The world’s leading security teams rely on Tines to automate their mission-critical processes. They trust Tines to operate securely and to protect their data at all times. We take this trust seriously. Here you’ll find an overview of some of the measures we’ve implemented to ensure security and privacy are key tenets of our culture and are ingrained in how we operate day-to-day.
Our information security program is aligned to the industry-accepted SOC2 framework. SOC2 compliance means that a company has established and follows strict information security policies and procedures. These policies cover the security, availability, processing integrity, and confidentiality of customer data. We maintain SOC2 Type II compliance and are audited annually.
Our compliance stance is an important part of how we protect customer data. However, we recognize that being compliant is not the same as being secure. As such, we have implemented (and will continue to implement) a range of additional security controls which provide our customers with further assurance that we are prioritizing security within the Tines product and organization.
Security in the product
We provide a number of security features within the Tines product which help ensure the confidentiality, integrity and availability of customer information.
Mandatory multifactor authentication
All user accounts within a Tines tenant enforce mandatory multifactor authentication. The second factor is a one-time code sent to the user’s registered email address. If you require a different second factor, we recommend enabling SSO/SAML and leveraging your existing IdP.
Tines supports SSO/SAML by default across all plans. We encourage customers to enable single sign-on in their Tines tenant.
Granular control over data retention
We believe customer data is a liability and provide easy-to-use platform features that ensure it’s only retained in the platform for as long as is required.
Cloud or on-premise deployment
Tines is both a cloud service that we host and a product that you can host yourself. If a customer is working under specific regulatory requirements (e.g. FedRAMP), Tines can be easily deployed in the customer’s own data center.
Security in the organization
We place equal importance on security in the Tines product and on security within the Tines organization. Below is a non-exhaustive list of security measures we’ve implemented at an organizational level.
BeyondCorp is a Zero Trust security framework that shifts access controls from the network perimeter to individual devices and users. The result is that employees can work securely from any location without the need for a traditional VPN.
Access to production systems
We restrict access to production systems to a handful of employees. No contractors or third parties have access to production. Customer data is prohibited from leaving our production environment. The list of employees with access to production is regularly reviewed.
Security and privacy council
We have established a cross-functional group, led by the company CEO, that meets on a regular basis to discuss security and privacy matters. The agenda for security and privacy council meetings typically includes a review of recent incidents, the security implications of upcoming features, and ongoing compliance efforts.
Every Tines employee undergoes security awareness training when they join and at least annually thereafter.
We leverage security automation extensively to alert on suspicious activity across our production and corporate environments.
The Tines security pack
You can request a copy of the Tines security pack by completing this form. The security pack includes:
SOC2 Type II Report
Results of our most recent vulnerability scan
List of Tines security policies and procedures
Results of a third-party risk assessment
Due to the sensitivity of this information, we’ll send you an NDA that must be signed before issuing the security pack.
Reporting security vulnerabilities
As a security company, we are committed to providing a secure and trusted platform to our users. We value security researchers and others who keep a watchful eye and responsibly disclose security issues. Should you find any security vulnerabilities, we ask that you please disclose them to us via our Vulnerability Disclosure Program (VDP) powered by Bugcrowd.
We ask that you adhere to the following guidelines:
Do not disclose the vulnerability outside of the VDP
Do not violate any laws
Do not disrupt services (DoS/DDoS)
Do not access, modify, or destroy any accounts or data that do not belong to you
Out of Scope
HTTPS / TLS security headers suggestions
Direct testing of third parties
SPF / DMARC / DKIM / DNSSEC suggestions
Social engineering / phishing / spam