Security at Tines

The world’s leading security teams rely on Tines to automate their mission-critical processes. They trust Tines to operate securely and to protect their data at all times. We take this trust seriously. Here you’ll find an overview of some of the measures we’ve implemented to ensure security and privacy are key tenets of our culture and are ingrained in how we operate day-to-day.


Compliance 

Our information security program is aligned to the industry-accepted framework, SOC2. SOC2 compliance means that a company has established and follows strict information security policies and procedures. These policies cover the security, availability, processing integrity and confidentiality of customer data. We maintain SOC2 Type II compliance and are audited annually.
Our compliance stance is an important part of how we protect customer data. However, we recognize that being compliant is not the same as being secure. As such, we have implemented (and will continue to implement) a range of additional security controls which provide our customers with further assurance that we are prioritizing security within the Tines product and organization.

Security in the product 

We provide a number of security features within the Tines product which help ensure the confidentiality, integrity and availability of customer information.

Customized session timeout 

Tines supports the ability for administrators to set a custom session timeout length to adhere to your organization's policies.

SSO/SAML 

Tines supports SSO/SAML by default across all plans. We encourage customers to enable single sign-on in their Tines tenant.

Granular control over data retention 

We believe customer data is a liability and provide easy-to-use platform features that ensure it’s only retained in the platform for as long as is required.

Cloud or on-premise deployment 

Tines is both a cloud service that we host and a product that you can host yourself. If a customer is working under specific regulatory requirements (e.g. FedRAMP), Tines can be easily deployed in the customer’s own data center.

Full audit log capabilities  

We automatically capture an audit log any time a user changes any piece of data in your Tines tenant. All of the logged operations are available both via the UI and API.

Control access to stories and other resources  

Using teams, you can logically separate users, credentials, resources, and stories.

Security in the organization 

We place equal importance on security in the Tines product as we do on security within the Tines organization. Below is a non-exhaustive list of security measures we’ve implemented at an organizational-level.

BeyondCorp 

BeyondCorp is a Zero Trust security framework that shifts access controls from the network perimeter to individual devices and users. The result is that employees can work securely from any location without the need for a traditional VPN.

Access to production systems 

We restrict access to production systems to a handful of employees. No contractors or third parties have access to production. Customer data is prohibited from leaving our production environment. The list of employees with access to production is regularly reviewed.

Security and privacy council 

We have established a cross-functional group, led by the company CEO, that meets on a regular basis to discuss security and privacy matters. The agenda for security and privacy council meetings typically includes a review of recent incidents, the security implications of upcoming features, and ongoing compliance efforts.

Awareness training 

Every Tines employee undergoes security awareness training when they join and at least annually thereafter.

Security automation 

We leverage security automation extensively to alert on suspicious activity across our production and corporate environments.

The Tines security pack 

You can request a copy of the Tines security pack by completing this form. The security pack includes:

  • SOC2 Type II Report

  • Results of our most recent vulnerability scan

  • List of Tines security policies and procedures

  • Results of a third-party risk assessment

Due to the sensitivity of this information, we’ll send you an NDA that must be signed before issuing the security pack.

Reporting security vulnerabilities 

Responsible Disclosure  

As a security company, we are committed to providing a secure and trusted platform to our users. We value security researchers and others who keep a watchful eye and responsibly disclose security issues. Should you find any security vulnerabilities, we ask that you please disclose them to us via our Vulnerability Disclosure Program (VDP) powered by BugCrowd.

We ask that you adhere to the following guidelines:

  • Do not disclose the vulnerability outside of the VDP

  • Do not violate any laws

  • Do not disrupt services (DoS/DDoS)

  • Do not access, modify, or destroy any accounts or data that does not belong to you

Out of Scope  

  • HTTPS / TLS security header suggestions

  • Direct testing of 3rd parties

  • SPF / DMARC / DKIM / DNSSEC suggestions

  • Banner/version disclosure

  • Social engineering / phishing / spam