How we keep your data safe
Tarsal Security
Tarsal is committed to keeping your data safe by following industry-standard practices for securing physical deployments, setting access policies, and leveraging AWS’s security features.
If you have any security concerns with Tarsal, or believe you have discovered a vulnerability, please email us at security@tarsal.co.
Securing your data
Tarsal connectors operate as the data pipes moving data from point A to point B: extracting data from data sources, normalizing it, and loading it into destination platforms (warehouses, SIEMs, data lakes) with optional transformation performed in-flight. As soon as data is transferred from the source to the destination, it is purged from Tarsal’s databases.
Sensitive Data
Because Tarsal is not aware of the data being transferred, users are required to follow the Terms of Service and are responsible for ensuring their data transfer is compliant with their jurisdiction.
For more information, see Tarsal’s Privacy Policy.
Tarsal stores the following data:
Technical Logs
Technical logs are stored for troubleshooting purposes and may contain sensitive data, depending on the connection’s state data. If a connection is set to incrementally sync, users choose which column is the cursor for that connection. We strongly recommend setting the cursor to a timestamp like an updated_at column, but users can choose any column they want.
Metadata
Tarsal retains configuration details and metadata such as table and column names for each connection.
Securing Tarsal
Tarsal leverages AWS’s security features and sets least-privilege access policies to ensure data security.
Physical infrastructure
Tarsal is deployed on AWS with all servers located in the United States. We use isolated pods to ensure your data is kept separate from other customers’ data. Only certain Tarsal staff can access Tarsal infrastructure and technical logs for upgrades, configuration changes, and troubleshooting.
Credential management
Most Tarsal connectors require keys, secrets, or passwords to continually sync without prompting the user for credentials. Tarsal fetches credentials using HTTPS and stores them in AWS Secrets Manager. When persisting connector configurations to disk or the database, we store a version of the configuration that points to the secret in AWS Secrets Manager, instead of the secret itself, to limit the parts of the system interacting with secrets.
Encryption
Because Tarsal only transfers data from source to destination and purges it once the transfer is finished, the data is encrypted in transit with TLS and no encryption at rest is required for it. Tarsal does store customer metadata, and encrypts it using AWS’s encryption service with AES-256 encryption keys.
All Tarsal connectors pull data through encrypted channels (SSL, SSH tunnel, HTTPS), and the data transfer between our clients’ infrastructure and Tarsal infrastructure is fully encrypted.
Access control
Tarsal supports role-based access control (RBAC).