The world’s leading security teams rely on Tines to automate their mission-critical processes. They trust Tines to operate securely and to protect their data at all times. We take this trust seriously. Here you’ll find an overview of some of the measures we’ve implemented to ensure security and privacy are key tenets of our culture and are ingrained in how we operate day-to-day.
Compliance
Our information security program is aligned to the industry-accepted SOC 2 framework. A SOC 2 report attests that a company has established and follows strict information security policies and procedures. These policies cover the security, availability, processing integrity and confidentiality of customer data. We maintain SOC 2 Type II compliance and are audited annually.
Our compliance stance is an important part of how we protect customer data; however, we recognize that being compliant is not the same as being secure. As such, we have implemented (and will continue to implement) a range of additional security controls which provide our customers with further assurance that we are prioritizing security within the Tines product and organization.
Security in the product
We provide a number of security features within the Tines product which help ensure the confidentiality, integrity and availability of customer information.
Customized session timeout
Tines allows administrators to set a custom session timeout length so that sessions expire in line with your organization's policies.
SSO/SAML
Tines supports SSO/SAML by default across all plans. We encourage customers to enable single sign-on in their Tines tenant.
Granular control over data retention
We believe customer data is a liability and provide easy-to-use platform features that ensure it is retained in the platform only for as long as it is required.
Cloud or on-premise deployment
Tines is both a cloud service that we host and a product that you can host yourself. If a customer is working under specific regulatory requirements (e.g., FedRAMP), Tines can be deployed in the customer's own data center.
Full audit log capabilities
We automatically record an audit log entry any time a user changes any piece of data in your Tines tenant. All of the logged operations are available both via the UI and the API.
Control access to stories and other resources
Using teams, you can logically separate users, credentials, resources, and stories, so that members of one team cannot use the credentials or stories of another.
Security in the organization
We place equal importance on security in the Tines product and on security within the Tines organization. Below is a non-exhaustive list of security measures we have implemented at the organizational level.
BeyondCorp
We follow the BeyondCorp model. BeyondCorp is a Zero Trust security framework that shifts access controls from the network perimeter to individual devices and users. The end result allows employees to work securely from any location without the need for a traditional VPN.
Access to production systems
We restrict access to production systems to a handful of employees. No contractors or third parties have access to production. Customer data is prohibited from leaving our production environment. The list of employees with access to production is regularly reviewed.
Security and privacy council
We have established a cross-functional group, led by the company CEO, that meets on a regular basis to discuss security and privacy matters. The agenda for security and privacy council meetings typically includes a review of recent incidents, the security implications of upcoming features and ongoing compliance efforts.
Awareness training
Every Tines employee undergoes security awareness training when they join and at least annually thereafter.
Security automation
We leverage security automation extensively to alert on suspicious activity across our production and corporate environments.
The Tines Trust Center
Tines maintains a Trust Center where customers can obtain up-to-date security reports and attestations such as:
SOC2 Type II Report
Results of our most recent vulnerability scan
List of Tines security policies and procedures
Results of a third-party risk assessment
Due to the sensitivity of this information, you will be required to sign an NDA before documents will be made available to you.
Reporting security vulnerabilities
Responsible Disclosure
As a security company, we are committed to providing a secure and trusted platform to our users. We value security researchers and others who keep a watchful eye and responsibly disclose security issues. Should you find a security vulnerability, we ask that you report it to us via our Vulnerability Disclosure Program (VDP), powered by Bugcrowd.
We ask that you adhere to the following guidelines:
Do not disclose the vulnerability outside of the VDP
Do not violate any laws
Do not disrupt services (DoS/DDoS)
Do not access, modify, or destroy any accounts or data that do not belong to you
Out of Scope
HTTPS / TLS configuration and security header suggestions
Direct testing of 3rd parties
SPF / DMARC / DKIM / DNSSEC suggestions
Banner/version disclosure
Social engineering / phishing / spam