Tagup Cybersecurity

Tagup’s cloud infrastructure leverages Amazon AWS, a leader in cloud security as rated by Forrester Research. AWS is ISO 27001 and SOC 1 Type II certified.

Network appliances, encompassing firewalls and other border devices, are positioned to supervise and manage communication at the external periphery of the network, as well as crucial internal boundaries within the network. To govern the flow of data to particular information system services, these border devices utilize rule sets, access control lists (ACLs), and specific configurations.

Tagup operates on a safe, multi-tenant cloud structure with logical partitioning of data. The data from each client is logically divided across various databases, necessitating authentication checks for every access attempt at both the application and data levels for any tenant's information. This logical division guarantees that data exclusively belongs to one client. The necessary verification procedures at both the application and data layers make certain that the data is entirely isolated by customer and the accounts created for that client.

Tagup utilizes a Virtual Private Cloud to ensure resource segregation and to shrink the potential area vulnerable to attacks. The services of Tagup are secured by firewalls based on IP and port. The access to the administrative side of Tagup's infrastructure is tightly controlled and authenticated through a public key (RSA). The threat of Distributed Denial of Service (DDoS) attacks is reduced using elastic load balancing and resilient DNS services.

When a storage device housing customer information has exhausted its lifecycle, it undergoes a decommissioning procedure intended to prevent unauthorized access to the data. The process of data destruction follows the guidelines set out in DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization"). As part of industry-standard practices, all decommissioned magnetic storage devices are degaussed and physically eliminated to ensure complete data erasure.

Tagup recognizes the importance of securing your data from the device to the dashboard. Our gateways are designed and tested to prevent unauthorized access and interference, including through the following safeguards:

‍Command Safe List
Tagup’s gateways allow only a pre-approved range of commands to be sent to equipment controls. This avoids malicious or otherwise unwanted outcomes and maintains safe operations.

‍Hardware-Level Verification
‍Tagup gateways are designed with robust security measures that prevent them from functioning if an attempt is made to execute harmful code remotely. They employ asymmetric cryptographic digital signatures with a public key for verification, along with on-device tamper safeguards to enhance security.

‍Penetration Tests
‍Tagup integrates its gateways into its yearly penetration tests. Any issues found during these tests are promptly categorized, prioritized, and resolved to ensure the maintenance of security standards.

Tagup ensures that data, whether it's being captured, stored, or processed, is by default encrypted. This applies when the data is in transit over public networks or when it's at rest in the Tagup cloud. More specifically:

‍Data in Transit
Tagup uses the latest recommended secure protocols to secure traffic in transit, including TLS 1.2, AES256 encryption, and signatures.

‍Data at Rest
Tagup ensures the encryption of data at rest within its production network, which includes systems like relational databases, file stores, and backups among others. It adheres to industry standards for key storage, utilizing AWS's Key Management Service. Tagup also employs robust safety measures for the creation, storage, retrieval, and eradication of sensitive information such as encryption keys and service account credentials.

‍Secure Dashboard
‍Accessing your operations in the Tagup cloud through the Tagup web application and API necessitates the use of secure, TLS-encrypted connections for all application data transfer.

The System and Organization Controls (SOC 2) is a reputable attestation report provided to a company following an audit of its internal operations. This report details the mechanisms and procedures that Tagup has established to secure customer data and maintain system availability.

Tagup's SOC 2 Type 2 report outlines our software infrastructure and the procedures we've implemented to ensure the safety and accessibility of our customers' data. The report covers processes such as employee onboarding and termination, internal access controls to production environments, and procedures for disaster recovery, data backup, and incident response. The report was issued by Johanson Group LLP, a licensed and independent certified public accountant firm.

If you are a current or potential Tagup customer interested in reviewing this report, please reach out to your account representative to request a copy.

Penetration Testing
‍Beyond our regular compliance audits, Tagup also commissions independent entities to perform penetration tests at the application, infrastructure, and hardware levels on an annual basis at minimum. The findings from these tests are presented to senior management and are systematically evaluated, ranked, and addressed promptly. If customers wish to review executive summaries of these activities, they can request them from their account executive.

Tagup's service operates on a distributed system designed to distribute computation and data across multiple physical servers. Each customer's data is duplicated across numerous servers and storage devices, ensuring that a hardware failure doesn't affect service availability or the integrity of customer data. Network connections are diversely routed across multiple providers to ensure internet access resilience.

Our data centers come equipped with advanced fire detection and suppression systems, including protections like wet-pipe, double-interlocked pre-action, or gas-based sprinkler systems. The power systems within the data centers are designed to offer full redundancy, operating round-the-clock without affecting the operations. In case of an electrical failure, Uninterruptible Power Supply (UPS) units ensure continuous power supply for critical and essential loads in the facility. Backup power for the entire facility is provided by generators.

To prevent overheating and the subsequent risk of service interruptions, climate control is vital in maintaining a constant operating temperature for servers and other hardware. Data centers are designed to sustain optimal atmospheric conditions. Both personnel and automated systems work to monitor and control temperature and humidity at suitable levels.

Tagup is engineered for quick failover in case of a hardware failure or natural disaster. Moreover, Tagup sensors and gateways are fitted with on-board storage that can locally save data during a cloud service interruption, automatically uploading the buffered data when service resumes.

Tagup offers administrative tools to safeguard your organization's data. These tools include user management with email verification, audit logs for authentication, and two-factor authentication. In addition, Tagup imposes strong user authentication where data access demands authentication via Tagup’s centralized server, ruling out the use of default passwords or shared secrets.

Internally, Tagup limits access to customer data following the principles of minimum privilege and duty segregation. Role-based access privileges are used to grant access to critical systems. Additionally, Tagup employs a log monitoring system to keep track of events for vital systems, enabling rapid detection of abnormal or unauthorized login attempts, configuration changes, or security group management events.

Tagup is committed to maintaining the utmost security standards for our platform and actively collaborates with the security community. Our vulnerability disclosure policy is designed to offer a conduit for external researchers to identify and address security concerns. We encourage security researchers to responsibly locate and report any vulnerabilities they discover within our system. However, it's important to note that any actions that could potentially harm Tagup or its customers are strictly forbidden by Tagup. This includes accessing, destroying, corrupting data or information not owned by them, or attempting to do so. Additionally, social engineering attempts targeting any Tagup customer or employee are expressly prohibited.

Reporting security issues
If you have a security concern, contact support@tagup.io.