Tembo Trust Center
Tembo is in compliance with security best practices, has implemented and is monitoring comprehensive controls, and maintains policies to outline its security procedures.
Compliance
Resources
SOC 2 Type I Report
Consent Withdrawal Policy
Binding Corporate Rules (BCRs) Policy
Change Management Policy
Statement of Applicability
Controls
ePHI policy accessibility evidence
Remote access tool
Access restricted to modify infrastructure
Source code access restricted and changes logged
Access control procedures
Data encrypted at rest
Secure disposal of electronic media containing sensitive data (PII, ePHI, etc.)
Customer data deleted after termination
Data protection policy
Data transfers covered by approved safeguards
Secure connection means utilized
External Attack Surface Vulnerability Scanning & Remediation
Web application firewalls configuration
Code of Conduct acknowledged by employees
Source code changes tested and approved
SSL/TLS certificates for infrastructure
Anti-malware monitoring
Intrusion detection tool
Automated system capacity and performance monitoring
Centralized Log Collection and Monitoring
Business continuity & disaster recovery plans documented and tested
Security incident logging and review
Incident response and breach notification policy
Breach notification communication
Visitor sign-in, badging, and escort policy
Internal GDPR compliance assessments performed
Binding corporate rules policy
Automated decision-making policy
Technology assets inventoried
Annual risk assessments performed
Documented Vendor Management Program
Vendor list
Vendor termination
Vendor onboarding
Consent for processing captured via explicit opt-in mechanisms
Age verification and parental/guardian consent process enforced
Media disposal training
Confidentiality Agreement acknowledged by employees
List of newly hired employees & contractors
Security awareness training implemented
Employee handbook
Records of Processing Activities (RoPA) maintained
Multi-availability zones
Asset register maintained
Whistleblower mechanism maintained
Documentation available to internal and external users
Risk management program
Risk and Governance Executive Committee meeting minutes
Lawful basis assessment
Legitimate interest assessment
Key management services used
Mobile device management tool configurations
Ticketing tool
Security-related roles
Internal communication for changes in roles