Aug 17, 2022

Data Security

Below is information about our data security. Let us know if you have any questions by emailing support@tribepool.co.

Overview

At Tribe, we want our users to feel that we are handling their sensitive data respectfully, carefully, and with best security practices in mind. Our Privacy Policy details how we use the information given to us, while this page explains how we take care to follow secure practices in building and maintaining our technology to protect our users' information.

Below you can find our security practices in both Development (related to how we build our apps) and Infrastructure (related to how we manage the ongoing use of our apps).

Development

When looking into new features, we treat security as one of the first priorities, so we design with standard security practices in mind.

Encrypt All the Data

We encrypt all identifiable data, not just when we store it but also in transit between our servers and the app on the client device (end-to-end encryption).

Be Careful While Using Third-party Libraries

We look for common threats and fixes before any release.

Use Only the Authorized APIs

We restrict the number of APIs developers use so we can avoid data leaks.

Implement High-Level User Authentication

We use the most common and secure protocol for authentication: OAuth2 with JSON Web Tokens.

Leverage The Principle of Least Privilege (POLP)

The principle of least privilege dictates that code should run with only those permissions that are absolutely essential for its functioning and nothing more.

Test & Update Regularly

Testing is a never-ending process that needs to be performed on a regular basis. We test our apps every release.

Infrastructure

Change Management

We have a change management process for our infrastructure that includes source code control, peer code review, logging, and alerts for unusual behavior. All production changes are deployed with an automated system that detects reliability issues and reverts problematic deploys. Our automation allows us to safely and reliably deploy code to production dozens of times a day.

Availability and Disaster Recovery

Since our service is based entirely in the cloud, our disaster recovery plan is based on best practices from Google for maintaining resiliency in the case of disaster. We use multiple Google availability zones to safeguard against single data-center issues.

Data Encryption in Storage and Transit

We encrypt all Personally Identifiable Information (PII) in transit outside of our private network and at rest in our private network.

Data Isolation

Tribe uses logical separation to process data in a multi-tenant environment. The code controls are tested before every production deploy. Data processing occurs in containerized environments with limited access to external resources. Services use ephemeral credentials to access data stores.

Network Isolation

Tribe limits external access to network services by running them inside of a Virtual Private Cloud (VPC) and blocking all unnecessary ports from external traffic. Access to our production network is limited to necessary personnel, logged, and secured using multi-factor authentication. We use a bastion SSH host to gate all system-level access to production infrastructure.

If you have questions about Tribe's security practices, please email us at support@tribepool.co.