TINYpulse Security and Compliance

GDPR

At TINYpulse, we have always taken security and privacy of data seriously from the beginning. With the EU General Data Protection Regulation (GDPR) becoming effective on May 25, 2018, we have worked to update our policies and practices to align with the new GDPR requirements and principles. GDPR specific updates can be found at the following links, or you can contact us at privacy@tinypulse.com for additional information.

Privacy Policy provides updated notice regarding data subject rights, and our online form to assist in responding to data subject access requests.

Data Processing Addendum is available for our Subscribers and Vendors.

Below is a high-level description of the technical and organizational measures TINYpulse has implemented to ensure a level of security appropriate to the risks as required by GDPR Article 32.

Culture of Security

We've been security-minded since day one, putting security first in every step of the development lifecycle. Our entire TINYpulse product team has been through security training and holds one another's work accountable through regular code reviews, penetration tests, and vulnerability scans.

• Whole-disk encryption
• Access controls at per-thread granularity
• Whitelisting of individual processes, users, ports, and addresses
• AES 256 encryption
• Regular penetration tests and vulnerability scans
• A strong Software Development Lifecycle (SDLC)

Certifications and Compliance

Our internationally recognized certifications speak volumes about TINYpulse's commitment to data security.

TINYpulse is a native cloud application and uses AWS technologies. AWS's data center operations have been accredited under:

Physical Security, Logical Data Separation, and Encryption

TINYpulse operates in ISO-certified workrooms with PCI DSS Service Level 1 compliance. We keep data logically separate and tag all data by organization throughout the lifecycle. No data is transmitted to TINYpulse without encryption. AES 256-bit encryption protects all data at rest, and spinning disks are encrypted at the OS level. Data is kept for long term on Amazon S3, encrypted by a customer key that is changed every 24 hours.

User-Level Security

TINYpulse maintains stringent password standards. A secure session ID tracking mechanism ensures that only authorized users are able to authenticate. Finally, TINYpulse's Role Based Access Control (RBAC) features allow our customers to set up per-user permissions to all of their data from the admin console.

Testing Program

The TINYpulse security team runs scans on all new servers to check for vulnerabilities. On a weekly basis, we run fully credentialed scans of every new code build including: