
Trust and Security

We are committed to keeping your data secure at Tability. Privacy and reliability are at the core of our services, and we use proven cloud providers to ensure the safety of your data.

Product

We ensure, to the best of our ability, that we are delivering products that are free from security defects. Additionally, we support a number of security-focused features to help keep your data safe:

  • Encryption: All data in transit is secured with Transport Layer Security (TLS), and all API and client communications (web and mobile) require HTTPS connections. All customer data is encrypted at rest, including email addresses, passwords, API keys and 3rd-party integration keys.

  • Authentication: All Tability workspaces support both 2FA access and SSO through Google Apps. You can also enforce the use of SAML authentication to manage access to your workspace.

  • IP and email domain restrictions: Customers on the Premium plans can restrict access to their workspace to specific IPs or email domains.

  • Permanent deletion: Users can delete data related to their account and workspace if they have the correct permissions. Data can be restored for up to 7 days before it is permanently deleted, and it can take up to 14 days for all data to be deleted from our systems.

Data residency

By default, Tability hosts customer data in the US region. However, we understand the importance of regional data compliance and offer optional data residency in the EU or Australia for customers with specific requirements.

Regional hosting in the EU or AU is available on request and is subject to a minimum threshold of 100 users.

This ensures we can maintain the same level of performance, security, and support across all regions.

If you’re interested in regional hosting options, please contact us at sales@tability.io to discuss your requirements.

Infrastructure and Operational Practices

Tability's backend is hosted on Heroku. Heroku's physical infrastructure is hosted and managed within Amazon's secure data centres and utilises Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

Tability's web application is hosted on Netlify and we're using Cloudflare as a CDN.

  • Hosting and storage: Tability services and data are hosted in the United States.

  • Vulnerability scanning: We run automated vulnerability scans as part of our continuous delivery process.

Backups

We use Heroku's Continuous Protection to back up customer data, which allows us to restore the database to any point in time within the past 4 days. We also take daily logical backups, retained for the last 7 days.

Data Encryption and Retention

All data, including backups, is encrypted at rest using AES-256 encryption.

Data is encrypted while moving between us and the browser with Transport Layer Security (TLS) 1.2.

Users can delete their entire Tability workspace if they have the correct access rights. This will delete all data that you have provided to Tability. It can take up to 60 days for all data to be removed from backups.

Following the cancellation of a Tability subscription, you will have at least 30 days to download your customer data from Tability. After this period, we have no obligation to maintain or provide any customer data to you. We may delete all customer data provided to us after this period.

Tability reserves the right to, upon prior written notice to Customer, delete accounts for Free subscriptions (and all Customer Data contained therein) that have been inactive for more than 180 days.

Performance and Reliability

Tability is designed for high availability and responsive performance across global regions. We aim to maintain 99.9% uptime across all products and continuously monitor the health of our systems to proactively address issues before they impact users.

To ensure reliability:

  • We host our monitoring and logging systems outside of production infrastructure to maintain visibility during incidents.

  • We use distributed content delivery via Cloudflare to reduce latency and improve load times worldwide.

  • Our infrastructure is built on scalable cloud services (Heroku, AWS, Netlify) to handle varying load with minimal degradation.

  • We deploy updates through a continuous delivery pipeline, enabling rapid fixes and performance improvements without downtime.

Compliance

  • SOC 2 Type 1: Tability has successfully completed a SOC 2 Type 1 audit, with ongoing automated monitoring of controls, policies and infrastructure powered by Drata.

  • PCI DSS: All payments made to us go through our payments provider, Stripe. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1.

  • GDPR: We have established and closely follow internal controls and policies that address the requirements of that regulation in so far as they apply to Tability.

Security Controls

  • Software development: Tability's software development practices follow OWASP's guidelines, protecting against common attacks.

  • Immutable infrastructure: We do not make changes to live code or production servers. We treat our infrastructure as code whenever possible, and changes go through automated testing and deployment processes.

  • Continuous delivery: We use continuous integration and automated deployments to build, test and release code multiple times a day.

  • Incident response: We have monitoring tools in place to notify the team of any security or availability incidents immediately. These monitoring tools are hosted independently from our production systems.

  • Access to customer data: Sensitive customer data can only be accessed by a selected group of individuals on our team. If it is necessary for the team to access sensitive customer data, we will do so only after receiving written permission from the customer via email.

MDM enrollment for employee devices

All employees use a company-issued laptop managed via an MDM (Kandji) to automate security and compliance.

Penetration testing

Tability runs yearly penetration tests performed by an independent security research team.

Vulnerability disclosure

Contact us

If you have any questions, please email us at security@tability.io.

Last updated 5 days ago

For more specific details regarding Heroku security, please refer to https://www.heroku.com/policy/security/.

For more specific details regarding AWS security, please refer to https://aws.amazon.com/security/.

For more specific details regarding Netlify security, please refer to https://www.netlify.com/security/.

For more specific details regarding Cloudflare security, please refer to https://www.cloudflare.com/products/security/.

You can view real-time system status and historical uptime at https://statuspage.tability.io.

We have an open vulnerability disclosure program, detailed in our Vulnerability Disclosure Policy.