Security and SSO
Updated 18 May 2026
The short version: authentication via Clerk (industry-standard JWT), TLS everywhere, encrypted at rest, SSO available for enterprise plans.
Authentication
Sign-in is via Clerk. Supported methods:
- Email + password (with strong-password rules)
- Magic link (passwordless)
- Google OAuth
- Microsoft / Office 365 OAuth
- SAML SSO — for enterprise plans, see below
Sessions use short-lived JWTs that refresh automatically. Sign-out revokes both the access token and the refresh token. We never store passwords ourselves — Clerk handles that.
Two-factor (2FA)
Every user can turn on 2FA from their profile. Methods: TOTP (Google Authenticator, 1Password, etc.) and SMS. Workspace admins can require 2FA for all members from Settings → Security.
SSO (enterprise)
Connect your identity provider (Okta, Azure AD, Google Workspace) via SAML 2.0. Once connected:
- New employees in your IdP get a Tyto seat automatically
- Removing someone in your IdP signs them out of Tyto immediately
- We never see your password; we receive only the SAML assertion from your IdP
Talk to us about enabling SSO — it's available on the Enterprise plan and we'll help with the IdP config.
Data at rest
- Postgres databases encrypted at rest (AWS RDS managed encryption)
- File uploads in encrypted S3 buckets
- Backups encrypted, retained for 30 days
Data in transit
TLS 1.3 everywhere — the web app, the mobile app, the API, the webhooks we send. HSTS enabled on all our domains.
Audit log
Workspace admins can view a log of significant changes (invites, role changes, project archivals, integration changes) under Settings → Security → Audit log. Retained for 12 months. Available as CSV export.