- Status updates every 14 days until resolution
- Public credit in our security advisories if you'd like it (or anonymous if you prefer)
- No legal action against good-faith research that follows this policy
Safe harbor
If you make a good-faith effort to comply with this policy during your security research, we will not pursue or support legal action against you. We consider research conducted under this policy to be authorized under the Computer Fraud and Abuse Act and similar statutes, and exempt from our Terms of Service to the extent necessary to perform the research.
Incident Response
If something goes wrong
If we detect or are notified of a security incident that affects customer data, here is what happens:
- Triage & containment — we identify scope and stop further exposure. The agent's network-isolation mechanism is available as a containment tool against compromised endpoints in customer environments.
- Customer notification — if customer data is affected, we notify the affected organization's admin contacts directly. Our target is notification within 72 hours of confirmation, in line with GDPR Article 33 expectations.
- Investigation & root cause — we publish a post-incident summary including timeline, scope, and remediation. Public-facing incidents are mirrored on status.etducky.com.
- Remediation & follow-up — we share what we changed to prevent recurrence.
We have not had a security incident requiring customer notification to date. We will document any future incidents here.
Security Contact
How to reach us
- Vulnerability reports: [email protected]
- General security questions: [email protected]
- Procurement / compliance: [email protected] (ask for our security questionnaire response or current whitepaper)
- Machine-readable: see /.well-known/security.txt (RFC 9116)
More detail
Read the security whitepaper for the full architecture, encryption, isolation, and control-mapping documentation. See the Security documentation for product-level details on behavioral monitoring, isolation actions, and operator elevation.