Security at Terminal 3
Security, privacy, and compliance are architectural primitives at Terminal 3. Our architecture is designed so that even Terminal 3 cannot access your data without your participation.
Six layers of protection, built into the architecture
Hardware-enforced isolation
Computation runs inside Intel TDX Trusted Execution Environments. Data is decrypted only within the sealed hardware boundary, inaccessible to the host OS, cloud operator, and Terminal 3 infrastructure staff.
Post-quantum cryptography
Data at rest is encrypted with AES-256-GCM. Encryption keys are encapsulated using ML-KEM (FIPS 203), the NIST-standardized post-quantum key encapsulation mechanism, defending against future quantum attacks.
24/7 monitoring & response
Continuous security monitoring with automated anomaly detection and a defined incident response playbook. Every security event is logged, investigated, and resolved to documented standards.
Multi-party threshold keys
No single entity can decrypt data alone. Terminal 3, cloud providers, and infrastructure operators each hold only partial key shares. A threshold quorum across independent TEE nodes is required for decryption.
Tamper-proof audit trails
Every data access, computation, policy evaluation, and credential verification is logged in a Merkle-tree-backed immutable ledger. Entries are cryptographically signed and independently verifiable by third parties.
Data residency by design
Every value can be pinned to a specific jurisdiction at write time. Data never crosses regional boundaries. GDPR, PDPA, and APPI residency requirements are satisfied at the infrastructure layer, without any policy configuration required.
Security guarantees of the T3 Network
Private data never stored on-chain
All data stored with Terminal 3 is quantum-resistant because it never touches the blockchain, even in encrypted form. Only cryptographic commitments anchor identity and credentials on-chain, eliminating long-lived ciphertext exposure.
No single point of compromise
Key shares are distributed across independent hardware-secured nodes. Compromising a single node, including Terminal 3 as an organization, does not yield access to user data. Threshold quorum is always required.
Cryptographic attestation on every result
Every computation in a TEE produces a hardware attestation proving the correct code ran and data was handled according to policy. Applications verify attestations before trusting results. Tampering is detectable cryptographically.
Access ≠ transfer
Computation moves to the data inside the hardware enclave. Data never moves to the computation. Applications receive answers, not raw records, eliminating custody liability, breach risk, and compliance burden at the architecture level.
Independently audited and certified
We do not ask you to trust our claims. We provide proof.
Full-scope review of security controls, access management, network boundaries, and infrastructure hardening.
Deep review of cryptographic implementation, threshold key management, TEE attestation logic, and post-quantum algorithms.
Annual external penetration test of API surface, authentication flows, and network boundary controls by PwC.





Audit reports and compliance summaries are available to enterprise customers and prospects under NDA. Contact our security team to request access.
Privacy-native by architecture
Terminal 3 is architected so that privacy protections are enforced at the hardware and cryptographic level, independent of any policy or configuration. They cannot be disabled, misconfigured, or bypassed.
Data requires explicit user consent and cryptographic keys before it can be accessed, with threshold quorum from independent node operators required where applicable.
Found a vulnerability? Tell us first.
We take every security report seriously. If you discover a vulnerability, please disclose it responsibly by contacting our security team directly. We commit to:
- Acknowledging your report within 2 business days
- Keeping you informed throughout the investigation
- Crediting researchers who report valid findings (if desired)
- Not pursuing legal action against good-faith disclosure
Talk to our
security team
Our security team will walk you through our architecture, controls, and audit reports.