Tailscale Security Policies

Tailscale has several security policies in place to properly identify, respond to, and mitigate potential security risks. All employees, vendors and contractors working with Tailscale must follow these policies in order to best protect Tailscale’s and its customers’ data.

We’ve published these publicly for transparency, so that you can see where we are in terms of security maturity. We also hope you use these to adopt similar policies and processes at your organization.

Since these are our internal policies, some links to internal documents or resources are only visible to employees.

This repository is the source of truth for the policies available at https://tailscale.com/security-policies/.

These policies were last reviewed on 2024-04-01.

FAQ

What policies are included?

This repository includes:

• Personnel policy
• Risk assessment policy
• Information classification policy
• Third party vendor review policy
• Incident response policy
• Incident response process
• BCP/DR policy
• Access control policy
• Password policy
• Change management policy
• Testing policy
• Patch management policy
• Data retention and deletion policy
• Incident disclosure and notification policy

When does Tailscale review or update these policies?

The Chief Operating Officer is responsible for reviewing and updating security policies on a quarterly basis. See overview of policies.

Why don't you use the stronger security control X for the Y policy?

These policies do reflect the current state of Tailscale's security practices. Are they perfect? Absolutely not. We hope to improve them over time.

Why are these policies in Git?

These policies are in Git for document control, to track what changes were made over time, by whom, and who reviewed and approved those changes.

Why are some links broken, like to the Code of Conduct?

Since these are Tailscale's internal policies, some links to internal documents or resources are only visible to employees.

Why did Tailscale publish these policies?

These policies are published and available under CC0-1.0 in order to:

• Be transparent about where we are in terms of security at Tailscale.
• Help you be inspired by these policies as you complete your own SOC 2 audit or improve your own organization's security.

Can I use these security policies?

Yes! Feel free to be inspired by Tailscale's internal security policies for use in your own organization. These policies are available under CC0-1.0.

Contributing

We do not accept public contributions or issues on this repository. This is because this repository acts as the source of truth for Tailscale's internal policies. If you are a Tailscale user, and have a question or concern about one of these policies, please contact [email protected].

We may consider public comment on proposed changes.

Acknowledgements

@danderson, @rachlubman, @DentonGentry, and @mayakacz, with feedback from Tailscale employees and auditors.

License

Dedicated to the public domain under CC0-1.0 by Tailscale and contributors.