Essential for IT decision-makers

End-to-end security architecture from chip to cloud

Hardware encryption, zero-knowledge cloud design, IAM controls, and deployment on AWS's certified cloud infrastructure help Penstar support auditable security workflows for regulated industries.

Four layers of defense in depth

Hardware Security Layer

Secure boot, AES-256 storage encryption, physical tamper resistance, and remote lock/wipe. Illustrated with chip architecture diagrams showing TrustZone isolation.

  • Secure Boot: Firmware signature verification with tamper-resistant boot chain
  • TPM 2.0: Keys stored in an isolated secure element

Cloud Data Security

TLS 1.3 transport encryption, zero-knowledge architecture, and selectable data residency (US / EU / Mainland China).

  • Zero-Knowledge: Server cannot decrypt user note content
  • Data Residency: Data stays in-region to meet sovereignty requirements

Compliance Certifications

Penstar deployments run on AWS's ISO 27001 and SOC 2 Type II certified cloud infrastructure. Additional Penstar certifications and compliance modules should be confirmed with the enterprise team.

Identity & Access Management

SSO (SAML/OIDC), role-based access control (RBAC), multi-factor authentication (MFA), and full activity audit logs retained for 7 years.

Security architecture overview

Device-side encryption → TLS transport → zero-knowledge cloud storage → administrator RBAC access control.

  • ISO 27001: AWS infrastructure
  • SOC 2 Type II: AWS infrastructure
  • GDPR: Data handling support
  • HIPAA: Workflow support option

Penstar Security Stack
Admin Console · SSO · RBAC · Audit Log
↕ TLS 1.3 · mTLS
Penstar Cloud · Zero-Knowledge · AES-256 at Rest
↕ E2E Encrypted Sync
eNote Device · Secure Boot · TPM · Remote Wipe

Fleet Dashboard security controls

  • Device compliance at a glance: Encryption status, OS version, and policy compliance rate
  • Remote lock / wipe: One-click remote data wipe when a device is lost
  • Audit log export: Full operation history with SIEM integration support
  • Policy enforcement: Disable USB, enforce VPN, and password complexity requirements

Fleet Security Dashboard

  • Encrypted: 847
  • Compliance rate: 100%
  • Latest penetration test: 2026-05-15 · 0 Critical · 0 High

Need a security assessment report?

Leave your email and our security team will share the current security brief and confirm available compliance documentation.

WhatsApp +1 302 932 3415