Tarsal is committed to keeping your data safe by following industry-standard practices for securing physical deployments, setting access policies, and leveraging AWS’s security features.
If you have any security concerns with Tarsal, or believe you have discovered a vulnerability, please email us at firstname.lastname@example.org
Securing your data
Tarsal connectors operate as the data pipes moving data from point A to point B: extracting data from data sources, normalizing it, and loading it into destination platforms (warehouses, SIEMs, data lakes) with optional transformation performed in-flight. As soon as data is transferred from the source to the destination, it is purged from Tarsal’s databases.
Because Tarsal is not aware of the data being transferred, users are required to follow the Terms of Service and are responsible for ensuring their data transfer is compliant with their jurisdiction.
Tarsal stores the following data:
Technical logs are stored for troubleshooting purposes and may contain sensitive
data based on the connection’s state data. If your connection is set to
incrementally sync, users choose which column is the cursor for their
connection. We strongly recommend setting the cursor to a timestamp like an
updated_at column, but users can choose any column they want.
Tarsal retains configuration details and metadata such as table and column names for each connection.
Tarsal leverages AWS’s security features and sets least-privilege access policies to ensure data security.
Tarsal is deployed on AWS with all servers located in the United States. We use isolated pods to ensure your data is kept separate from other customers’ data. Only certain Tarsal staff can access Tarsal infrastructure and technical logs for upgrades, configuration changes, and troubleshooting.
Most Tarsal connectors require keys, secrets, or passwords to continually sync without prompting the user for credentials. Tarsal fetches credentials using HTTPS and stores them in AWS’s Secrets Manager. When persisting connector configurations to disk or the database, we store a version of the configuration that points to the secret in AWS Secret Manager, instead of the secret itself, to limit the parts of the system interacting with secrets.
Since Tarsal only transfers data from source to destination and purges the data after the transfer is finished, data in transit is encrypted with TLS, and no in-store encryption is required for the data. Tarsal does store customer metadata and encrypts it using AWS’s encryption service with AES-256-bit encryption keys
All Tarsal connectors pull data through encrypted channels (SSL, SSH tunnel, HTTPS), and the data transfer between our clients’ infrastructure and Tarsal infrastructure is fully encrypted.
Tarsal supports role-based access control (RBAC).