Tint Platform Security and Data Protection

We understand intrinsic risk and take users' data security very seriously. Tint has implemented appropriate administrative, physical, and technical safeguards to mitigate inherent risks to the security and integrity of the Tint Platform. These safeguards include information security policies, procedures, and controls that face constant review and updating to ensure they remain effective against potential threats.

If you believe you have discovered a vulnerability in the Tint Platform, please report it to us immediately at security@tint.ai. We will respond promptly and work to address the issue as quickly as possible. Please do not publicly disclose the vulnerability until we have had the opportunity to investigate and address it.

Although we do not have a formal bug bounty program, we value responsible disclosure. We may provide a symbolic gift, such as Amazon gift cards or branded equipment, as a gesture of appreciation.

Tint mitigates inherent risks by leveraging AWS's secure and efficient infrastructure to gather, store, process, and protect customer data. Under the AWS Shared Responsibility Model, physical access to servers and protection of underlying infrastructure, hardware, software, and facilities are AWS's responsibility. Tint secures applications, manages identities and access, and configures infrastructure on AWS. Customer data is encrypted at rest and is hosted on strictly isolated production networks and environments separate from staging/development environments. Access to production and change management is restricted to authorized personnel only, following the Principle of Least Privilege, and access to the production environment is granted nominatively upon justified request.

To address intrinsic risks, Tint Platform ensures the confidentiality and protection of customer data in transit and at rest. Data submitted by authorized users is considered confidential and cannot exit the Tint production service environment except in limited circumstances.

Tint uses Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS) to safeguard all data transmitted between Tint and its users. The platform becomes inaccessible if encrypted communication is interrupted.

Access to Customer Data is limited to those with a business requirement to do so, with multiple layers of access controls for administrative roles and privileges. Authentication and authorization controls, including Multi-Factor Authentication (MFA), is required to access environments containing Customer Data, and accesses are reviewed quarterly.

Tint ensures the integrity and confidentiality of administrative credentials and access mechanisms, with full-disk encryption and unique credentials for workstations. Critical infrastructure is monitored for security-related events, and activity data is logged and analyzed with custom rules designed to identify malicious or unapproved behavior. Tint's Security Incident Response team is alerted directly via an orchestration platform.

A Third-Party Penetration Test is performed at least once a year.

Tint offers an AICPA System and Organization Controls (SOC) 2 report for the Tint Platform.

The reports are available on-demand. Please contact security@tint.ai to receive the report.