# Security considerations

## Data Privacy

groundcover’s architecture is built with privacy as one of its primary drivers. All data that groundcover collects is stored inside your environment. Our default deployment is built in a way that ensures no data ever leaves your cluster, and that remains the case forever. See our [Architecture](https://github.com/groundcover-com/docs/blob/main/architecture/security-considerations/broken-reference/README.md) section for more details.

When someone from your company opens the groundcover UI, data reaches the UI through a secure, encrypted tunnel so that the user can access and visualize it. No data that is passed to the UI is persisted on groundcover's side. This architecture ensures that groundcover is, and remains, as privacy-focused as possible.

## Single Sign-On (SSO) Support with OIDC and SAML

{% hint style="info" %}
SSO support is an exclusive feature available in our [enterprise plan](https://www.groundcover.com/pricing). Implementing SSO requires coordinated actions between groundcover and your team. To initiate the process, please contact us through [Slack](https://www.groundcover.com/join-slack) to ensure seamless communication and successful setup.
{% endhint %}

groundcover offers robust support for Single Sign-On (SSO) through both OpenID Connect (OIDC) and Security Assertion Markup Language (SAML), to ensure seamless and secure access to our platform by integrating with your existing identity provider (IdP).

### OIDC

Built on the OAuth 2.0 framework, [OIDC](https://openid.net/developers/how-connect-works/) is a modern authentication protocol that uses JSON Web Tokens (JWTs) to transfer user information between parties. It is particularly well-suited for modern web applications, mobile apps, and APIs due to its lightweight, RESTful approach and ease of integration with JSON-based environments.

groundcover supports any IdP that uses OIDC, including:

<table data-view="cards"><thead><tr><th></th><th></th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-3d1f6a38ae47bfbf1eab6f40033c2c1ef6b4489c%2Fimage.png?alt=media" alt="" data-size="line"></td><td>Okta</td><td><a href="security-considerations/okta-sso-onboarding">okta-sso-onboarding</a></td></tr><tr><td><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-ed97a699f4200af843bee24acf43e442dc9f8755%2Fimage.png?alt=media" alt="" data-size="line"></td><td>OneLogin</td><td></td></tr><tr><td><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-b744ce07ebd9dbe85ce112d57d089deb52e52016%2Fimage.png?alt=media" alt="" data-size="line"></td><td>Auth0</td><td></td></tr><tr><td><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-affd23353dc0a79bf3f1aa8e6f469e9356d9da07%2Fimage.png?alt=media" alt="" data-size="line"></td><td>Microsoft Azure AD (Active Directory)</td><td></td></tr><tr><td><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-49e25558eba49855d949a32e7ac1d451b1a0549f%2Fimage.png?alt=media" alt="" data-size="line"></td><td>PingIdentity</td><td></td></tr><tr><td><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-9acc3624b2d79f8403a723d359bfdb2dfb441d20%2Fimage.png?alt=media" alt="" data-size="line"></td><td>Google Identity Platform</td><td></td></tr><tr><td><img 
src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-31c172e1d0ca6b276acaa4272cbd93c0db692c16%2FAmazon%20Cognito.png?alt=media" alt="" data-size="line"></td><td>Amazon Cognito</td><td></td></tr><tr><td><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-acd77cf0943505c6ad77ce4f8a9aefbbb71f551f%2Fimage.png?alt=media" alt="" data-size="line"></td><td>IBM Security Verify</td><td></td></tr></tbody></table>

### SAML

SAML is an older, XML-based protocol that was designed for enterprise-level security and is widely used for federating identity across disparate systems. SAML is ideal for single sign-on in legacy enterprise applications and environments where XML is already in use, providing robust support for complex organizational requirements and integrations.

groundcover supports any IdP that uses SAML, including:

<table data-view="cards"><thead><tr><th></th><th></th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-3d1f6a38ae47bfbf1eab6f40033c2c1ef6b4489c%2Fimage.png?alt=media" alt="" data-size="line"></td><td>Okta</td><td></td></tr><tr><td><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-ed97a699f4200af843bee24acf43e442dc9f8755%2Fimage.png?alt=media" alt="" data-size="line"></td><td>OneLogin</td><td></td></tr><tr><td><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-824f0600f8cdaa85e1479869ea4f303ef6339e88%2Fimage.png?alt=media" alt="" data-size="line"></td><td>JumpCloud</td><td></td></tr><tr><td><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-49e25558eba49855d949a32e7ac1d451b1a0549f%2Fimage.png?alt=media" alt="" data-size="line"></td><td>PingIdentity</td><td></td></tr><tr><td><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-89da909a608fd1ca0ed1d8a6412ad594dd3fb2ab%2Fimage.png?alt=media" alt="" data-size="line"></td><td>CyberArk Identity</td><td></td></tr><tr><td><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-affd23353dc0a79bf3f1aa8e6f469e9356d9da07%2Fimage.png?alt=media" alt="" data-size="line"></td><td>Microsoft Azure AD (Active Directory)</td><td></td></tr><tr><td><img 
src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-b744ce07ebd9dbe85ce112d57d089deb52e52016%2Fimage.png?alt=media" alt="" data-size="line"></td><td>Auth0</td><td></td></tr><tr><td><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-4dc0f6c02fef6411d8180e0a983a4efb5f55c410%2Fimage.png?alt=media" alt="" data-size="line"></td><td>Frontegg</td><td></td></tr><tr><td><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-c7c12fa14788475faac2090bfdf7d8fcd35ddb89%2Fimage.png?alt=media" alt="" data-size="line"></td><td>WorkOS</td><td></td></tr><tr><td><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-ac190211bbb2e14b2345422beea90c7ecdf85fd0%2Fimage.png?alt=media" alt="" data-size="line"></td><td>SecureAuth</td><td></td></tr></tbody></table>

{% hint style="info" %}
The full list of available SSO providers is too long to display. Any SSO provider that uses OIDC and/or SAML can be supported by groundcover. Full implementation guides for the most popular SSO providers for each protocol will be published soon.
{% endhint %}


