Security
Built for trusted, controlled workflows
If you are evaluating Trope, this page covers the controls, review materials, and current security posture we can discuss today.
Security at a glance
Trope is built for teams running sensitive workflows in desktop apps and legacy systems. The basics are straightforward: capture is explicit, access is scoped, and review history is preserved.
Available now
What your security team can review today
Today that includes a SOC 2 readiness assessment dated January 22, 2026, deployment-specific residency posture, subprocessors, and questionnaire support. It does not imply an auditor-issued SOC 2 report.
What we support today
The controls most teams ask about first
We keep this page constrained to the controls and review material we can support today. That makes the first security conversation faster and more concrete.
Workspace SSO policy and capability-backed roles govern members, invites, reports, settings, and webhook administration.
Audit and compliance evidence is created as managed export jobs with lifecycle state, request IDs, and download controls.
Workspace admins can create workspace-wide or workflow-scoped legal holds that pause new report export creation.
Residency posture is deployment-specific, with region posture and supporting evidence shared during review.
Technical appendix
Claims-to-capability matrix
Open this if your security team wants the detailed mapping from enterprise claims to capability keys and enforcement surfaces.
15 claim mappings for the product authorization surfaces that are claim-driven today.
| Matrix label | Enterprise claim | Enforceable capability | Capability keys | Enforcement surface |
|---|---|---|---|---|
| Members directory visibility | Members read claims: membership.capabilities.members.read | View workspace members | members.read, org.members.read, workspace.members.read, can_view_members, can_manage_members | Members UI visibility and read-only membership APIs. |
| Membership administration | Members manage claims: membership.capabilities.members.manage | Add/remove members and update member roles | members.manage, org.members.manage, workspace.members.manage, can_manage_members | Member mutation controls and membership management APIs. |
| Owner transfer controls | Owner promotion claims: membership.capabilities.members.promote_owner | Promote members to workspace owner | members.promote_owner, members.promote-owner, members.assign_owner, members.assign-owner, org.members.promote_owner, org.members.promote-owner, org.members.assign_owner, org.members.assign-owner, workspace.members.promote_owner, workspace.members.promote-owner, workspace.members.assign_owner, workspace.members.assign-owner | Owner assignment controls and owner-promotion API checks. |
| Invite lifecycle controls | Invite claims: membership.capabilities.invites.manage | Create and revoke workspace invites | invites.manage, org.invites.manage, workspace.invites.manage, can_manage_invites | Invite entry points and invite mutation API routes. |
| Audit log access | Audit claims: membership.capabilities.audit.read | View workspace audit events | audit.read, org.audit.read, workspace.audit.read, audit.list, org.audit.list, workspace.audit.list | Audit navigation and audit log read routes. |
| Reports and exports visibility | Reports read claims: membership.capabilities.reports.read | View reports and export history | reports.read, report.read, exports.read, export.read, insights.reports.read, org.reports.read, org.report.read, org.exports.read, org.export.read, org.insights.reports.read, workspace.reports.read, workspace.report.read, workspace.exports.read, workspace.export.read, workspace.insights.reports.read, can_export_reports | Reports navigation visibility and report bootstrap payloads. |
| Reports export operations | Reports manage claims: membership.capabilities.reports.manage | Create and manage report exports | reports.manage, report.manage, exports.manage, export.manage, exports.create, export.create, insights.reports.manage, org.reports.manage, org.report.manage, org.exports.manage, org.export.manage, org.exports.create, org.export.create, org.insights.reports.manage, workspace.reports.manage, workspace.report.manage, workspace.exports.manage, workspace.export.manage, workspace.exports.create, workspace.export.create, workspace.insights.reports.manage, can_export_reports | Report export mutations and export lifecycle actions. |
| Workspace policy management | Settings claims: membership.capabilities.settings.manage | Update workspace settings and policy controls | settings.manage, org.settings.manage, workspace.settings.manage, can_manage_security_settings | Settings UI controls and settings mutation APIs. |
| Billing package controls | Billing claims: membership.capabilities.billing.manage | Manage workspace billing package metadata | billing.manage, org.billing.manage, workspace.billing.manage, can_manage_billing | Billing route visibility and billing package mutation APIs. |
| Retention policy controls | Retention claims: membership.capabilities.retention.manage | Manage retention periods and digest defaults | retention.manage, org.retention.manage, workspace.retention.manage, can_manage_retention | Retention controls and retention policy mutation APIs. |
| Legal hold governance | Legal hold claims: membership.capabilities.legal_holds.manage | Create and update legal holds | legal_holds.manage, legal-holds.manage, legal.holds.manage, org.legal_holds.manage, org.legal-holds.manage, org.legal.holds.manage, workspace.legal_holds.manage, workspace.legal-holds.manage, workspace.legal.holds.manage, can_manage_legal_holds | Legal hold controls and legal hold lifecycle APIs. |
| Network allowlist controls | IP allowlist claims: membership.capabilities.ip_allowlist.manage | Manage workspace IP allowlist and enforcement mode | ip_allowlist.manage, ip-allowlist.manage, ip.allowlist.manage, org.ip_allowlist.manage, org.ip-allowlist.manage, org.ip.allowlist.manage, workspace.ip_allowlist.manage, workspace.ip-allowlist.manage, workspace.ip.allowlist.manage, can_manage_ip_allowlist | IP allowlist settings controls and allowlist mutation APIs. |
| Workflow governance actions | Workflow claims: membership.capabilities.workflows.manage | Manage workflow lifecycle and approvals | workflows.manage, workflow.manage, workflows.update, workflow.update, workflows.archive, workflow.archive, workflows.review, workflow.review, workflows.approve, workflow.approve, workflows.share, workflow.share, workflows.share.manage, workflow.share.manage, org.workflows.manage, org.workflow.manage, org.workflows.update, org.workflow.update, org.workflows.archive, org.workflow.archive, org.workflows.review, org.workflow.review, org.workflows.approve, org.workflow.approve, org.workflows.share, org.workflow.share, org.workflows.share.manage, org.workflow.share.manage, workspace.workflows.manage, workspace.workflow.manage, workspace.workflows.update, workspace.workflow.update, workspace.workflows.archive, workspace.workflow.archive, workspace.workflows.review, workspace.workflow.review, workspace.workflows.approve, workspace.workflow.approve, workspace.workflows.share, workspace.workflow.share, workspace.workflows.share.manage, workspace.workflow.share.manage, can_manage_workflows, can_manage_members | Workflow edit/review actions and workflow mutation APIs. |
| Support token operations | Support token claims: membership.capabilities.support_token.manage | Issue and revoke support session tokens | support_token.manage, support_tokens.manage, org.support_token.manage, org.support_tokens.manage, workspace.support_token.manage, workspace.support_tokens.manage, can_manage_support_tokens | Support token admin controls and token mutation APIs. |
| Webhook delivery controls | Webhook claims: membership.capabilities.webhooks.manage | Manage workspace webhooks and subscribed events | webhooks.manage, org.webhooks.manage, workspace.webhooks.manage, integrations.webhooks.manage, org.integrations.webhooks.manage, workspace.integrations.webhooks.manage, can_manage_webhooks | Webhook settings controls and webhook lifecycle APIs. |