Tarsal Security

Tarsal is committed to keeping your data safe by following industry-standard practices for securing physical deployments, setting access policies, and leveraging AWS’s security features.

If you have any security concerns with Tarsal, or believe you have discovered a vulnerability, please email us at security@tarsal.co

Securing your data

Tarsal connectors operate as the data pipes moving data from point A to point B: extracting data from data sources, normalizing it, and loading it into destination platforms (warehouses, SIEMs, data lakes) with optional transformation performed in-flight. As soon as data is transferred from the source to the destination, it is purged from Tarsal’s databases.

Sensitive Data

Because Tarsal is not aware of the data being transferred, users are required to follow the Terms of Service and are responsible for ensuring their data transfer is compliant with their jurisdiction.

For more information, see Tarsal’s Privacy Policy

Tarsal stores the following data:

Technical Logs

Technical logs are stored for troubleshooting purposes and may contain sensitive data based on the connection’s state data. If your connection is set to incrementally sync, users choose which column is the cursor for their connection. We strongly recommend setting the cursor to a timestamp like an updated_at column, but users can choose any column they want.


Tarsal retains configuration details and metadata such as table and column names for each connection.

Securing Tarsal

Tarsal leverages AWS’s security features and sets least-privilege access policies to ensure data security.

Physical infrastructure

Tarsal is deployed on AWS with all servers located in the United States. We use isolated pods to ensure your data is kept separate from other customers’ data. Only certain Tarsal staff can access Tarsal infrastructure and technical logs for upgrades, configuration changes, and troubleshooting.

Credential management

Most Tarsal connectors require keys, secrets, or passwords to continually sync without prompting the user for credentials. Tarsal fetches credentials using HTTPS and stores them in AWS’s Secrets Manager. When persisting connector configurations to disk or the database, we store a version of the configuration that points to the secret in AWS Secret Manager, instead of the secret itself, to limit the parts of the system interacting with secrets.


Since Tarsal only transfers data from source to destination and purges the data after the transfer is finished, data in transit is encrypted with TLS, and no in-store encryption is required for the data. Tarsal does store customer metadata and encrypts it using AWS’s encryption service with AES-256-bit encryption keys

All Tarsal connectors pull data through encrypted channels (SSL, SSH tunnel, HTTPS), and the data transfer between our clients’ infrastructure and Tarsal infrastructure is fully encrypted.

Access control

Tarsal supports role-based access control (RBAC).