Security at Tailscale
Thousands of teams trust Tailscale — and that’s in part thanks to our commitment to security and privacy.
No. Devices running Tailscale only exchange their public keys. Private keys never leave the device. All traffic is end-to-end encrypted, always.
No. Tailscale routes traffic over the shortest path possible. In most cases, this is a direct, peer-to-peer connection.
In cases where a direct connection cannot be established, devices will communicate by bouncing traffic off one or more geographically distributed DERP relay servers. Your traffic remains end-to-end encrypted when it passes through a relay server, and Tailscale can’t decrypt it.
Yes. Tailscale encrypts customer metadata in the coordination server at rest using 256-bit AES and in transit using TLS. Customer data is encrypted in transit using WireGuard.
Tailscale backs up customer metadata in the coordination server hourly and tests backups at least annually.
Yes. We work with Latacora to conduct regular security audits. These include traditional assessments, but also monitoring, maturity model review, design review and advisory services. On top of that, we also have peer code reviews, automated static analysis checks, and dependency vulnerability scans.
Tailscale’s infrastructure includes the following:
- A client, run on each of a user’s devices. This is available for many platforms including macOS, Windows, Linux, iOS, and Android.
- A coordination server, which distributes public keys and controls settings for the service. Tailscale’s control plane runs on Linux servers in Amazon Web Services (AWS), in AWS Virtual Private Clouds (VPCs). Coordination server data is stored in SQLite and backed up to AWS S3, with analytics stored in Snowflake.
- Designated Encrypted Relay for Packets (DERP) relay servers, which help clients establish end-to-end encrypted connections where they have trouble connecting directly. Tailscale’s DERP relay servers run on Linux servers in multiple regions on multiple infrastructure providers. Learn more about How Tailscale works.
Yes. Tailscale’s coordination server, which distributes public keys and controls settings, is multi-tenant. It stores only customer metadata and public keys, never customer data or private keys.
Tailscale’s DERP relay servers, which help establish point-to-point connections, are multi-tenant. These only route encrypted customer data, never unencrypted data.
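The two answers above rest on one trust boundary: a device shares only its public key with the coordination server, and a relay forwards only ciphertext. The following Go program is an added illustration of that boundary, not Tailscale or WireGuard code. It assumes stdlib X25519 and AES-GCM as a stand-in for WireGuard's Noise_IK handshake and ChaCha20-Poly1305; a third party holding both public keys (as a relay or the coordination server would) cannot open a packet, and any modification in transit fails authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// sessionAEAD derives a symmetric key from the X25519 shared secret of our
// private key (never shared) and the peer's public key (from the coordination
// server). Illustrative: WireGuard uses Noise_IK and ChaCha20-Poly1305, not this.
func sessionAEAD(priv *ecdh.PrivateKey, peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	return cipher.NewGCM(block)
}

// Seal encrypts one packet for peerPub as nonce||ciphertext||tag: all a DERP relay sees.
func Seal(priv *ecdh.PrivateKey, peerPub, plaintext []byte) ([]byte, error) {
	gcm, err := sessionAEAD(priv, peerPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a packet from peerPub; a wrong key or one flipped bit fails the tag check.
func Open(priv *ecdh.PrivateKey, peerPub, packet []byte) ([]byte, error) {
	gcm, err := sessionAEAD(priv, peerPub)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(packet) < n {
		return nil, errors.New("packet too short")
	}
	return gcm.Open(nil, packet[:n], packet[n:], nil)
}
```

Device keys come from `ecdh.X25519().GenerateKey(rand.Reader)` on each node; only `priv.PublicKey().Bytes()` would be registered with the coordination server.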
In order to provide the service, Tailscale collects device information, including OS, hardware, public IP addresses, network routing information, information on the installed Tailscale client, and other device settings. Tailscale also uses user account information, such as email addresses, to authenticate users to their accounts.
Tailscale collects customer metadata related to connection attempts, authentication, and routing to help us monitor and debug networks.
If you opt out of logging, Tailscale may not be able to provide technical support. To learn how to opt out, see Opting out of client logging.
You cannot limit coordination server logs.
Yes. Tailscale has completed a SOC 2 Type II audit covering AICPA’s trust services criteria for security, availability, and confidentiality. Obtain a copy of the report from our compliance page. Note that the report is confidential, and prospective customers will need to contact support and sign an NDA to access the report.
HIPAA defines controls for securing health information.
As Tailscale does not store customer data, only metadata, Tailscale doesn’t have any services in scope for HIPAA. US-based healthcare customers do not need a business associate agreement (BAA), and Tailscale does not execute BAAs with its US-based healthcare clients.
Tailscale can be a supporting safeguard for your HIPAA-compliant system to provide integrity and encryption for electronic protected health information transmitted over an electronic communications network (HIPAA 45 CFR § 164.312(e)(1)).
PCI DSS defines controls for securing credit card information.
Tailscale does not store credit card information, and instead uses Stripe to securely process transactions. Stripe is certified to PCI DSS Service Provider Level 1, which is the highest level of security certification available in the payments industry.
As Tailscale does not store customer data, only metadata, Tailscale doesn’t have any services in scope for PCI DSS.
Tailscale can be a supporting safeguard for PCI compliance in your cardholder data environment, to encrypt transmission of cardholder data across open, public networks (PCI requirement 4).
Have a security concern about Tailscale?
Get in touch with our security team at firstname.lastname@example.org to disclose any security vulnerabilities.
Upon discovering a vulnerability, we ask that you act to protect our users' information:
- Inform us as soon as possible.
- Test against fake data and accounts, not our users' information.
- Work with us to close the vulnerability before disclosing it to others.