Our security framework uses best practices in the SaaS industry to support our objectives:
- Data and information integrity. We ensure that customer information is secure at all times, both in transit and at rest.
- Continuous defense. We maintain the availability of our services by proactively minimizing security risks through continuous penetration, vulnerability, and risk assessments.
- Alignment with standards and best practices. Our security practices follow industry guidelines for cloud security.
Tribe & Your Data
Tribe does not mine, store, or attempt to access any special or sensitive categories of personal data.
Tribe collects the following data:
- Contact information such as email and phone number
- Job title, biography, location, social media links, and picture
- IP addresses
- Cookie data (only for service functionality; Tribe does NOT track users across different domains/communities)
Your organization is in control of this data at all times, including how long we store your data and when we delete it. Your company also owns and has full control over users’ contributions to the community, including questions, answers, posts, comments, etc.
The Tribe application has the ability to set user permissions to limit access to data export, moderation, and other features.
You may choose to integrate Tribe with the tools that your company uses to provide a seamless experience. Whether you connect Tribe to a CRM system such as HubSpot (to pass along lead data) or to Zapier (to automate processes), access is based on OAuth2 and data scopes are limited to only the information necessary for Tribe to perform its function. When integrating with analytics tools such as Amplitude, Mixpanel, and Google Analytics, Tribe only sends the user’s unique ID to these platforms.
Lastly, Tribe employee access to your data is provided as necessary for customer support. Access to data is authorized by our Data Protection Officer based on the principle of least privilege and is regulated through our internal information security policies.
Data Security & Encryption
Whether data is being transferred or stored, all customer data is secured with the latest encryption algorithms and technologies.
At rest, all data lives within our DigitalOcean infrastructure located in New York (NYC1) datacenters. All data is encrypted at rest, which means that the data on a Volume is not readable outside of its storage cluster. Additionally, we use LUKS-encrypted disks on our volumes. This means that the disk must be decrypted by the operating system before any data can be read.
During transit, either externally or internally between Tribe services, data is encrypted using TLS 1.2 with 256-bit AES encryption to ensure data protection at all times. Tribe SSL certificates are issued through Let's Encrypt, and when Tribe sends data to third-party systems, data is encrypted by leveraging the SSL certificates owned by our partners. All our agreements with sub-processors require that data only be transferred pursuant to Privacy Shield Certifications or mutually executed Standard Contractual Clauses.
Removable storage or hard copies (such as printed records) are not used and are strictly prohibited by our Security Policies.
Tribe is a SaaS platform that is 100% cloud-based in DigitalOcean. We do not operate our own physical servers, routers, load balancers, or DNS servers. All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network. We use intrusion detection with a robust Security Information and Event Management (SIEM) system to immediately identify and respond to any threats, in coordination with a 24/7 PagerDuty service.
Customer data is stored in multi-tenant datastores and logically separated. Strict privacy controls exist in our application’s code to ensure data privacy and prevention of cross-customer data access. All data in our system are tagged by account and every request to our system requires account context. Any attempt to tamper with an open session results in immediate log-out and rejection of all requests.
File and Database Backups
All production database instances have streaming backups via database replicas in addition to daily full snapshots. These backups are stored in a separate DigitalOcean account which is protected by a multi-factor authentication token. File backups are streamed continuously to the same backup account for disaster recovery purposes.
Security is a critical part of our software development lifecycle (SDLC) and our processes are built to emulate OWASP standards. Tribe utilizes separated staging environments, manual code reviews, and automated static code analysis in order to verify code changes prior to deployment.
We have a continuous deployment model so our customers benefit immediately from resiliency improvements, bug fixes, and upgrades. Further, our development process enables immediate prioritization of critical updates and vulnerability remediations.
If you have further questions, please reach out to email@example.com and we can provide additional detail about the security of your data.