Our security framework uses best practices in the SaaS industry to support our objectives:
- Data and information integrity. We ensure that customer information is secure at all times, both in transit and at rest.
- Continuous defense. We maintain the availability of our services by proactively minimizing any security risks through continuous penetration, vulnerability, and risk assessments.
- Alignment with standards and best practices. Our security practices follow industry guidelines for cloud security.
We would be happy to share the results of our third-party penetration test (Pentest). Please contact our team and request a copy of the Pentest report.
Tribe's security practices apply to all members of staff, independent contractors, and anyone with direct access to our internal systems and/or unescorted access to Tribe’s office space. Before gaining initial access to systems, all employees must agree to confidentiality terms and pass a background screening.
Upon termination of employment at Tribe, all access is removed immediately.
Tribe adheres to the principle of least privilege – employees are given access only to the data that they must handle in order to fulfill their current job responsibilities. Employees are granted access to a small number of internal systems upon hire, but any requests for additional access must be approved by the system owner or their direct manager.
Where possible, Tribe employs multi-factor authentication for administrative access to systems containing any sensitive data.
Third Party Service Providers
Tribe uses third party providers for some aspects of our operations. Where those organizations may impact the security of our production environment or customer data, we take appropriate steps to ensure that Tribe’s security posture is maintained. Tribe establishes agreements with all third party providers that require them to adhere to confidentiality commitments we make to our customers.
Tribe infrastructure is hosted on DigitalOcean. The DigitalOcean data centers are equipped with multiple levels of physical access barriers including:
- Outer perimeter fencing that is crash rated for vehicles
- Electronic access cards
- Video surveillance
- Internal trip lights
Technical Security Measures
Data Security & Encryption
Whether data is being transferred or stored, all customer data is secured with the latest encryption algorithms and technologies.
At rest, all data lives within our DigitalOcean infrastructure located in New York (NYC1) data centers. All data is encrypted at rest, which means that the data on a Volume is not readable outside of its storage cluster. Additionally, we use LUKS-encrypted disks on our volumes. This means that the disk must be decrypted by the operating system in order to read any data.
During transit, either externally or internally between Tribe services, data is encrypted using TLS 1.2 with AES 256-bit encryption to ensure data protection at all times. Tribe SSL certificates are issued through Let's Encrypt, and when Tribe sends data to third-party systems, data is encrypted by leveraging the SSL certificates owned by our partners. All our agreements with sub-processors require that data only be transferred pursuant to Privacy Shield Certifications or mutually executed Standard Contractual Clauses.
Removable storage or hard copies (such as printed records) are not used and are strictly prohibited by our Security Policies.
Logging and Monitoring
All access to production systems is logged and monitored by Tribe’s operations team. We review and approve each request for elevated access in the production environment to ensure that it meets a legitimate business need, and this access expires automatically. Additionally, any direct system access to production servers requires a private key that has been countersigned by one of our administrative users.
Tribe is a SaaS platform that is 100% cloud-based in DigitalOcean. We do not operate our own physical servers, routers, load balancers, or DNS servers. All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network. We use intrusion detection with a robust Security Information and Event Management (SIEM) system to immediately identify and respond to any threats, in coordination with a 24/7 PagerDuty service.
Customer data is stored in multi-tenant datastores and logically separated. Strict privacy controls exist in our application’s code to ensure data privacy and prevention of cross-customer data access. All data in our system are tagged by account and every request to our system requires account context. Any attempt to tamper with an open session results in immediate log-out and rejection of all requests.
File and Database Backups
All production database instances have streaming backups via database replicas in addition to daily full snapshots. These backups are stored in a separate DigitalOcean account which is protected by a multi-factor authentication token. File backups are streamed continuously to the same backup account for disaster recovery purposes.
Security is a critical part of our software development lifecycle (SDLC) and our processes are built to emulate OWASP standards. Tribe utilizes separated staging environments, manual code reviews, and automated static code analysis in order to verify code changes prior to deployment.
We have a continuous deployment model so our customers benefit immediately from resiliency improvements, bug fixes, and upgrades. Further, our development process enables immediate prioritization of critical updates and vulnerability remediations.
Tribe & Your Data
Tribe does not mine, store, or attempt to access any special or sensitive categories of personal data.
Tribe collects the following data:
- Contact information such as email and phone number
- Job title, biography, location, social media links, and picture
- IP addresses
- Cookie data (only for service functionality; Tribe does NOT track users across different domains/communities)
Your organization is in control of this data at all times, including how long we store your data and when we delete it. Your company also owns and has full control over users’ contributions to the community, including questions, answers, posts, comments, etc.
The Tribe application has the ability to set user permissions to limit access to data export, moderation, and other features.
You may choose to integrate Tribe with the tools that your company uses to provide a seamless experience. Whether you connect Tribe to your CRM systems such as HubSpot (to pass along lead data) or Zapier (to automate processes), access is based on OAuth2 and data scopes are limited to only the necessary information for Tribe to perform its function. When integrating with analytics tools such as Amplitude, Mixpanel, and Google Analytics, Tribe only sends the user’s unique ID to these platforms.
Lastly, Tribe employee access to your data is provided as necessary for customer support. Access to data is authorized by our Data Protection Officer based on the principle of least privilege and is regulated through our internal information security policies.
Tribe runs a generous bug bounty program and rewards security researchers for reporting valid vulnerabilities in the community solution.
If you have further questions, please reach out to firstname.lastname@example.org and we can provide additional detail about the security of your data.