Security reigns supreme here at Tidelift. Because we are in the business of helping your organization ensure its supply chain is secure and well-maintained, we abide by many of the same open source security standards we recommend to our customers.
We put a lot of effort into upstream efforts such as coordinating with MITRE and NVD for vulnerability disclosure; working with OpenSSF to integrate broader metrics about the security stance of projects via the security scorecard project; checking to ensure that maintainers use two-factor authentication for both their source repository and their package managers—just to name a few!
In addition, we also care a lot about ensuring that the Tidelift platform is secure and that our customers can feel confident in our security approaches and practices. Many of our customers are in regulated environments and we want to ensure that we don’t jeopardize their compliance needs. That’s why I’m happy to announce that we’ve recently completed our SOC 2 Type 2 examination.
SOC 2 reports focus on examining the internal controls of an organization to ensure that they meet its service commitments and system requirements based on criteria established by the American Institute of Certified Public Accountants (AICPA). By having this examination done, Tidelift affirms and shows on an ongoing basis, through an independent auditor, that we adhere to one of the most stringent and industry-accepted compliance frameworks and that our processes are properly designed and operate as intended.
The SOC 2 report shows how we manage data for our end users, giving a common understanding of how we handle your data, mitigate cyber risk, and support compliance with various privacy regulations. In addition to reporting on what our processes are, it also assesses the effectiveness of these controls over a multi-month period. This helps Tidelift and our customers know that our practices continue to work even as threats evolve. While much of this work is simply continuing practices we have followed since Tidelift began, we know it is important to make this clear to you, and we will continue to take this and other steps to ensure that we are running a secure and stable SaaS offering.
If you have questions or need a copy of our SOC 2 report, you can always contact us at firstname.lastname@example.org.