Security First
You can trust us for your journey to the cloud.
Data ownership
You own your data. All data you upload as well as any data that is generated by our tools is owned by you. We don't claim any ownership of any data connected to you.

End-to-end encryption
AES-256 encryption keeps your data safe at rest. Whenever data is transferred, TLS v1.2 is used to secure your data in transit.

Local analysis
None of the source code or data from your database leaves your machine. The source code analysis and the database analysis happen in your own environment. Only the generated data is uploaded.
We follow industry standards and best practices to keep your data safe
Secure secret storage
We never store secrets in plain text. All secrets are encrypted and stored following industry best practices for management of cryptographic secrets.
Regular security updates
We monitor all technologies used in our products and development cycle for updates and regularly deploy security patches and updated versions.
Controlled change management
All changes to production systems are made using state of the art software for infrastructure and application deployments, following the industry best practices related to infrastructure as code.
Principle of Least Privilege
We adamantly follow the idea of least privilege access across all of our production systems. This includes minimal fine grained access control at the authorization layer and fully minimized public facing network exposure.
Regular penetration testing
We regularly conduct vulnerability scans and penetration tests both during development and in production to identify potential security issues.
Employee Training
Security is a company-wide endeavor. All employees complete an annual security training program and employ best practices when handling customer data.
Vulnerability Disclosure Program
If you believe you’ve discovered a bug or vulnerability in Tidal software or security, please get in touch at security@tidalcloud.com. Our security team promptly investigates all reported issues.
Continuous Security Control Monitoring
Tidal uses Drata’s automation platform to continuously monitor 100+ internal security controls across the organization against the highest possible standards.
All your security questions answered
Can session timeout parameters be configured?
We can support a custom session timeout at your request.
Do you support role-based access segregation?
Yes, we support role-based access based on three roles: a ‘read’-only role, a ‘write’ role, and an ‘admin’ role. The ‘admin’ role has full access to every API endpoint and UI view. The ‘write’ role is limited to a subset of API endpoints and views, but has access to the majority of the application. The ‘read’ role has limited access to certain API endpoints and UI views and can only ever look up or access existing data; it cannot create, modify or delete data.
Which methods are supported for API access authentication and authorization?
The API requires a JSON Web Token (JWT, OAuth 2.0) to gain authorized access to the API.
Who owns the data imported to and/or generated in the solution?
All data is owned by your company.
How can I extract my data from the platform?
You can access the API at any time and extract all data without any requirement of approval or action from us.
Does the solution require direct integration with centralized source code or artifact repositories?
No, the complete analysis can be performed without any integration with source code or artifact repositories.
Is any part of my source code sent outside my environment for the analysis?
No, your source code stays inside your environment at all times.
How is my data secured at rest?
All data is stored encrypted at rest using the industry standard AES-256 encryption algorithm.
How is my data secured in transit?
We use TLS v1.2 for all communication.
Is masking and obfuscation of sensitive data supported?
We consider any data that is secret and not meant to be shared with others as sensitive, and we mask that data in all of our logging.
What happens to my data in case of contract termination or service discontinuity?
All data can be retrieved without any permission or authorization from us. We will support you in doing so and confirm you have done so prior to removing any data. After termination of service we destroy all data and destroy all backups within 14 days.
Do you support real-time audit trail monitoring integration?
Yes, we support and use audit logging on all application access and related infrastructure. Our audit logs follow industry standards and contain minimal traceability information.
What user actions are part of the audit trails?
We log all API requests.
Are the logs generated by the products immutable?
Yes, all logs are stored encrypted in an isolated, read-only environment to minimize log access and ensure logs are immutable. We use infrastructure as code to have full audit capability in terms of log access and changes made to the log storage environment.
Which SLAs are defined?
We provide a service level agreement of 99.5% guaranteed availability during each year of service provided.
Is there an escalation process if SLAs are not met?
Yes, there is. We use automated service monitoring, so most issues can be identified without any reporting required. The escalation process for any SLA that is not met begins with an email to support@tidalcloud.com, is followed by Slack for real-time communication, and finally by telephone to +1 877 895 7179. Ask for ‘incident escalation’ to be connected to our Tier 3 support staff.
What happens if SLAs are not met?
If the SLA is not met we will provide a credit for the incurred outage. The credit amount is the annual pricing amount of the software agreement, divided by 525 600, multiplied by the number of minutes beyond the allowed downtime stated in the SLA. For example, if the annual agreement amount is $200 000 and the solution is not available for 72 hours over the year, a credit of ((72h - 44h) * 60min/h / 525 600 minutes/year * $200 000) = $639.26 for the year would be made. A
How are scheduled maintenances conducted?
We give 2 weeks' notice for any scheduled maintenance where downtime is required. We conduct any maintenance during non-business hours or days. We also rarely need to schedule downtime for maintenance, with our current average being roughly once every 1.5 years.
What management processes do you have in place to manage cryptographic assets?
We follow industry standard practices with regard to cryptographic asset management. All systems used for storage of cryptographic assets are in compliance with or in the process of being validated under the FIPS 140-2 standard.
What change management process do you have in place?
We practice and follow the industry best practices of continuous delivery of software.
All changes to any production systems go through our peer-reviewed change and release process, using automation tooling and audited systems to introduce all changes. It is this rigorous release process that allows us both to respond quickly to customer feature demands and to ensure minimal service interruptions globally.
How do you secure your own systems?
Our accounts are secured using multi-factor authentication mechanisms. Credentials are rotated on a regular basis.