Security
Broch is self-hosted networking software. It runs entirely on infrastructure you control — your data, your network traffic, and your users never leave your environment. Broch has no access to your network, your databases, or your user information.
This page summarizes the security posture. For a full SOC 2 control mapping, GDPR analysis, and a security-questionnaire response, contact [email protected] — we provide the complete Security and Compliance overview on request.
No vendor in the traffic path
Section titled “No vendor in the traffic path”Unlike cloud-hosted tunneling services (ngrok, Cloudflare Tunnel), Broch operates no relay. Every request and response is decrypted only on your servers. Traffic passes through Broch’s transparent proxy in memory and is never inspected, modified, recorded, or sent to Broch.
Because Broch never processes your data, it is a software vendor, not a data processor: no DPA or BAA is required, and your deployment stays within your own audit scope rather than adding a subprocessor to your compliance chain.
We cannot read your data
Section titled “We cannot read your data”Broch’s at-rest secrets — the encrypted IdP refresh tokens, the persisted license token, and usage counters — are protected by a key ring that is itself wrapped by a customer-owned master key.
- The master key is supplied to the server at boot via the
BROCH_MASTER_KEYenvironment variable. The server will not start without it. - The key is created in your environment: the
broch-deployTerraform modules generate it at provision time into your platform’s secret store (Secrets Manager, Key Vault); on Docker Compose you generate it once withopenssl rand -base64 48and keep it in your env file or secret store. - Broch never sees it. The vendor holds no copy of the key that protects your at-rest state — the defining property of a zero-trust deployment.
See Environment Variables for the operational details, including rotation behavior.
Authentication is delegated to your IdP
Section titled “Authentication is delegated to your IdP”Broch stores no passwords. Authentication is brokered server-side through your identity provider (Entra ID, Okta, Auth0, or any OIDC provider), and end users only ever receive a server-signed, deployment-scoped Broch token — never IdP access or refresh tokens. A stolen Broch token cannot be replayed against any other service that trusts the same IdP.
Authorization is stateless and claims-based: your IdP is the single source of truth for roles, evaluated fresh on every connection. Broch maintains no access-control tables to drift out of sync.
You hold the data
Section titled “You hold the data”Broch stores only seat assignments (which IdP identity holds which feature entitlement) in your own PostgreSQL database — no end-user passwords, no traffic content.
What Broch receives is the licensing exchange, exactly this:
| When | Sent to Broch |
|---|---|
| License activation (admin-initiated) | License key, deployment ID (your wildcard hostname), server machine name, server version |
| License refresh (automatic, every 15–30 days) | License key, current token, and a usage report: active seat count, all-time seat high-water mark, server version — integers, not identities |
| In-app purchase (admin-initiated) | Deployment ID, seat quantities, buyer email, agreement version, and the signing admin’s name and IdP-verified email |
| Agreement acceptance (admin-initiated) | License key, accepted version, and the signing admin’s name and IdP-verified email |
The admin emails above exist to bind the purchase and the subscription agreement to an authorized signer. Broch never receives your end-user list, traffic content, tunnel activity, or service topology.
Verifiable, standards-based delivery
Section titled “Verifiable, standards-based delivery”Broch ships as a Docker image you control. Scan it with your own container security tooling (Trivy, Grype, Snyk) before it enters your environment — every dependency and base layer is visible. The traffic path is built on open standards (SSH, WebSocket, TLS, OIDC, JWT) and open-source components (YARP, Caddy, .NET), each independently auditable rather than a proprietary black box.
Shared responsibility
Section titled “Shared responsibility”| Broch provides | You control |
|---|---|
| Software security, patching, vulnerability response | Infrastructure, network, and OS security |
| License validation logic (runs locally) | Identity provider configuration |
| Security incident communication | The master key (see At-Rest Encryption), database encryption, and audit-log retention |
Questions?
Section titled “Questions?”For the full Security and Compliance overview, a completed security questionnaire, or a vulnerability report, contact [email protected].