Security Overview
Big Picture is designed as infrastructure software and is built with a security-first mindset appropriate for enterprise and regulated environments.
This page provides a high-level overview of Big Picture’s security principles and operational posture. It is not a certification or compliance statement.
Core security principles
Big Picture is built around the following principles:
- Least privilege by default: clients and operators are granted only the minimum access required.
- Signed decisions and metadata: update catalogs, release decisions, and licensing artifacts are cryptographically signed to prevent tampering.
- Separation of concerns: artifact storage, decision logic, and client enforcement are intentionally decoupled.
- Explicit trust boundaries: Big Picture does not assume administrative access or unrestricted network connectivity.
Authentication and authorization
Big Picture supports modern authentication models suitable for both human users and machine-to-machine access. Authorization is scoped by tenant, product, and role.
Licensing enforcement is based on short-lived, signed lease tokens rather than static license keys.
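The following is an added illustration of the two mechanisms named above: signed artifacts that a client can check for tampering, and short-lived lease tokens that carry a tenant/product scope and an expiry instead of a static license key. It is example code written for this page, not Big Picture's own implementation, and its token format, field names (tenant, product, iat, exp), key, and 15-minute TTL are all assumptions. For a self-contained, dependency-free run it uses an HMAC; a real issuer would sign with a private key so that clients hold only the public verification key and cannot mint leases themselves.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. In a deployed system the issuer would hold an
# asymmetric signing key and clients only its public counterpart.
DEMO_KEY = b"demo-lease-signing-key-not-for-production"

# Assumed lease lifetime: a short TTL bounds the value of a leaked token.
LEASE_TTL_SECONDS = 900


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_lease(key: bytes, tenant: str, product: str, now: int,
                ttl: int = LEASE_TTL_SECONDS) -> str:
    """Mint a lease token of the form base64url(payload).base64url(mac)."""
    payload = {"tenant": tenant, "product": product, "iat": now, "exp": now + ttl}
    # Canonical JSON so that issuer and verifier authenticate identical bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64url(body)}.{_b64url(mac)}"


def verify_lease(key: bytes, token: str, now: int,
                 expected_tenant: str, expected_product: str) -> Optional[dict]:
    """Return the lease payload if signature, expiry and scope all hold, else None.

    The order matters: the signature is checked before the payload is parsed,
    so unauthenticated bytes never influence the decision.
    """
    try:
        body_b64, mac_b64 = token.split(".", 1)
        body = _b64url_decode(body_b64)
        mac = _b64url_decode(mac_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token

    expected_mac = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected_mac):  # constant-time comparison
        return None  # tampered payload or wrong key

    try:
        payload = json.loads(body)
    except ValueError:
        return None

    # Expiry: a captured token stops working once exp passes.
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None

    # Scope: a lease for one tenant/product must not unlock another.
    if payload.get("tenant") != expected_tenant or payload.get("product") != expected_product:
        return None
    return payload


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    token = issue_lease(DEMO_KEY, "acme", "widget", t0)
    print("fresh lease:", verify_lease(DEMO_KEY, token, t0 + 10, "acme", "widget"))
    print("after expiry:", verify_lease(DEMO_KEY, token, t0 + LEASE_TTL_SECONDS, "acme", "widget"))
```

The same pattern applies to a signed update catalog or release decision: the client recomputes the signature over the canonical bytes it received and refuses to act on anything that fails the check, so a mirror or proxy in the path cannot silently alter what gets installed.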
Deployment models
Big Picture supports multiple deployment models:
- Cloud-hosted by Big Picture
- Self-hosted in customer-controlled infrastructure
- Vendor-controlled mirrors and local license servers for restricted environments
Customers retain control over keys and infrastructure in self-hosted and regulated deployments.
Telemetry and data handling
Big Picture produces operational and licensing telemetry required for safe rollout, auditability, and usage reporting. Telemetry is intentionally limited, documented, and designed to integrate with existing observability systems.
Big Picture is not a general analytics or tracking platform.
Compliance and certification considerations
Big Picture is designed to support customers operating under strict regulatory and compliance requirements. However, formal compliance certifications (such as SOC 2, FedRAMP, PCI DSS, or similar) are evaluated in the context of a specific deployment environment.
For customers who require certified environments as part of their compliance posture, Big Picture is typically deployed in a self-hosted configuration, where infrastructure, access controls, and operational procedures are owned and managed by the customer.
This deployment model allows customers to align Big Picture with their existing compliance programs, audits, and certifications without introducing additional third-party scope.
Cloud-hosted deployments are appropriate for many commercial use cases, but regulated customers should expect to evaluate self-hosted deployment options during security and compliance review.
Formal compliance certifications (e.g., SOC 2) are planned as the platform matures. Big Picture is designed to support customer compliance requirements but does not claim certifications prior to completion.
Security questions or review requests can be directed to the contact information listed on the site.