Enterprise-Grade Security, Built Into Every Layer
Your observability data contains the inner workings of your production systems. We treat that responsibility seriously — from the cryptographic primitives we use to the background checks every TigerOps employee undergoes before accessing production infrastructure.
Compliance You Can Rely On
TigerOps undergoes rigorous independent audits to validate our security controls. We maintain certifications relevant to enterprise and regulated industries.
- SOC 2: Annual audit by an independent AICPA-accredited firm covering the Security, Availability, and Confidentiality trust service criteria. Report available under NDA.
- GDPR: Full compliance with the EU General Data Protection Regulation. We offer Standard Contractual Clauses, a DPA, and EU data residency for enterprise customers.
- CCPA / CPRA: Compliant with the California Consumer Privacy Act and California Privacy Rights Act. We support data subject access requests and deletion rights, and we do not sell personal data.
- HIPAA: Business Associate Agreements available for Enterprise customers in healthcare. Contact our sales team to request a BAA before transmitting PHI to the platform.
Security questionnaires, SOC 2 reports, and compliance documentation are available to qualified Enterprise prospects. Contact our security team to request access.
Infrastructure Security
TigerOps runs on hardened cloud infrastructure with defense-in-depth controls at every layer.
Encryption at Rest
- AES-256-GCM encryption for all stored data
- Separate encryption keys per customer workspace
- CMEK (Customer-Managed Encryption Keys) for Enterprise
- Key rotation on a 90-day cycle
- Hardware Security Module (HSM) backed key storage
Encryption in Transit
- TLS 1.3 enforced for all API and agent traffic
- TLS 1.2 is the minimum accepted version; older protocol versions are rejected
- HSTS headers with long max-age for web UI
- Certificate pinning for the TigerOps agent
- Perfect forward secrecy on all cipher suites
Isolated VPC Architecture
- Deployed in dedicated AWS Virtual Private Cloud
- Private subnets with no direct internet exposure
- Security groups and NACLs for traffic segmentation
- Bastion-less access via AWS Systems Manager
- Immutable infrastructure with automated provisioning
Multi-Region Redundancy
- Active-active multi-AZ deployment in primary region
- Data replicated across 3 availability zones
- Cross-region disaster recovery (Enterprise)
- RPO < 1 hour, RTO < 4 hours for Enterprise
- Automated failover with health monitoring
Your Data Stays Yours
We are a custodian of your observability data, not its owner. Our architecture enforces hard boundaries between customers, and your data is never used to benefit other customers.
We publish our data retention practices, support right-to-deletion workflows, and make it easy to export your data at any time — even on the Free plan.
Tenant Isolation
- Hard logical isolation between customer workspaces
- Separate S3 bucket prefixes and DynamoDB key namespaces per tenant
- No cross-tenant query paths in API layer
- Tenant ID enforced at database row level
Data Retention Controls
- Configurable retention per data type (metrics, logs, traces)
- Automatic purge enforcement — data is deleted, not just hidden
- Retention policy audit log accessible from your account
- Enterprise: 15-month hot retention with custom TTL rules
Right to Deletion
- Immediate deletion API available on all paid plans
- Account deletion triggers 90-day data purge workflow
- Cryptographic erasure for CMEK customers (instant)
- Deletion verification certificate available on request
Data Processing Agreements
- Standard DPA available at tigerops.io/legal/dpa
- Countersigned DPA for Enterprise customers
- Standard Contractual Clauses for EU/UK transfers
- Published sub-processor list, with advance notification of any changes
Application Security Controls
Access controls, authentication hardening, and full audit visibility so you know exactly who did what, and when.
