Security Overview

We are committed to keeping your data secure at Tability. Privacy and reliability are at the core of our services, and we use proven cloud providers to ensure the safety of your data.


We ensure to the best of our ability that we are delivering products that are free from security defects. Additionally, we support a number of security focused features to help keep your data safe:

  • Encryption: All data in transit is secured with Transport Level Security (TLS) and all API and client communications (web and mobile) require HTTPS connections. All customer data is encrypted at rest including: email addresses, passwords, API keys and 3rd party integration keys.

  • Authentication: All Tability workspaces support both 2FA access and SSO through Google Apps. You can also enforce the use of SAML authentication to manage access to your workspace.

  • IP and email domain restrictions: Customers on the Premium plans can restrict access to their workspace to specific IPs or email domains.

  • Permanent deletion: Users can delete data related to their account and workspace if they have the correct permissions. Data can be restored for up to 7 days before it is permanently deleted, and it can take up to 14 days for all data to be deleted from our systems.

Infrastructure & Operational Practices

Tability's backend is hosted on Heroku. Heroku's physical infrastructure is hosted and managed within Amazon's secure data centres and utilises the Amazon Web Service (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

Tability's web application is hosted on Netlify and we're using Cloudflare as a CDN.

For more specific details regarding Heroku security, please refer to

For more specific details regarding AWS security, please refer to

For more specific details regarding Netlify security, please refer to

For more specific details regarding Cloudflare security, please refer to

  • Hosting and storage: Tability services and data are hosted in the United States.

  • Vulnerability scanning: We run automated vulnerability scans as part of our continuous delivery process.


We use Heroku's Continuous Protection to backup customer data, which allows us to restore the database any point of time in the past 4 days. We also do daily logical backups retained for the last 7 days

Data Encryption and Retention

All data, including backups, is encrypted at-rest using AES-256 encryption.

Data is encrypted while moving between us and the browser with Transport Level Security (TLS) 1.2.

Users can delete their entire Tability workspace if they have the correct access rights. This will delete all data that you have provided to Tability. It can take up to 60 days for all data to be removed from backups.

Following the cancellation of a Tability subscription, you will have at least 30 days to download your customer data from Tability. After this period, we have no obligation to maintain or provide any customer data to you. We may delete all customer data provided to us after this period.

Tability reserves the right to, upon prior written notice to Customer, delete accounts for Free subscriptions (and all Customer Data contained therein) that have been inactive for more than 180 days.


We strive for a 99.9% uptime across all our products and to support that, we host our monitoring and logging systems outside of our production to ensure continuity of reporting if our systems are impacted by an incident.

You can monitor the status of our services at


  • PCI DSS: All payments made to us go through our payments provider, Stripe. Details about their security setup and PCI compliance can be found on Stripe’s security page.

Security Controls

  • Software development: Tability's software development practices follow OWASP's guidelines, protecting against common attacks.

  • Immutable infrastructure: We do not make changes to live code or production servers. We treat our infrastructure as code whenever possible, and changes go through automated testing and deployment processes.

  • Continuous delivery: We use continuous integration and automated deployments to build, test and release code multiple times a day.

  • Incident response: We have monitoring tools in place to notify the team of any security or availability incidents immediately. These monitoring tools are hosted independently from our production systems.

  • Access to customer data: Sensitive customer data can only be accessed by a selected group of individuals on our team. If it's necessary for the team to access sensitive customer data, we will only do so only after receiving written permission from the customer via email.

MDM enrollment for employee devices

All employees use a company issued laptop managed via a MDM (Kandji) to automate security and compliance.

Penetration testing

Tability runs yearly penetration tests performed by an independent security research team.

Vulnerability disclosure

We have an open vulnerability disclosure program detailed here.

Contact us

If you have any questions, please email us at [email protected]

Last updated