ThreatLocker Security and Privacy

8 min. read | Last update: 05.01.2026

Note: For information regarding Privacy for Zero Trust Network Access (ZTNA) and Zero Trust Cloud Access (ZTCA), please refer to the following article:

Secure Network – Privacy | ThreatLocker Help Center

This article outlines the types of data ThreatLocker collects, how that data is protected, and how it is used across the platform’s features and services. It also describes the security standards and compliance frameworks ThreatLocker adheres to. 

ThreatLocker is committed to data security and privacy. When using ThreatLocker® products and services, ThreatLocker may collect information necessary to provide those services. ThreatLocker ensures that all information and configurations collected are protected using industry-recognized security standards and best practices. ThreatLocker implements controls and procedures in line with the following standards: 

  • CMMC Level 2
  • NIST 800-53, Rev 5
  • NIST 800-171 (Required for DFARS 252.204-7012)
  • NIST 800-207 (Zero Trust Architecture)
  • CIS Controls V7
  • ISO 27001/2
  • HIPAA

Our security controls and practices are audited at least once per year by an independent auditor certified by AICPA, and a SOC 2 Type II report is issued. The results of the audit are available to customers upon request and under a non-disclosure agreement. 

ThreatLocker undergoes regular penetration tests both internally and externally. 

ThreatLocker Cyber Hero Support and Solutions Engineers assist with onboarding and configuration. Customers are able to granularly configure who has access to their data. Within their organization, they can choose from over 50 permissions for their team. Customers can also choose who on ThreatLocker’s staff can read or change their settings. 

All access and changes are logged and visible within the System Audit, which is accessible to customers by logging into the portal. 

All confidential information, including data transmitted to and from the ThreatLocker agent, is encrypted both in transit and at rest using industry-standard encryption protocols. 

ThreatLocker does not sell customer data. Data is only shared with trusted subprocessors as necessary to deliver services, in accordance with applicable agreements and regulations. The data collected varies based on the features that are being used. The data collected by each component is outlined below.

Upon request, ThreatLocker may enter into a DPA (Data Protection Agreement) with your organization to satisfy GDPR or CCPA requirements. 

ThreatLocker Portal

If you are an administrator of your account and log into the ThreatLocker Portal, ThreatLocker may collect the following data to identify you or grant you access to the ThreatLocker Portal: 

  • Full name
  • Address
  • Telephone number
  • Business email address
  • IP address that you access the portal from
  • Job title

ThreatLocker may use this information to contact you about alerts or configurations on your account, as well as send you information about updates to our product, outages, or recommendations. 

ThreatLocker Agent

When an agent is installed on your computer, ThreatLocker collects basic information to authenticate your computer and provide services for features that may be enabled. The following information may be collected regardless of which feature sets are enabled: 

  • Computer public IP address
  • Computer hostname
  • Logged-in users, including the domain name (e.g. ThreatLocker\JohnSmith)
  • Operating System, including build and CPU type (e.g. Windows 10 Professional, AMD64)
  • Make and Model (e.g. Dell Latitude 5200)
  • A list of ThreatLocker products and services that are installed or on your computer

When additional features are enabled, the following information is collected alongside logs of the additional features: 

  • Username, including domain name
  • The hostname of the computer
  • Date and time an action was taken
  • Interface type a hard drive is connected with (e.g. USB or SAS)
  • The serial number of the disk and volume 

ThreatLocker Allowlisting

The following information is collected when performing an initial baseline scan of your computer: 

  • A list of all Executable files, including libraries, script files, and other supporting application extensions, including the following file information:
    • File name and path
    • MD5 and SHA256 hash of the file, and SHA1 (if enabled)
    • Certificate information from the file, including the certificate subject and an irreversible SHA256 of the signer (we do not collect private keys)
    • File size 
  • Depending on your policy configuration, ThreatLocker may audit instances of new program files being created or executed. This includes all the above information, as well as:
    • The username of the person who opened the program, including the domain name
    • The date and time the program or library was opened
    • The name and the process ID of the process that called the program 

ThreatLocker Ringfencing™

This feature allows I.T. administrators to control what applications can do once they have been executed. Ringfencing™ controls access to other applications, as well as network traffic, file access, and registry changes. 

