Our information security program is aligned to the industry-accepted framework, SOC2. SOC2 compliance means that a company has established and follows strict information security policies and procedures. These policies cover the security, availability, processing integrity and confidentiality of customer data. We maintain SOC Type II compliance and are audited annually.
Our compliance stance is an important part of how we protect customer data; however, we recognize that being compliant is not the same as being secure. As such, we have implemented (and will continue to implement) a range of additional security controls which provide our customers with further assurance that we are prioritizing security within the Tines product and organization.
We provide a number of security features within the Tines product which help ensure the confidentiality, integrity and availability of customer information.
All user accounts within a Tines tenant enforce mandatory multifactor authentication. The second factor is a one-time code sent to the user’s registered email address. If you require a different second factor, we recommend enabling SSO/SAML and leveraging your existing IdP.
Tines supports SSO/SAML by default across all plans. We encourage customers to enable single sign-on in their Tines tenant.
We believe customer data is a liability and provide easy-to-use platform features that ensure it’s only retained in the platform for as long as is required.
Tines is both a cloud service that we host and a product that you can host. If a customer is working under specific regulatory requirements (e.g., FedRAMP), Tines can be easily deployed in a customer’s own data center.
We place equal importance on security in the Tines product as we do on security within the Tines organization. Below is a non-exhaustive list of security measures we’ve implemented at an organizational level.
BeyondCorp is a Zero Trust security framework that shifts access controls from the perimeter to individual devices and users. The end result allows employees to work securely from any location without the need for a traditional VPN.
We restrict access to production systems to a handful of employees. No contractors or third parties have access to production. Customer data is prohibited from leaving our production environment. The list of employees with access to production is regularly reviewed.
We have established a cross-functional group, led by the company CEO, that meets on a regular basis to discuss security and privacy matters. The agenda for security and privacy council meetings typically includes a review of recent incidents, security implications of upcoming features and ongoing compliance efforts.
Every Tines employee undergoes security awareness training when they join and at least annually thereafter.
We leverage security automation extensively to alert on suspicious activity across prod and corp environments.
You can request a copy of the Tines security pack by completing this form. The security pack includes:
Due to the sensitivity of this information, we’ll send you an NDA that must be signed before issuing the security pack.
We welcome reports from security researchers and experts about possible security vulnerabilities in our product. To report a security vulnerability in Tines, please send details to firstname.lastname@example.org. We do not currently have a bug bounty program.