Security

You can trust us for your journey to the cloud

Data ownership

You own your data. All data you upload as well as any data that is generated by our tools is owned by you. We don't claim any ownership of any data connected to you.

End-to-end encryption

AES-256 encryption keeps your data safe at rest. Whenever data is transferred, TLS v1.2 is used to secure your data in transit.

Local analysis

None of the source code or data from your database leaves your machine. The source code analysis and the database analysis happen in your own environment. Only the generated data is uploaded.

We follow industry standards and best practices to keep your data safe

Secure secret storage

We never store secrets in plain text. All secrets are encrypted and stored following industry best practices for management of cryptographic secrets.

Regular security updates

We monitor all technologies used in our products and development cycle for updates and regularly deploy security patches and updated versions.

Controlled change management

All changes to production systems are made using state of the art software for infrastructure and application deployments, following the industry best practices related to infrastructure as code.

Principle of Least Privilege

We adamantly follow the idea of least privilege access across all of our production systems. This includes minimal fine grained access control at the authorization layer and fully minimized public facing network exposure.

Regular penetration testing

We regularly conduct vulnerability scans and penetration tests both during development and in production to identify potential security issues.

All your security questions answered

Access

Can session timeout parameters be configured?

We can support a custom set timeout session at your request.

Do you support role-based access segregation?

Yes, we support role based access, based on three roles, a ‘read’ only role, a ‘write’ role, and an ‘admin’ role. The ‘admin’ role has full access to any API endpoint and UI view. The ‘write’ role is limited to only some API endpoints and views, but has access to the majority of the application. The ‘read’ role, as limited access to certain API endpoints and UI views, and can only ever lookup or access existing data, no creating, modifying or deleting data.

Which methods are supported for API access authentication and authorization?

The API requires a JSON Web Token (JWT, OAuth 2.0) to gain authorized access to the API.

Data

Who owns the data imported to and/or generated in the solution?

All data is owned by your company.

How can I extract my data from the platform?

You can access the API at any time and extract all data with out any requirement of approval or action from us.

Does the solution require direct integration with centralized source code or artifact repositories?

No, the complete analysis can be performed without any integration with source code or artifact repositories.

Is any part of my source code sent outside my environment for the analysis?

No, your source code stays inside your environment at all times.

How is my data secured at rest?

All data is stored encrypted at rest using the industry standard AES-256 encryption algorithm.

How is my data secured in transit?

We use TLS v1.2 for all communication.

Is masking and obfuscation of sensitive data supported?

Data that is secret and not meant to be shared with others we consider sensitive and mask that data within all of our logging.

What happens to my data in case of contract termination or service discontinuity?

All data can be retrieved without any permission or authorization from us. We will support you in doing so and confirm you have done so prior to removing any data. After termination of service we destroy all data and destroy all backups within 14 days.

Logging

Do you support real-time audit trail monitoring integration?

Yes, we support and use audit logging on all application access and related infrastructure. Our audit logs follow industry standards and contain minimal traceability information.

What user actions are part of the audit trails?

We log all API requests.

Are the logs generated by the products immutable?

Yes, all logs are stored encrypted in an isolated, read-only environment to minimize log access and ensure logs are immutable. We use infrastructure as code to have full audit capability in terms of log access and changes made to the log storage environment.

SLAs

Which SLAs are defined?

We provide a service level agreement of 99.5% of guaranteed availability during each annual year of service provided.

Is there an escalation process if SLAs are not met?

Yes there is. We use automated service monitoring, therefore most issues can be identified without any reporting required. The escalation process for any SLAs that are not met begins with emails to support@tidalmigrations.com, is followed by using Slack for real time communication and last is via telephone to +1 877 895 7179. Ask for ‘incident escalation’ to be connected to our Tier 3 support staff.

What happens if SLAs are not met?

If the SLA is not met we will provide a credit for the incurred outage. The credit amount given is the annual pricing amount of software agreement, divided by 525 600 multiplied by the number of minutes beyond the allowed agreement stated with the SLA. For example if the annual agreement is of the amount of $200 000 and the solution is not available for 72 hours over the year. A credit of ( (72h - 44h) * 60min/h / 525 600 minutes/year * $200 000) $639.26 for the year would be made. A

How are scheduled maintenances conducted?

We give 2 week notice for any scheduled maintenance where downtime is required. We conduct any maintenance on non business hours or days. We also rarely require to have to schedule downtime for maintenance, with our current average being roughly once every 1.5 years.

Development practices

What management processes do you have in place to manage cryptographic assets?

We follow industry standard practices with regard to cryptographic asset management. All systems used for storage of cryptographic assets are in compliance with or in the process of being validated under the FIPS 140-2 standard.

What change management process do you have in place?

We practice and follow the industry best practices of continuous delivery of software.

All changes to any production systems go through our peer-reviewed change and release process, using automation tooling and audited systems to introduce all changes. It is this rigorous release process that allows us to both respond quickly to customer feature demands, while ensuring minimal service interruptions globally.

How do you secure your own systems?

Our accounts are secured using multi-factor-authentication mechanisms. Credentials are rotated on a regular basis.

Get in Touch

Any other questions?