SSO & SAML
- SAML 2.0 and OIDC for Enterprise customers
- Compatible with Okta, Azure AD, OneLogin, Google Workspace
- Just-in-time (JIT) user provisioning on first SSO login
- SCIM 2.0 for automated user lifecycle management
- Fallback authentication for break-glass scenarios
Role-Based Access Control
- Owner, Admin, Editor, and Viewer roles out-of-the-box
- Custom role definitions for Enterprise
- Resource-level permissions for dashboards and alerts
- API key scoping — create keys with minimum required permissions
- Team-based access policies for multi-team organizations
Audit Logging
- Immutable audit log for all admin and data access events
- 30-day audit retention on Pro, unlimited on Enterprise
- Exportable to your SIEM via webhook or S3
- Covers user login, data queries, config changes, and API key usage
- Tamper-evident, SHA-256 hash-chained log entries
API Key Management
- Scoped API keys with per-resource permissions
- Key expiration dates and automatic rotation reminders
- IP allowlist restrictions per key
- Usage analytics and anomaly alerts per key
- Instant revocation with full audit trail
Two-Factor Authentication
- TOTP (time-based one-time passwords) via authenticator apps such as Google Authenticator and Authy
- WebAuthn / hardware security keys (YubiKey, FIDO2)
- SMS OTP as fallback (discouraged for high-security accounts)
- Org-level enforcement of 2FA for all team members
- Recovery codes with secure generation and one-time use
Session Security
- Short-lived session tokens (8-hour TTL for UI)
- Refresh token rotation with family revocation
- Active session management — view and terminate sessions
- Automatic logout on inactivity (configurable)
- Session binding to IP and user-agent fingerprint
Network-Level Protection
Multiple layers of network defense ensure the Service remains available and your traffic is never exposed to untrusted networks.
DDoS Protection
- AWS Shield Advanced for L3/L4 DDoS mitigation
- Automatic traffic scrubbing at the CDN edge
- 24/7 DDoS response team monitoring
- Capacity headroom sized for 10x normal traffic
Web Application Firewall
- AWS WAF with managed rule groups
- OWASP Top 10 rule sets enabled
- Custom rules for TigerOps-specific threat patterns
- Bot management and credential stuffing protection
Rate Limiting
- Per-IP and per-API-key rate limiting
- Adaptive limits based on behavior patterns
- Graceful degradation with HTTP 429 responses
- Burst allowances for legitimate high-volume ingestion
IP Allowlisting
- IP allowlist enforcement for API access (Enterprise)
- Static egress IP ranges for allowlisting in your firewall
- IPv4 and IPv6 support
- Per-API-key and per-workspace allowlists
Operational Security
Security is a culture, not a checkbox. Every TigerOps team member is part of our security program.
Employee Background Checks
All TigerOps employees undergo comprehensive background screening prior to employment, including criminal history, employment verification, and identity verification. Contractors with production access receive equivalent screening.
Security Awareness Training
Every employee completes mandatory security awareness training at onboarding and annually thereafter. Training covers phishing recognition, social engineering, secure coding practices, and data handling responsibilities.
Incident Response Plan
TigerOps maintains a documented, tested incident response plan. In the event of a security incident affecting customer data, we will notify affected customers within 72 hours of discovery, in accordance with GDPR Article 33 requirements.
Vulnerability Management
We run continuous automated vulnerability scanning on all production systems. Critical CVEs are patched within 24 hours; high-severity within 72 hours; medium-severity within 14 days. We maintain a Software Bill of Materials (SBOM) for all production services.
Access Management
Production access is granted on a least-privilege, need-to-know basis. All production access is time-limited, recorded, and reviewed quarterly. Engineers access production via MFA-enforced jump hosts with full session recording.
Vendor Risk Management
All third-party vendors with access to TigerOps infrastructure or customer data undergo security assessment before onboarding. We maintain a published sub-processor list and notify customers 10 business days before adding new vendors.
Third-Party Penetration Testing
TigerOps commissions annual penetration tests conducted by independent, CREST-certified security firms. Tests cover external network, web application, API, and authenticated internal access scenarios.
Responsible Disclosure Program
We believe coordinated vulnerability disclosure is essential to the security of the internet. If you have discovered a security vulnerability in TigerOps, we want to hear from you.
How to Report
Email: [email protected]
Encrypt your report using our PGP key (available on request).
Please include: affected URL or component, reproduction steps, and potential impact.
Our Commitments to Researchers
- Acknowledge your report within 24 hours
- Provide status updates at least every 7 days
- Notify you when the issue is remediated
- Credit you in our security acknowledgments (if desired)
- Not pursue legal action for good-faith disclosures
- Consider monetary rewards for critical vulnerabilities
Out of scope: Social engineering attacks on TigerOps employees, physical security attacks, denial of service testing, automated vulnerability scanning without prior permission, and attacks on customer workspaces you do not own.
Security Questions?
Our security team is available to answer questions from enterprise prospects, existing customers, and security researchers.
We provide security questionnaire support, SOC 2 report access (under NDA), and custom security reviews for enterprise procurement.
© 2026 TigerOps, Inc. All rights reserved.