# Trust and Security

We are committed to keeping your data secure at Tability. Privacy and reliability are at the core of our services, and we use proven cloud providers to ensure the safety of your data.

## Product

We ensure, to the best of our ability, that the products we deliver are free from security defects. We also support a number of security-focused features to help keep your data safe:

* **Encryption:** All data in transit is secured with Transport Layer Security (TLS), and all API and client communications (web and mobile) require HTTPS connections. All customer data is encrypted at rest, including email addresses, passwords, API keys and third-party integration keys.
* **Authentication:** All Tability workspaces support both 2FA access and SSO through Google Apps. You can also enforce the use of SAML authentication to manage access to your workspace.
* **IP and email domain restrictions:** Customers on the Premium plans can restrict access to their workspace to specific IPs or email domains.
* **Permanent deletion:** Users with the correct permissions can delete data related to their account and workspace. Deleted data can be restored for up to 7 days before it is permanently deleted, after which it can take up to 14 days for all data to be removed from our systems.

## Data residency

{% hint style="info" %}
Regional hosting in the **EU or AU** is available **on request** and is subject to a **minimum of 100 users.**

This ensures we can maintain the same level of performance, security, and support across all regions.
{% endhint %}

By default, Tability hosts customer data in the **US region**. However, we understand the importance of regional data compliance and offer **optional data residency in the EU or Australia** for customers with specific requirements.

If you’re interested in regional hosting options, please contact us at <sales@tability.io> to discuss your requirements.

## Infrastructure and Operational Practices

Tability's backend is hosted on Heroku. Heroku's physical infrastructure is hosted and managed within Amazon's secure data centres and uses Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

Tability's web application is hosted on Netlify and we're using Cloudflare as a CDN.

For more specific details regarding Heroku security, please refer to [https://www.heroku.com/policy/security/](https://www.heroku.com/policy/security/).

For more specific details regarding AWS security, please refer to [https://aws.amazon.com/security/](https://aws.amazon.com/security/).

For more specific details regarding Netlify security, please refer to [https://www.netlify.com/security/](https://www.netlify.com/security/).

For more specific details regarding Cloudflare security, please refer to [https://www.cloudflare.com/products/security/](https://www.cloudflare.com/products/security/).

* Hosting and storage: By default, Tability services and data are hosted in the United States (see the Data residency section above for EU and AU options).
* Vulnerability scanning: We run automated vulnerability scans as part of our continuous delivery process.

## Backups

We use Heroku's Continuous Protection to back up customer data, which allows us to restore the database to any point in time in the past 4 days. We also take daily logical backups, retained for the last 7 days.

## Data Encryption and Retention

All data, including backups, is encrypted at rest using AES-256.

Data is encrypted in transit between us and the browser with Transport Layer Security (TLS) 1.2.

Users can delete their entire Tability workspace if they have the correct access rights. This will delete all data that you have provided to Tability. It can take up to 60 days for all data to be removed from backups.

Following the cancellation of a Tability subscription, you will have at least 30 days to download your customer data from Tability. After this period, we have no obligation to maintain or provide any customer data to you. We may delete all customer data provided to us after this period.

Tability reserves the right to, upon prior written notice to Customer, delete accounts for Free subscriptions (and all Customer Data contained therein) that have been inactive for more than 180 days.

## Performance and Reliability

Tability is designed for high availability and responsive performance across global regions. We aim to maintain **99.9% uptime** across all products and continuously monitor the health of our systems to proactively address issues before they impact users.

To ensure reliability:

* We host our monitoring and logging systems **outside of production infrastructure** to maintain visibility during incidents.
* We use **distributed content delivery via Cloudflare** to reduce latency and improve load times worldwide.
* Our infrastructure is built on **scalable cloud services** (Heroku, AWS, Netlify) to handle varying load with minimal degradation.
* We deploy updates through a **continuous delivery pipeline**, enabling rapid fixes and performance improvements without downtime.

You can view real-time system status and historical uptime at <https://statuspage.tability.io>.

## Compliance


**SOC 2 Type 2**\
Tability has successfully completed a SOC 2 Type 2 audit with ongoing automated monitoring of controls, policies and infrastructure powered by Drata.


**PCI DSS**\
All payments made to us go through our payments provider, Stripe. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1.


**GDPR**\
We have established and closely follow internal controls and policies that address the requirements of the GDPR insofar as they apply to Tability.

## Security Controls

* **Software development:** Tability's software development practices follow OWASP's guidelines, protecting against common attacks.
* **Immutable infrastructure:** We do not make changes to live code or production servers. We treat our infrastructure as code whenever possible, and changes go through automated testing and deployment processes.
* **Continuous delivery:** We use continuous integration and automated deployments to build, test and release code multiple times a day.
* **Incident response:** We have monitoring tools in place to notify the team of any security or availability incidents immediately. These monitoring tools are hosted independently from our production systems.
* **Access to customer data:** Sensitive customer data can only be accessed by a small, designated group of individuals on our team. If it is necessary for the team to access sensitive customer data, we do so only after receiving written permission from the customer via email.

## MDM enrollment for employee devices

All employees use a company-issued laptop managed via an MDM (Kandji) to automate security and compliance.

## Penetration testing

Tability runs yearly penetration tests performed by an independent security research team.

## Vulnerability disclosure

We have an open vulnerability disclosure program, detailed [here](/legals/vulnerability-disclosure-policy.md).

## Contact us

If you have any questions, please email us at <security@tability.io>.