To provide these levels of control, ThreatLocker logs the following information, which varies based on the configuration of policies:

  • Where an application has restricted access to the network, ThreatLocker will collect the following network information for each destination that the application attempts to connect to or successfully connects to:
    • All IP addresses, including internal or public IP addresses
    • A hostname from the DNS cache matching the IP address
    • The TCP/IP port
  • Where an application has restricted access to documents and files, ThreatLocker will collect the following file information that the application accesses:
    • Full file name, including the path
    • File size
  • Where an application has restricted access to write to the registry, ThreatLocker will collect the following registry information that the application has attempted to or successfully changed:
    • The full registry key, including the path 

ThreatLocker Elevation

This feature allows administrators to either temporarily or permanently grant an application administrative permission. When enabled, ThreatLocker will collect the following additional information:

  • Any attempt to elevate, regardless of whether the elevation was completed or not
  • Any ThreatLocker-assisted elevation
  • The application information, including all information that is collected by the Application Whitelisting module 

ThreatLocker Storage Control

This feature allows I.T. professionals to control access to storage, including USB drives, network shares, or local storage. When enabled and based on policy configuration, ThreatLocker will collect the following information: 

  • Full file name, including the path
  • Size of the file
  • The action that is taken (i.e. read, write, delete or move)
  • The process name, process ID, and process path that accessed the file 

ThreatLocker Tray 

The ThreatLocker Tray is an application that allows users to easily request access to a program or storage device. The tray application displays a message to a user when something is blocked. If a user requests access to a file, the following information is recorded: 

  • The user's login name and domain name
  • File information, as listed in the feature section (e.g. Application Whitelisting)
  • The user’s email address, if they explicitly enter it, in which case the user will be notified when the file is approved
  • The reason the user wants to open the file, if the user entered a reason, which is optional
  • The file contents, only if the box is checked to upload a copy of this program for review 

ThreatLocker shall not make use of the information collected for any reason other than processing the request. 

Cloud Control

ThreatLocker Cloud Control allows administrators to control access to Microsoft 365 resources by creating dynamic ACLs and controlling conditional access, along with defined named locations. When enabled/configured, ThreatLocker will collect the following information: 

  • Named Location Name
  • Selected Microsoft 365 Tenant
  • ThreatLocker objects (groups or computers) that will be contained in the Named Location
  • Last known IP address of every object contained in the Named Location 

Identity Threat Detection and Response (Formerly Cloud Detect)

ThreatLocker Identity Threat Detection and Response (ITDR) allows administrators to leverage an existing Office 365 connector integration by creating rules that alert and/or respond to specified events within your Office 365 environment. When enabled/configured, ThreatLocker will collect the following information from ITDR policies:

  • Connector (Microsoft Graph, Office 365 Management or ThreatLocker Advanced Analytics)
  • Log Type (Directory Audit, Risk Detection or Security Alert)
  • Policy Action (Rest API, Webhook, Alert, Ticket, Send Email or Lockout Account) 

Endpoint Detect

ThreatLocker Endpoint Detect validates your zero-trust policies by allowing you to create rules that notify or respond to specified events. ThreatLocker Detect uses telemetry data, threat levels, and policies to define and communicate the current level of attack on your system. When enabled/configured, ThreatLocker will collect the following information from Endpoint Detect policies: 

  • Policy Name/Description
  • Policy Conditions
  • Policy Action (Rest API, Webhook, Alert, Ticket, Send Email or Lockout Account)
  • Policy Expiration & Order 

Cyber Hero MDR

ThreatLocker Cyber Hero Managed Detection and Response (MDR) allows the ThreatLocker Cyber Heroes to triage both Endpoint Detect and ITDR alerts and make decisions on your behalf following your company's playbook. When enabled/configured, ThreatLocker will collect the following information from your company's playbook:

  • Contact Names
  • Contact Phone Numbers
  • Instructions for Cyber Hero MDR Team 

Configuration Manager

ThreatLocker Configuration Manager provides a centralized, policy-driven portal where administrators can set configuration policies per individual endpoint, computer group, organization, or across multiple organizations to help mitigate the most common threat vectors. When enabled/configured, ThreatLocker will collect the following information: 

  • Administrator Account Name (If the Rename Administrator Account policy is enabled)
  • Administrator Password (If the ThreatLocker Administrator Password System (TLAPS) policy is enabled)

Patch Management

ThreatLocker Patch Management provides a centralized location to view all managed applications and immediately see if any are missing updates. When enabled/configured, ThreatLocker will collect the following information: 

  • Policy Name
  • Applies To (Computers and/or Groups)
  • Application
  • Patch Version

Syslog Ingestion

ThreatLocker Syslog Ingestion is a tool for receiving log data from various devices within an environment using the Syslog Protocol. ThreatLocker now provides a means of applying a Syslog Ingester directly to machines in your organization. When enabled/configured, ThreatLocker will collect the following information: 

  • Listener IP Address
  • Listener UDP Port Number
  • Action Type (Network/Other)
  • Source Type (General Syslog/Big-IP/Meraki/SophoUTM/SonicWall)