Security policy

We are committed to keeping your data secure at Tability. Privacy and reliability are at the core of our services, and we use proven cloud providers to ensure the safety of your data.

Product

We work to the best of our ability to deliver products that are free from security defects. Additionally, we support a number of security-focused features to help keep your data safe:

  • Encryption: All data in transit is secured with Transport Layer Security (TLS), and all API and client communications (web and mobile) require HTTPS connections. All customer data is encrypted at rest, including email addresses, passwords, API keys and third-party integration keys.
  • Authentication: All Tability workspaces support both two-factor authentication (2FA) and single sign-on (SSO) through Google Apps. You can also enforce the use of SAML authentication to manage access to your workspace.
  • IP and email domain restrictions: Customers on the Premium plans can restrict access to their workspace to specific IP addresses or email domains.
  • Permanent deletion: Users with the correct permissions can delete data related to their account and workspace. Deleted data can be restored for up to 7 days before it is permanently deleted, and it can take up to 14 days for all copies of the data to be removed from our systems.
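The IP and email-domain restrictions above are allowlist checks, and both have a classic pitfall: a naive suffix match on the domain accepts "alice@evil-example.com" for an allowlist of "example.com", and reading the client address from an X-Forwarded-For header lets a client choose its own address unless the header is only trusted as far as the proxies that appended it (behind a CDN such as Cloudflare, the TCP peer is the CDN, not the user). The following is an added example written for this page, not Tability's code, and the `example.com`, `203.0.113.0/24` and `198.51.100.0/24` values are constructed test data.

```python
"""Workspace allowlist checks: email domain, client IP, and safe client-IP
recovery behind trusted proxies. Added example, not Tability's implementation;
all addresses and domains used here are constructed sample data."""
import ipaddress


def email_domain_allowed(email: str, allowed_domains: set) -> bool:
    """Exact, case-insensitive match on the domain after the single '@'.

    Deliberately NOT `email.endswith(domain)`: that would accept
    'alice@evil-example.com' for an allowlist containing 'example.com'.
    Subdomains are also rejected unless listed explicitly."""
    if email.count("@") != 1:
        return False
    domain = email.rsplit("@", 1)[1].strip().lower().rstrip(".")
    if not domain:
        return False
    return domain in {d.lower() for d in allowed_domains}


def ip_allowed(client_ip: str, allowed_cidrs: list) -> bool:
    """True if client_ip falls inside any allowlisted CIDR (v4 or v6)."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        # Unparseable input is treated as not allowed, never as a wildcard.
        return False
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def client_ip(remote_addr: str, xff_header: str, trusted_proxies: list) -> str:
    """Recover the real client address behind one or more trusted proxies.

    remote_addr is the TCP peer. Walk the X-Forwarded-For chain from the
    right: each entry was appended by the hop to its right, so it is only
    believable while that hop is a trusted proxy. The first untrusted hop
    is the client; anything left of it is attacker-controllable and ignored.
    If the peer itself is not a trusted proxy, the header is ignored entirely."""
    hops = [h.strip() for h in xff_header.split(",") if h.strip()] if xff_header else []
    candidate = remote_addr
    for hop in reversed(hops):
        if not ip_allowed(candidate, trusted_proxies):
            break
        candidate = hop
    return candidate


def access_allowed(email: str, remote_addr: str, xff_header: str, policy: dict) -> bool:
    """Combined workspace check. `policy` is an assumed shape for this example:
    {'domains': set of allowed email domains or empty for no restriction,
     'cidrs': list of allowed CIDRs or empty for no restriction,
     'trusted_proxies': CIDRs of the CDN/proxies in front of the app}."""
    if policy.get("domains") and not email_domain_allowed(email, policy["domains"]):
        return False
    if policy.get("cidrs"):
        ip = client_ip(remote_addr, xff_header, policy.get("trusted_proxies", []))
        if not ip_allowed(ip, policy["cidrs"]):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample policy: CDN edge in 198.51.100.0/24, office in 203.0.113.0/24.
    policy = {"domains": {"example.com"}, "cidrs": ["203.0.113.0/24"],
              "trusted_proxies": ["198.51.100.0/24"]}
    # Real office user arriving through the CDN: allowed.
    print(access_allowed("alice@example.com", "198.51.100.1", "203.0.113.7", policy))
    # Attacker spoofing an office address in the header: the spoofed entry
    # sits left of the untrusted hop and is ignored, so access is denied.
    print(access_allowed("alice@example.com", "198.51.100.1", "203.0.113.7, 9.9.9.9", policy))
```

Design note: the domain check rejects subdomains and multiple "@" signs rather than trying to be clever, and an unparseable IP is denied rather than skipped. The proxy walk deliberately stops at the first untrusted hop instead of taking the leftmost X-Forwarded-For entry, which is the usual mistake that turns an IP allowlist into a header the attacker controls.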

Infrastructure & Operational Practices

Tability's backend is hosted on Heroku. Heroku's physical infrastructure is hosted and managed within Amazon's secure data centers and utilizes Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

Tability's web application is hosted on Netlify, with Cloudflare in front of it as a CDN.

For more specific details regarding each provider's security, please refer to:

  • Heroku: https://www.heroku.com/policy/security/
  • AWS: https://aws.amazon.com/security/
  • Netlify: https://www.netlify.com/security/
  • Cloudflare: https://www.cloudflare.com/products/security/

  • Hosting and storage: Tability services and data are hosted in the United States.
  • Backups: We use Heroku's Continuous Protection to back up customer data, which allows us to restore the database to any point in time within the past 4 days. We also take daily logical backups, retained for the last 7 days.
  • Vulnerability scanning: We run automated vulnerability scans as part of our continuous delivery process.

Reliability

We strive for 99.9% uptime across all our products. To support that, we host our monitoring and logging systems outside of our production environment, so reporting continues even if our production systems are impacted by an incident.

Compliance

  • PCI DSS: All payments made to us go through our payments provider, Stripe. Details about their security setup and PCI compliance can be found on Stripe’s security page.

Security Controls

  • Software development: Tability's software development practices follow OWASP guidelines, protecting against common classes of web application attacks.
  • Immutable infrastructure: We do not make manual changes to live code or production servers. We treat our infrastructure as code whenever possible, and all changes go through automated testing and deployment processes.
  • Continuous delivery: We use continuous integration and automated deployments to build, test and release code multiple times a day.
  • Incident response: We have monitoring tools in place to notify the team of any security or availability incidents immediately. These monitoring tools are hosted independently from our production systems.
  • Access to customer data: Sensitive customer data can only be accessed by a small, designated group of individuals on our team. If it is necessary for the team to access sensitive customer data, we will do so only after receiving written permission from the customer via email.

MDM enrollment for employee devices

All employees use a company-issued laptop managed via an MDM solution (Kandji) to automate security and compliance configuration.

Penetration testing

Tability runs yearly penetration tests performed by an independent security research team.

Vulnerability disclosure

We have an open vulnerability disclosure program detailed here.