Our commitment to security
Infrastructure security
Product security
Application security monitoring
Organizational security and internal security procedures
Incident response & disaster recovery
Data and privacy
Responsible disclosure
Cloud infrastructure: Taktile's services run entirely in the cloud; we do not operate or maintain our own servers. We build on Amazon Web Services (AWS), which lets us serve customers in every geography. AWS maintains high security standards and is rated a leader in cloud security by the research firm Forrester. Its data centers comply with industry standards including SOC 2 Type II and ISO 27001, and AWS operates its own monitoring and alerting systems.
Network security: We use a virtual private cloud (VPC) and segregate private and public traffic into separate subnets. Our production infrastructure is kept separate from our development infrastructure (different AWS accounts and different networks). We restrict open ports and monitor our network configuration on an ongoing basis through automated scans. We also run an intrusion detection system to identify suspicious activity.
Strong isolation of customer workloads: Because decision authors can execute code on our infrastructure, we have invested in robust separation between customers for both compute and storage. Each customer gets a dedicated workspace in which decisions are executed (AWS Lambda) and stored (AWS S3); customers never share Lambda functions or S3 buckets. Multi-tenant infrastructure is used only for operations that do not involve customers' decision data (for example, user management). Every piece of data is associated with exactly one customer, and access requires passing authentication checks.
Data encryption: Data that Taktile captures, stores or processes is encrypted both in transit over public networks and at rest. Data transmitted over public networks is protected with Transport Layer Security (TLS 1.2). Data at rest is encrypted with industry-standard methods. For the customer-specific infrastructure that holds decision data, we use AWS Key Management Service (KMS) to create and manage a separate encryption key per customer.
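As an added illustration of the two preceding points (a dedicated S3 bucket and a dedicated KMS key per customer, with TLS-only transport), the following Python builds the kind of S3 bucket policy that enforces those properties and evaluates sample requests against it. This is example code, not Taktile's own configuration: the account id, region, bucket naming scheme, customer ids and key ids are assumed placeholders, and the request contexts are constructed for the demonstration.

```python
"""Added example (not Taktile's code): per-customer S3 bucket policy that
denies non-TLS requests and any write not encrypted with that customer's KMS key,
plus a minimal evaluator to show which requests it refuses."""
from fnmatch import fnmatchcase
from typing import Optional

ACCOUNT_ID = "123456789012"  # assumed placeholder, not a real account
REGION = "eu-central-1"      # assumed placeholder region


def customer_key_arn(key_id: str) -> str:
    """ARN of the per-customer KMS key (key id is an assumed placeholder)."""
    return f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/{key_id}"


def customer_bucket_policy(customer_id: str, kms_key_arn: str) -> dict:
    """Bucket policy enforcing TLS-only access and SSE-KMS with this customer's key.

    Three separate Deny statements are used on purpose: keys inside one condition
    operator are ANDed, so a single statement cannot express "deny if the
    encryption header is missing OR the key is wrong". An explicit Deny overrides
    any Allow in IAM evaluation, so these hold whatever an identity policy grants.
    """
    bucket_arn = f"arn:aws:s3:::decisions-{customer_id}"  # assumed naming scheme
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Refuse every action unless the request arrived over TLS.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Writes must request SSE-KMS; StringNotEquals also fires when the
                # header is absent, so plaintext uploads are refused.
                "Sid": "DenyUnencryptedUpload",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # ...and the key named must be this customer's, not another tenant's.
                "Sid": "DenyWrongKmsKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}},
            },
        ],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate only the operators used above; this is not the full IAM grammar."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                # A key missing from the request context does not match a Bool test.
                if actual is None or str(actual).lower() != expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operators match when the key is absent from the request.
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def explicit_deny(policy: dict, action: str, resource: str, ctx: dict) -> Optional[str]:
    """Return the Sid of the first Deny statement that matches, or None if none does."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    # Constructed request contexts, shaped as a bucket policy would see them.
    acme = customer_bucket_policy("acme", customer_key_arn("acme-key-id"))
    obj = "arn:aws:s3:::decisions-acme/2024/run-42.json"
    tls = {"aws:SecureTransport": "true"}
    good = {**tls, "s3:x-amz-server-side-encryption": "aws:kms",
            "s3:x-amz-server-side-encryption-aws-kms-key-id": customer_key_arn("acme-key-id")}
    print(explicit_deny(acme, "s3:PutObject", obj, tls))   # DenyUnencryptedUpload
    print(explicit_deny(acme, "s3:PutObject", obj, good))  # None
```

The evaluator covers only the two condition operators the policy uses; it exists to make the deny paths visible, not to replace the IAM policy simulator. In practice the key policy on each customer's KMS key should also restrict kms:Encrypt/kms:Decrypt to that customer's Lambda execution role, so that the S3-side key check cannot be bypassed by a principal that can use another tenant's key.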
Access control: We integrate with customers' single sign-on (SSO) providers and do not manage credentials ourselves. Customers therefore reuse their own identity provider and automatically enforce their own controls, such as password complexity requirements and two-factor authentication (2FA). Within the product, permissions are managed through role-based access control (RBAC).
Vulnerability scanning: Automated scanners check our cloud infrastructure, container images and code dependencies for known vulnerabilities, and static application security testing (SAST) enforces secure coding practices.
Intrusion detection: An intrusion detection system (IDS) monitors our systems for unauthorized access.
Audit trails: We log infrastructure events via AWS CloudTrail and collect detailed application logs in order to track activity on our platform.
Secure development practices: We follow security best practices when developing our applications, including guarding against the OWASP Top 10. Every code change undergoes a mandatory code review that includes checking for security issues. In addition, static application security testing (SAST) detects weaknesses in our codebase, and we scan code dependencies for known vulnerabilities.
External penetration testing: We commission annual penetration tests by third-party security experts to find weaknesses in our systems before malicious actors can exploit them.
Employee access: We follow the principle of least privilege and minimize employee access to production data. Administrators grant access rights through a ticketing process so that every grant is tracked, and we collect audit trails on our data infrastructure to record changes made by employees. All employees must complete data security and privacy training and sign our Access Control Policy.
Incident response: Our team is on call 24/7 to respond to automated alerts, as well as critical issues reported by customers. We have an incident response plan in place and regularly train our employees in incident response.
Business continuity and disaster recovery: Taktile maintains a Business Continuity (BC) policy and a Disaster Recovery (DR) policy. We run annual exercises that walk through how the business would respond and maintain operations in different crisis scenarios, and we keep daily backups of all production systems so that data can be restored promptly.
GDPR and other privacy regulations: We are committed to protecting customer data and helping customers comply with local laws and regulations. Taktile is GDPR compliant and acts as a Data Processor, as outlined in our Data Processing Agreement (DPA). If you would like to see a copy of our DPA, please reach out to your Account Executive.
Regionalized infrastructure to keep sensitive data local: We keep sensitive customer information that flows through our systems as part of the decisioning process in our customers’ preferred AWS region in order to help our customers satisfy their data locality obligations.
Information and deletion requests: We have identifiers in place in order to trace sensitive customer information within our systems and we can retrieve or delete information upon request in order to help our customers satisfy their privacy-related obligations.
Vulnerabilities inbox: You can responsibly disclose vulnerabilities by emailing security@taktile.com. Please include your assessment of the vulnerability's severity and enough detail for us to reproduce and verify it. We offer non-monetary rewards at our discretion.
If you have questions regarding our security or privacy practices or policies, please reach out to your Account Executive or via security@taktile.com.