Security & Compliance

TIDALBAY is designed with security at its foundation. This document outlines our security architecture, data handling practices, and compliance certifications.

Data Encryption

All data is encrypted both in transit and at rest:

  • In transit: TLS 1.3 for all API and web traffic
  • At rest: AES-256 encryption for all stored data
  • Database: Transparent data encryption (TDE) enabled
  • Backups: Encrypted with separate key management

Authentication & Access Control

TIDALBAY supports enterprise authentication standards:

  • SSO: SAML 2.0 and OpenID Connect
  • MFA: Required for all admin accounts
  • RBAC: Role-based access control with configurable permissions
  • API Keys: Scoped API keys with rate limiting
  • Session Management: Configurable session timeouts and concurrent session limits

SSO Configuration

For SSO setup instructions, contact your TIDALBAY account manager or visit Support.

Infrastructure

TIDALBAY runs on enterprise-grade cloud infrastructure:

  • Hosting: AWS with multi-AZ deployment
  • Availability: 99.99% uptime SLA (Enterprise)
  • Regions: US, EU, and APAC data residency options
  • Disaster Recovery: RPO < 1 hour, RTO < 4 hours
  • Network: VPC isolation, WAF, DDoS protection

Compliance Certifications

  Certification    Status      Scope
  SOC 2 Type II    Certified   Security, Availability, Confidentiality
  ISO 27001        Certified   Information Security Management
  GDPR             Compliant   EU data protection requirements
  HIPAA            Compliant   Healthcare data (BAA available)
  CCPA             Compliant   California consumer privacy

Compliance Reports

SOC 2 reports and other compliance documentation are available under NDA. Contact security@tidalbay.com to request access.

Data Handling

Data Collected

TIDALBAY processes security event data from connected integrations:

  • Authentication events (login attempts, MFA usage)
  • Email security events (phishing reports, suspicious emails)
  • Endpoint events (malware detections, policy violations)
  • Training completion records
  • Employee directory information (name, email, department)

Data Retention

  • Event data: Configurable retention (default: 12 months)
  • Score history: Retained for the duration of the subscription
  • Audit logs: 24 months minimum
  • Deleted data: Purged within 30 days of deletion request

Vulnerability Management

TIDALBAY maintains a comprehensive vulnerability management program:

  • Regular penetration testing by independent third parties
  • Automated vulnerability scanning (daily)
  • Bug bounty program for responsible disclosure
  • Security patches applied within 24 hours for critical vulnerabilities

Incident Response

Our incident response process follows industry best practices:

  1. Detection: 24/7 monitoring with automated alerting
  2. Response: Security team engaged within 15 minutes
  3. Notification: Customer notification within 72 hours per GDPR requirements
  4. Resolution: Root cause analysis and remediation
  5. Review: Post-incident review and process improvements

Security Inquiries

For security questions or to report a vulnerability, contact our security team at security@tidalbay.com.