Skip to main content

Trust and Security Model Template

Required before any security-relevant release.

# [AppName] — Trust and Security Model

**Version:** [AppName] v[X.Y.Z]
**Document status:** [Draft / Under review / Current]
**Last updated:** [YYYY-MM-DD]

This document describes how [AppName] handles sensitive data, what it trusts, and what it deliberately does not do. It is a living reference that should be updated when security-relevant behavior changes.

An incomplete trust model that states what it covers is more useful than no trust model.

---

## Scope

This document covers:

* [Area 1 — e.g. how user credentials are stored]
* [Area 2 — e.g. how data is encrypted at rest]
* [Area 3 — e.g. what network connections the application makes]

This document does not cover:

* [Out-of-scope area — e.g. the operating system's security posture]
* [Out-of-scope area — e.g. network infrastructure between the user and any services]

---

## Data Classification

| Data Type | Sensitivity | Where Stored | How Protected |
|-----------|-------------|--------------|---------------|
| [e.g. User credentials] | High | [e.g. Windows Credential Manager] | [e.g. OS-managed, never written to disk by this application] |
| [e.g. Application settings] | Low | [e.g. %APPDATA%\AppName\settings.json] | [e.g. plaintext — contains no secrets] |
| [e.g. Vault data] | High | [e.g. %APPDATA%\AppName\vault.db] | [e.g. AES-256-GCM, key derived from user passphrase] |

---

## Trust Boundaries

### What [AppName] trusts

* [e.g. The Windows operating system and its security primitives (DPAPI, Credential Manager)]
* [e.g. The user who launched the application — no multi-user isolation within a single OS session]
* [e.g. Files in the install directory — assumed to be the unchanged build artifact]

### What [AppName] does not trust

* [e.g. Files in the data directory — format validation is enforced on read]
* [e.g. External network sources — application is fully offline; any unexpected network call is a defect]
* [e.g. Clipboard contents — treated as untrusted input]

---

## Cryptographic Primitives

| Primitive | Algorithm | Key Size | Usage | Library |
|-----------|-----------|----------|-------|---------|
| [e.g. Symmetric encryption] | [e.g. AES-256-GCM] | [e.g. 256-bit] | [e.g. Vault data at rest] | [e.g. System.Security.Cryptography] |
| [e.g. Key derivation] | [e.g. PBKDF2-HMAC-SHA256] || [e.g. Passphrase to encryption key] | [e.g. System.Security.Cryptography] |
| [e.g. Hash] | [e.g. SHA-256] || [e.g. Artifact integrity] | [e.g. System.Security.Cryptography] |

If no cryptographic primitives are used: state that explicitly. "This application does not use cryptography."

---

## Sensitive Operations

### [Operation name — e.g. Vault unlock]

**What happens:** [Plain description of what the operation does]

**Input:** [What the user or system provides]

**Output:** [What is produced or changed]

**Failure behavior:** [What happens if the operation fails — e.g. "key material is zeroed, vault is not opened"]

**Audit:** [Whether and how this operation is logged — e.g. "unlock attempts are not logged"]

---

## Data Retention and Deletion

* **Uninstall behavior:** [e.g. "The installer removes application binaries only. User data at %APPDATA%\AppName is not deleted."]
* **Data deletion:** [e.g. "User data can only be deleted manually. No in-app delete-all function exists."]
* **Temporary files:** [e.g. "No temporary files are written outside the application data directory."]
* **Clipboard:** [e.g. "Clipboard contents are cleared after N seconds when sensitive data is copied."]

---

## Network Behavior

[AppName] is: [**fully offline** / **network-aware** / **always-connected**]

[If offline: "This application makes no network connections. Any unexpected outbound connection from this process is a defect and should be reported."]

[If network-aware: List all outbound connections by destination, protocol, and purpose.]

---

## Known Limitations and Gaps

This section is honest about what the current security model does not address.

* [e.g. "This application has not undergone a third-party security audit."]
* [e.g. "Key material may remain in memory after vault lock if the GC has not collected it."]
* [e.g. "Log files are not encrypted and may contain metadata about user activity."]

---

## Audit and Review Status

| Review Type | Status | Date | Reviewer |
|-------------|--------|------|---------|
| Internal review | [Completed / Pending / Not performed] | [YYYY-MM-DD] | [Name] |
| Third-party audit | [Completed / Pending / Not performed] | [YYYY-MM-DD] | [Firm or N/A] |
| Penetration test | [Completed / Pending / Not performed] | [YYYY-MM-DD] | [Firm or N/A] |

> Do not claim production readiness in a release note without a security review on record.

---

## Change Log

| Version | Change | Date |
|---------|--------|------|
| v[X.Y.Z] | Initial document | [YYYY-MM-DD] |