Security at TigerGate

Your security is our top priority. Learn about our security practices, certifications, and commitment to protecting your data.

SOC 2 Type II

Certified and audited annually

ISO 27001

Information security certified

GDPR Compliant

EU data protection standards

Data Encryption

Encryption at Rest

All data stored in TigerGate is encrypted with AES-256. Database encryption, backup encryption, and file storage encryption are enabled by default across all environments.

  • PostgreSQL: Transparent Data Encryption (TDE) with AES-256
  • ClickHouse: Column-level encryption for sensitive data
  • S3 Storage: Server-side encryption with AWS KMS
  • Backups: Encrypted before storage with separate keys

Encryption in Transit

All data transmitted between TigerGate components and external services uses TLS 1.3 with perfect forward secrecy. We enforce HTTPS for all web traffic and mTLS for internal service communication.

  • TLS 1.3 for all HTTPS connections
  • mTLS for service-to-service communication
  • Certificate pinning for mobile applications
  • Automatic certificate rotation

Access Control

  • Role-Based Access Control (RBAC): Granular permissions based on job functions, following the principle of least privilege
  • Multi-Factor Authentication (MFA): Required for all users with support for TOTP, WebAuthn, and hardware security keys
  • Single Sign-On (SSO): Integration with Okta, Azure AD, Google Workspace, and SAML 2.0 providers
  • Session Management: Automatic session expiration, device tracking, and anomaly detection
  • API Security: API keys with scoped permissions, rate limiting, and IP whitelisting

Infrastructure Security

  • Cloud Infrastructure: Hosted on SOC 2 certified cloud providers (AWS, GCP) with VPC isolation
  • Network Segmentation: Separate networks for production, staging, and development environments
  • Firewall Rules: Default-deny firewall policies with strict ingress/egress controls
  • DDoS Protection: Cloudflare Enterprise with automatic DDoS mitigation
  • Intrusion Detection: Real-time IDS/IPS monitoring with automated alerting
  • Container Security: Signed images, vulnerability scanning, and runtime protection

Application Security

  • Secure Development: Security training for all engineers, secure coding guidelines, and code review requirements
  • Static Analysis: Automated SAST scanning with Semgrep on every commit
  • Dependency Scanning: Continuous SCA monitoring for vulnerable dependencies with auto-patching
  • Secrets Management: HashiCorp Vault for credential storage with automatic rotation
  • Penetration Testing: Annual third-party pentests and continuous bug bounty program
  • Vulnerability Disclosure: Responsible disclosure program at [email protected]

Monitoring and Logging

  • Security Monitoring: 24/7 SOC with SIEM integration (Splunk, Datadog)
  • Audit Logs: Comprehensive logging of all user actions, API calls, and system events
  • Alerting: Real-time alerts for suspicious activity with PagerDuty integration
  • Log Retention: 90 days in hot storage, 7 years in cold storage for compliance
  • Tamper Protection: Immutable logs with cryptographic verification

Incident Response

TigerGate maintains a comprehensive incident response plan with defined procedures for detection, containment, eradication, and recovery.

  • Incident Response Team: Dedicated security team available 24/7
  • Response Time: Critical incidents acknowledged within 15 minutes
  • Communication: Status page updates and email notifications to affected customers
  • Post-Incident Review: Root cause analysis and remediation for all security incidents

Data Privacy and Residency

  • Data Minimization: We collect only the metadata necessary for security monitoring (no application data or file contents)
  • Data Residency: Choose where your data is stored (US, EU, APAC regions available)
  • Data Portability: Export all your data in JSON/CSV format at any time
  • Data Deletion: Complete data deletion within 30 days of account closure
  • GDPR/CCPA Rights: Full support for data subject access requests

Compliance and Certifications

Current Certifications

  • SOC 2 Type II (Security, Availability, Confidentiality)
  • ISO 27001:2013 (Information Security Management)
  • GDPR Compliant (EU Data Protection)
  • CCPA Compliant (California Privacy Rights)
  • HIPAA Ready (Healthcare environments)

Framework Alignment

  • NIST Cybersecurity Framework
  • CIS Controls v8
  • OWASP Top 10
  • PCI-DSS v3.2.1 (for payment processing)
  • FedRAMP (in progress)

Vulnerability Disclosure

We welcome security researchers to responsibly disclose vulnerabilities. Our vulnerability disclosure program includes:

  • Bug Bounty Program: Rewards for valid security findings (up to $10,000 for critical vulnerabilities)
  • Response Time: Initial response within 24 hours for all reports
  • Safe Harbor: We will not pursue legal action for good-faith security research
  • Recognition: Hall of fame for security researchers (with permission)

Report a vulnerability: [email protected]

PGP Key: Download PGP Public Key

Security Contact

For security-related questions, vulnerability reports, or to request a security audit report:

Email: [email protected]

Security Portal: security.tigergate.io

Status Page: status.tigergate.io