Tailscale has always been – and will always be – deeply dedicated to data and information security. With that, we are happy to announce that we have successfully completed our 2023 SOC 2 Type II reassessment!
This annual assessment ensures that we have implemented the procedures, policies and controls necessary to meet AICPA’s trust services criteria for security, availability, and confidentiality, and that these processes and controls have been tested to ensure that they are operating effectively.
We completed our Type I audit back in May of 2022 and then did a process improvement speedrun to complete Type II in September of 2022. Neither type is quick to complete on its own, as both required us to produce a lot of documentation and evidence for the auditor.
Since day 1, we have had a solid foundation for our security controls and procedures in place, because security is at the root of what Tailscale offers and just meeting requirements is never enough for us.
The audits are exhausting, and this year’s SOC 2 reassessment audit was more thorough than previous assessments since we made some changes and improvements to our processes and environment.
Our advice to anyone else working on compliance is to document everything: from who you hire to how you build and support your product. Everything is up for evaluation, and this shared responsibility takes a good effort to maintain.
One of the critical lessons learned through this process is the importance of cross-team collaboration. Compliance belongs to everyone. Keeping on top of each department’s processes, and documenting all of it, fosters a culture of accountability. Each department understands they play a role in maintaining regulatory standards, which reduces the risk of compliance gaps or oversights.
Another critical lesson learned is to build a positive working relationship with your auditor. Aprio has been our auditor since our first Type I audit, and we have built up a positive rapport with them, which has made for a more polished process, improved planning, and a better understanding of our product. It’s been especially helpful for getting clarification of requirements (from both parties) as well as for building trust and credibility with them.
We are really proud of the work we have done and continue to do in the security sphere. Our SOC 2 Type II report is now more easily accessible! In the past, people had to sign an NDA to get a copy, but now anyone who has a tailnet can download it. Our Terms of Service cover user access (think of it as an embedded NDA), and we also just don’t want to create unneeded friction between you and your due diligence.
If you have any questions about our latest SOC 2 Type II Audit, or Tailscale security, please contact us today!