# How we keep your data safe

# Tarsal Security

Tarsal is committed to keeping your data safe by following industry-standard
practices for securing physical deployments, setting access policies, and
leveraging AWS's security features.

If you have any security concerns with Tarsal, or believe you have discovered a
vulnerability, please email us at [security@tarsal.co](mailto:security@tarsal.co).

## Securing your data

Tarsal connectors operate as the data pipes moving data from point A to point B:
extracting data from data sources, normalizing it, and loading it into
destination platforms (warehouses, SIEMs, data lakes) with optional
transformation performed in-flight. As soon as data is transferred from the
source to the destination, it is purged from Tarsal’s databases.

## Sensitive Data

Because Tarsal is not aware of the data being transferred, users are required to
follow the [Terms of Service](https://www.tarsal.co/terms) and are responsible
for ensuring their data transfer is compliant with their jurisdiction.

For more information, see
[Tarsal’s Privacy Policy](https://tarsal.co/privacy-policy).

Tarsal stores the following data:

### Technical Logs

Technical logs are stored for troubleshooting purposes and may contain sensitive
data based on the connection’s state data. For connections set to sync
incrementally, users choose which column serves as the cursor for the
connection. We strongly recommend setting the cursor to a timestamp like an
`updated_at` column, but users can choose any column they want.

### Metadata

Tarsal retains configuration details and metadata such as table and column names
for each connection.

# Securing Tarsal

Tarsal leverages AWS's security features and sets least-privilege access
policies to ensure data security.

## Physical infrastructure

Tarsal is deployed on AWS with all servers located in the United States. We use
isolated pods to ensure your data is kept separate from other customers’ data.
Only certain Tarsal staff can access Tarsal infrastructure and technical logs
for upgrades, configuration changes, and troubleshooting.

## Credential management

Most Tarsal connectors require keys, secrets, or passwords to continually sync
without prompting the user for credentials. Tarsal fetches credentials using
HTTPS and stores them in AWS Secrets Manager. When persisting connector
configurations to disk or the database, we store a version of the configuration
that points to the secret in AWS Secrets Manager, instead of the secret itself,
to limit the parts of the system interacting with secrets.
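
The reference-instead-of-secret pattern described above, as an added example that is not Tarsal's code. The field names, the `_secret_ref` marker, and the in-memory store standing in for a managed secret store are assumptions made so the example runs offline.

```python
import json
import uuid

SECRET_FIELDS = {"password", "api_key", "private_key"}  # assumed field names
REF = "_secret_ref"  # hypothetical marker meaning "look this up in the secret store"


class InMemorySecretStore:
    """Offline stand-in for a managed secret store; not a real AWS client."""

    def __init__(self):
        self._values = {}

    def put(self, value):
        ref = f"connector-secret/{uuid.uuid4()}"
        self._values[ref] = value
        return ref

    def get(self, ref):
        return self._values[ref]


def externalize(node, store):
    """Return a copy that is safe to persist: secret values become references."""
    if isinstance(node, dict):
        return {k: ({REF: store.put(v)} if k in SECRET_FIELDS and isinstance(v, str)
                    else externalize(v, store)) for k, v in node.items()}
    if isinstance(node, list):
        return [externalize(v, store) for v in node]
    return node


def hydrate(node, store):
    """Resolve references in memory just before a sync; never persist the result."""
    if isinstance(node, dict):
        if set(node) == {REF}:
            return store.get(node[REF])
        return {k: hydrate(v, store) for k, v in node.items()}
    if isinstance(node, list):
        return [hydrate(v, store) for v in node]
    return node


def leaks_plaintext(persisted, secrets):
    """Guard for tests or CI: does the serialised config contain any raw secret?"""
    blob = json.dumps(persisted)
    return any(s in blob for s in secrets)


# Constructed sample connector configuration (all values are made up).
SAMPLE = {"host": "db.example.internal", "user": "sync", "password": "constructed-pw-1",
          "tunnel": {"method": "ssh", "private_key": "constructed-key-2"}}
```

Only `hydrate` touches plaintext, so access to the secret store can be restricted to the component that runs it.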

## Encryption

Data in transit is encrypted with TLS. Because Tarsal only transfers data from
source to destination and purges it after the transfer is finished, no in-store
encryption is required for that data. Tarsal does store customer metadata and
encrypts it using AWS’s encryption service with 256-bit AES encryption keys.

All Tarsal connectors pull data through encrypted channels (SSL, SSH tunnel,
HTTPS), and the data transfer between our clients' infrastructure and Tarsal
infrastructure is fully encrypted.

## Access control

Tarsal supports role-based access control (RBAC).
