Security & Compliance

Here’s how we ensure the security of your data:

Data Encryption

• At Rest: We use AES-256 encryption to protect your data stored on our systems.
• In Transit: All data is encrypted using TLS 1.2 or higher during transmission.

Access Controls

• Multi-Factor Authentication (MFA): Required for all privileged accounts to strengthen security.
• Role-Based Access Control (RBAC): Access is granted based on roles and responsibilities.
• Least Privilege Principle: Access is limited to the minimum necessary for each role.
• Controlled Employee Access: Access to customer data by employees is limited to a subset with clear roles in support, development, and security.

Monitoring and Logging

• Continuous monitoring and logging of security events, including data access and privileged account activity.
• Logs are securely retained for a minimum of 12 months for auditing and forensic purposes.

Vulnerability Management

• Continuous cloud security posture management and regular code scanning.
• Annual penetration testing of our applications and infrastructure.
• Prompt remediation of vulnerabilities within defined timeframes. Exceptions require approval from senior leadership.

Incident Response

• Robust Incident Response Plan to address security incidents.
• If a breach involving customer data occurs, we notify affected customers within three business days and provide timely updates.

Compliance

• SOC 2 Type II: Tilt undergoes an annual audit by an independent third-party auditor.
• Penetration Testing: Annual testing performed by trusted external partners.

Data Backup and Recovery

• Regular backups with tested recovery processes ensure data restoration within 24 hours.
• Backups are stored securely across multiple locations for redundancy.