Security & Compliance

Tilt is committed to keeping our Customers’ data private and secure. We implement security and privacy controls, policies and measures throughout our operations and system architecture. This fact sheet describes our security and privacy controls, policies and measures.

Security and Privacy Features

Tilt is built upon a robust cloud infrastructure and is hosted within Amazon Web Services (AWS). When data is sent to us, it is protected. Tilt completed our first SOC 2 Type ll audit in June 2022 and our SOC 2 report is ready to review upon request.

Organizational Controls

Tilt maintains a corporate Information Security program with a dedicated budget and team that covers the entire scope of its operations. Key features include:

  • An information security and privacy strategy, including goals and objectives, is adhered to and updated on a regular basis.
  • All security documentation, including policies and procedures, is kept up to date.
  • Team members receive security awareness training on a regular basis.
  • Whistleblower, complaint and incident reporting processes are available for team members and external users to report issues.

Business Continuity

The Tilt platform is protected against failures through multiple resilience and backup protocols.

  • Data, including customer data, is backed up on a continuous basis.
  • Tilt maintains business continuity and disaster recovery plans, which are tested annually to ensure ongoing effectiveness.
  • Alerts are configured to notify the security team of potential security threats, performance of network infrastructure, and service issues.
  • Service outages are quickly recorded and resolved.
  • The company maintains baselines for capacity management and tracks/forecasts against those baselines.

Change Management

Tilt maintains formal change management and software development life cycle policies that define procedures and requirements for developing, testing and implementing application and infrastructure changes.

  • System and platform changes are authorized, documented, tested, reviewed and approved.
  • Patching of systems is conducted on a regular basis.
  • Separation of duties is implemented so that all changes must undergo review prior to deployment.
  • All changes to production systems are logged and monitored.

Data Protection

Tilt maintains robust defensive and hardening measures to ensure the security of its systems and data.

Data Retention and Disposal

  • Tilt maintains formal data retention and disposal procedures to ensure that secure disposal of corporate and customer data is completed correctly and consistently.
  • If a customer’s contract is terminated or not renewed, all customer data is packaged and sent to the customer so that they may opt to retain it. Data is removed from Tilt systems within 12 months of contract termination or non-renewal.

Encryption

  • Our encryption leverages commonly-used protocols and standards, such as the Advanced Encryption Standard (AES). 
  • All traffic between our platform and external systems is encrypted with at least 256-bit AES encryption.
  • All information stored in our database is fully encrypted.
  • Encryption keys are managed via AWS Key Management technology.

Monitoring

  • Security information and event management (SIEM) software is in place to aggregate and analyze security events.
  • Monitoring systems collect, aggregate and alert upon multiple types of system events, including but not limited to system and data access (including privileged access), changes to infrastructure, network activity, system resources usage and capacity.

Network Security

  • Intrusion detection systems (IDS) and Intrusion prevention systems (IPS) are configured to detect and prevent potentially malicious traffic from entering the network.
  • System firewalls are maintained, with configuration rules reviewed semi-annually.

Physical and Environmental Infrastructure

  • Tilt is hosted in AWS, and inherits security capabilities and services that increase privacy and security. These benefits are passed on to our customers. AWS provides:
    • A robust set of physical and environmental security controls that protect information hosted in AWS data centers.
    • Network and web application firewall capabilities used to tightly control access to networks, servers and applications.
    • High levels of availability and resilience.
    • Reliability and protection against threats such as Distributed Denial-of-Service (DDoS) attacks.

Incident Management

Tilt maintains formal processes for responding, handling and tracking security incidents. After incidents are confirmed, Tilt immediately implements a containment process to reduce the magnitude of the incident and track to resolution. Incident response plans are tested annually to ensure ongoing effectiveness.

Logical Access Control

Tilt maintains robust access control policies and procedures to ensure that all corporate and customer data is protected from unauthorized access.

  • Access to Tilt systems is granted based on a team member’s need to know, which is derived from their job responsibilities. Access is immediately removed upon team member separation or when no longer needed.
  • All access to systems follows the least privilege concept, with team members only having access rights that are specifically needed.
  • Tilt performs access reviews on a regular basis to validate access based on need to know and least privilege.
  • The company leverages password complexity and multi-factor authentication requirements for login to its systems.

Risk Management

Tilt leverages a formal risk management process that informs the security controls, policies and measures that are implemented. Risk assessments are performed on a regular basis, and identify key threat and vulnerability scenarios concerning data processing, internal controls, business objectives, fraud, technology environments and regulatory landscapes.

Tilt carries various forms of insurance as part of its risk management program.

Further, Tilt also performs external penetration testing and vulnerability scanning on a periodic basis. Critical vulnerabilities are assessed by management and remediation is tracked closely.

Vendor Management

To ensure the integrity of its supply chain, Tilt maintains strict vendor management protocols.

  • Vendor services and relationships are considered as part of risk management processes.
  • Updates and modifications to vendor terms and contracts are reviewed and approved prior to execution.
  • Critical vendors are reviewed on a periodic basis.
  • Tilt maintains procurement procedures for the purchase, development, and maintenance of information systems, system components, or information system services from technology suppliers.

Compliance and Certifications

SOC 2

Tilt maintains an information security program that meets the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria (TSC) for security. Tilt completed SOC 2 Type ll audit and report in June 2022.

Contact the Security Team

For questions about Tilt’s security and privacy program, or to report a concern or potential incident, contact our team at security@ourtilt.com.