Security at Tines

The world’s leading security teams rely on Tines to automate their mission-critical processes. They trust Tines to operate securely and to protect their data at all times. We take this trust seriously. Here you’ll find an overview of some of the measures we’ve implemented to ensure security and privacy are key tenets of our culture and are ingrained in how we operate day-to-day.

Compliance

Our information security program is aligned to the industry-accepted framework, SOC2. SOC2 compliance means that a company has established and follows strict information security policies and procedures. These policies cover the security, availability, processing integrity and confidentiality of customer data. In June 2020, we successfully completed our SOC2 Type 1 audit. Our SOC2 Type 2 audit is scheduled for late 2020.

Our compliance stance is an important part of how we protect customer data; however, we recognize that being compliant is not the same as being secure. As such, we have implemented (and will continue to implement) a range of additional security controls which provide our customers with further assurance that we are prioritizing security within the Tines product and organization.

Security in the product

We provide a number of security features within the Tines product which help ensure the confidentiality, integrity and availability of customer information.

Mandatory multifactor authentication

All user accounts within a Tines tenant enforce mandatory multifactor authentication. The second factor is a one-time code sent to the user’s registered email address. If you require a different second factor, we recommend enabling SSO/SAML and leveraging your existing IdP.

SSO/SAML

Tines supports SSO/SAML by default across all plans. We encourage customers to enable single sign-on in their Tines tenant.

Single tenant architecture

Each Tines tenant is dedicated to a single customer. This means that a Tines customer never shares infrastructure, databases or encryption keys with another customer.

Granular control over data retention

We believe customer data is a liability and provide easy-to-use platform features that ensure it’s only retained in the platform for as long as is required.

Cloud or on-premise deployment

Tines is both a cloud service that we host and a product that you can host. If a customer is working under specific regulatory requirements (e.g., FedRAMP), Tines can be easily deployed in a customer’s own data center.

Security in the organization

We place as much importance on security within the Tines organization as we do on security in the Tines product. Below is a non-exhaustive list of security measures we’ve implemented at an organizational level.

BeyondCorp

BeyondCorp is a Zero Trust security framework that shifts access controls from the perimeter to individual devices and users. The end result allows employees to work securely from any location without the need for a traditional VPN.

Access to production systems

We restrict access to production systems to a handful of employees. No contractors or third parties have access to production. Customer data is prohibited from leaving our production environment. The list of employees with access to production is regularly reviewed.

Security and privacy council

We have established a cross-functional group, led by the company CEO, that meets on a regular basis to discuss security and privacy matters. The agenda for security and privacy council meetings typically includes a review of recent incidents, security implications of upcoming features and ongoing compliance efforts.

Awareness training

Every Tines employee undergoes security awareness training when they join and at least annually thereafter.

Security automation

We leverage security automation extensively to alert on suspicious activity across our production and corporate environments.

The Tines security pack

You can request a copy of the Tines security pack by emailing security@tines.io. The security pack contains:

  • SOC2 Type 1 Report
  • Results of our most recent vulnerability scan
  • List of Tines security policies and procedures
  • Summary of most recent BCP/DR test

Due to the sensitivity of this information, we’ll send you an NDA that must be signed before we issue the security pack.

Reporting security vulnerabilities

We welcome reports from security researchers and experts about possible security vulnerabilities in our product. To report a security vulnerability in Tines, please send details to security@tines.io. We do not currently have a bug bounty program.