Security & Privacy
How Escher handles your data, your credentials, and your cloud access.
The short version
- Escher is a desktop app. It runs on your machine.
- Your cloud credentials never leave your device. Escher uses your existing CLI credentials in place. They are not copied, transmitted, or stored anywhere except where you put them (the macOS Keychain, by default).
- Read-only by default. Escher cannot modify your cloud resources unless you explicitly approve a specific action.
- Your data stays in your tenant. Estate data Escher reads is stored locally and (on team plans) in your team's tenant database. It is not shared across customers.
- SOC 2 Type II in progress. Tessell, the company behind Escher, is in active SOC 2 Type II audit.
What Escher reads
When you connect a cloud account, Escher reads metadata: resource configurations, IAM, billing, events, logs, and changes. It uses this to build a map of your estate.
It does not read:
- Customer data inside your databases
- Object content in your S3 / blob / GCS buckets
- Application logs beyond what's needed to correlate events
- Source code (except commit metadata when GitHub is connected)
For everything Escher does read, the cloud's own audit log (CloudTrail, Activity Log, Cloud Audit Logs) shows you exactly what API calls Escher made.
Where your data lives
| Plan | Estate data location |
|---|---|
| Solo (single user) | On your laptop only |
| Team | On each user's laptop + a shared team tenant database |
| Enterprise | On each user's laptop + a customer-isolated tenant database (optionally self-hosted) |
For team and enterprise tenants, the database is hosted in a region of your choice. Region availability is decided per agreement — check with your Tessell contact for current options.
Encryption
- In transit: TLS for every API call (cloud reads, Tessell-hosted services, integrations)
- At rest (laptop): macOS Keychain for credentials; the local estate cache is encrypted at rest
- At rest (tenant): standard cloud-provider encryption with customer-managed key options available on enterprise agreements
Cloud credentials
Escher consumes your existing cloud CLI credentials (~/.aws/credentials, az login state, gcloud config). It does not:
- Store a copy of your credentials anywhere it manages
- Transmit your credentials to any Tessell-hosted service
- Refresh or rotate your credentials on your behalf
When the credentials Escher uses expire (e.g. AWS SSO token), you re-authenticate with your CLI as you normally would. Escher picks up the refreshed credentials automatically.
Audit and compliance
For Tessell's current SOC 2, ISO 27001, GDPR, and HIPAA posture — and for the trust report that includes regional residency options and data-handling controls — contact security@tessell.com.
INFO
Specific certification status, audit dates, and regional availability change. The most current information is in the trust report rather than this docs site.
Data retention
Estate snapshots, conversation history, and audit logs are retained for the period specified in your agreement with Tessell. Defaults are configurable per tenant.
Deletion is honoured on request. The exact retention windows for your tenant are listed in your contract or available from security@tessell.com.