Below you can find our security practices in both Development (related to how we build our apps) and Infrastructure (related to how we manage the ongoing use of our apps).
When looking into new features, we treat security as one of the first priorities, so we design with standard security practices in mind.
Encrypt All the Data
We encrypt all identifiable data, not just when we store it but also in transit between our servers and the app on the client device (end-to-end encryption).
Be Careful While Using Third-party Libraries
We look for common threats and fixes before any release.
Use Only the Authorized APIs
We restrict the number of APIs developers use so we can avoid data leaks.
Implement High-Level User Authentication
We use the most common and secure protocol for authentication: OAuth2 with JSON Web Tokens.
Leverage The Principle of Least Privilege (POLP)
The principle of least privilege dictates that code should run with only those permissions that are absolutely essential for its functioning, and nothing more.
Test & Update Regularly
Testing and updating is a never-ending process that needs to be performed on a regular basis. We test our apps every release.
We have a change management process for our infrastructure that includes source code control, peer code review, logging, and alerts for unusual behavior. All production changes are deployed with an automated system that detects reliability issues and reverts problematic deploys. Our automation allows us to safely and reliably deploy code to production dozens of times a day.
Availability and Disaster Recovery
Since our service is based entirely in the cloud, our disaster recovery plan is based on best practices from Google for maintaining resiliency in the case of disaster. We use multiple Google availability zones to safeguard against single data-center issues.
Data Encryption in Storage and Transit
We encrypt all Personally Identifiable Information (PII) in transit outside of our private network and at rest in our private network.
Tribe uses logical separation to process data in a multi-tenant environment. The code controls are tested before every production deploy. Data processing occurs in containerized environments with limited access to external resources. Services use ephemeral credentials to access data stores.
Tribe limits external access to network services by running them inside of a Virtual Private Cloud (VPC) and blocking all unnecessary ports from external traffic. Access to our production network is limited to necessary personnel, logged, and secured using multi-factor authentication. We use a bastion SSH host to gate all system-level access to production infrastructure.
If you have questions about Tribe's security practices, please email us at email@example.com.