We ensure to the best of our ability that we are delivering products that are free from security defects. Additionally, we support a number of security focused features to help keep your data safe:
Encryption: All data in transit is secured with Transport Level Security (TLS) and all API and client communications (web and mobile) require HTTPS connections. All customer data is encrypted at rest including: email addresses, passwords, API keys and 3rd party integration keys.
Authentication: All Tability workspaces support both 2FA access and SSO through Google Apps. Workspaces on the Teams, Business and Unlimited plans can also enforce the use of 2FA or use SAML authentication to manage access to their workspace.
IP and email domain restrictions: Customers on the Teams, Business and Unlimited plans can restrict access to their workspace to specific IPs or email domains.
Permanent deletion: Users can delete data related to their account and workspace if they have the correct permissions. Data can be restored for up to 7 days before it is permanently deleted, and it can take up to 14 days for all data to be deleted from our systems.
Tability's backend is hosted on Heroku. Heroku's physical infrastructure is hosted and managed within Amazon's secure data centers and utilize the Amazon Web Service (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.
Tability's web application is hosted on Amazon S3, using Cloudfront to manage the distribution.
For more specific details regarding Heroku security, please refer to https://www.heroku.com/policy/security/.
For more specific details regarding AWS security, please refer to https://aws.amazon.com/security/.
Hosting and storage: Tability services and data are hosted in the United States.
Backups: We use Heroku's Continuous Protection to backup customer data, which allows us to restore the database any point of time in the past 4 days. We also do daily logical backups retained for the last 7 days.
Vulnerability scanning: We run automated vulnerability scans as part of our continuous delivery process.
We strive for a 99.9% uptime across all our products and to support that, we host our monitoring and logging systems outside of our production to ensure continuity of reporting if our systems are impacted by an incident.
PCI DSS: All payments made to us go through our payments provider, Stripe. Details about their security setup and PCI compliance can be found on Stripe’s security page.
Privacy: Tability adheres to the EU/US and EU/Switzerland Privacy Shield frameworks and will comply with the EU General Data Protection Regulation (GDPR).
Software development: Tability's software development practices follow OWASP's guidelines, protecting against common attacks.
Immutable infrastructure: We do not make changes to live code or production servers. We treat our infrastructure as code whenever possible, and changes go through automated testing and deployment processes.
Continuous delivery: We use continuous integration and automated deployments to build, test and release code multiple times a day.
Incident response: We have monitoring tools in place to notify the team of any security or availability incidents immediately. These monitoring tools are hosted independently from our production systems.
Access to customer data: Sensitive customer data can only be accessed by a select group of individuals on our team. If it's necessary for the team to access sensitive customer data, we will only do so only after receiving written permission from the customer via email.