
Security at Tailscale

Thousands of teams trust Tailscale — and that’s in part thanks to our commitment to security and privacy.

SSO and MFA
Tailscale relies on your existing identity provider to authenticate users, and automatically uses authentication settings like MFA.
Access Control Lists
ACLs allow you to define which users can connect to which devices in your network.
End-to-end encrypted
Tailscale is built on top of WireGuard®, a modern VPN that provides end-to-end encryption between devices. Tailscale cannot read your traffic.
SOC 2
Tailscale has implemented procedures and policies in line with AICPA's trust services criteria.
Latacora Audits
Tailscale works with Latacora, a security firm that specializes in information security, to conduct security audits.
Security Bulletins
Tailscale publishes security bulletins to disclose security issues in our product.

Security FAQs

No. Devices running Tailscale only exchange their public keys. Private keys never leave the device. All traffic is end-to-end encrypted, always.

No. Tailscale routes traffic over the shortest path possible. In most cases, this is a direct, peer-to-peer connection.

In cases where a direct connection cannot be established, devices will communicate by bouncing traffic off one or more geographically distributed DERP relay servers. Your traffic remains end-to-end encrypted when it passes through a relay server, and Tailscale can’t decrypt it.

Tailscale allows you to connect your computer to other devices logged in to the same Tailscale network. Only devices that are permitted to access your computer as defined in ACLs can initiate connections to your computer. You can also locally block incoming connections to your device.

Yes. Tailscale encrypts customer metadata in the coordination server at rest using 256-bit AES and in transit using TLS. Customer data is encrypted in transit using WireGuard.

Tailscale backs up customer metadata in the coordination server hourly and tests backups at least annually.

Yes. We work with Latacora to conduct regular security audits. These include traditional assessments, but also monitoring, maturity model review, design review and advisory services. On top of that, we also have peer code reviews, automated static analysis checks, and dependency vulnerability scans.

Tailscale’s infrastructure includes the following:

Yes. Tailscale’s coordination server, which distributes public keys and controls settings, is multi-tenant. This only stores customer metadata and public keys, not data or private keys.

Tailscale’s DERP relay servers, which help establish point-to-point connections, are multi-tenant. These only route encrypted customer data, never unencrypted data.

In order to provide the service, Tailscale collects device information, including OS, hardware, public IP addresses, network routing information, information on the installed Tailscale client, and other device settings. Tailscale also uses user account information, such as email addresses, to authenticate users to their accounts.

See our Privacy Policy for more details on how we collect and use personal information.

Tailscale collects customer metadata related to connection attempts, authentication, and routing to help us to monitor and debug networks.

If you opt out of logging, Tailscale may not be able to provide technical support. To learn how to opt out, see Opting out of client logging.

You cannot limit coordination server logs.

Yes. Tailscale has completed a SOC 2 Type II audit covering AICPA’s trust services criteria for security, availability, and confidentiality. Obtain a copy of the report from our compliance page. Note that the report is confidential, and prospective customers will need to contact support and sign an NDA to access the report.

HIPAA defines controls for securing health information.

As Tailscale does not store customer data, only metadata, Tailscale doesn’t have any services in scope for HIPAA. US-based healthcare customers do not need business associate agreements (BAAs) with Tailscale, and Tailscale does not execute them.

Tailscale can be a supporting safeguard for your HIPAA-compliant system to provide integrity and encryption for electronic protected health information transmitted over an electronic communications network (HIPAA 45 CFR § 164.312(e)(1)).

PCI DSS 4.0 defines controls for securing credit card information and requires eligible merchants to complete the SAQ A form to demonstrate compliance.

Tailscale does not store credit card information, and instead uses Stripe to securely process transactions. Stripe is certified to PCI DSS Service Provider Level 1, which is the highest level of security certification available in the payments industry.

As Tailscale does not directly store or process credit card information, Tailscale doesn’t have any services in scope for PCI DSS. However, under the PCI DSS 4.0 requirements, Tailscale has completed the SAQ A form to ensure that our service provider, Stripe, is PCI-compliant and contractually obligated to handle all PCI obligations.

Have a security concern about Tailscale?

Get in touch with our security team at security@tailscale.com to disclose any security vulnerabilities.

Upon discovering a vulnerability, we ask that you act in a way to protect our users' information:

  • Inform us as soon as possible.
  • Test against fake data and accounts, not our users' information.
  • Work with us to close the vulnerability before disclosing it to others.

Tailscale does not have a bounty program.
