Our security policies

Tailscale has several security policies in place to properly identify, respond to, and mitigate potential security risks. All employees, vendors and contractors working with Tailscale must follow these policies in order to best protect Tailscale’s and its customers’ data.

We’ve published these publicly for transparency, so that you can see where we are in terms of security maturity. We also hope you use these to adopt similar policies and processes at your organization.

Since these are our internal policies, some links to internal documents or resources are only visible to employees.

Get policies on GitHub →

Security policy ownership

All security policies are owned by the Chief Operating Officer (COO). The Security Review Team (members in Engineering, Product and Operations) are responsible for reviewing the policies.

The Chief Operating Officer and the Security Review Team are responsible for implementing the processes and controls laid out in the security policies, and pulling in other employees as needed.

Schedule

The Chief Operating Officer is responsible for reviewing and updating security policies on a quarterly basis.

List of policies

Personnel policy

See policy →

Risk assessment policy

See policy →

Information classification policy

See policy →

Third party vendor review policy

See policy →

Incident response process

See policy →

Incident disclosure and notification policy

See policy →

Incident response policy

See policy →

BCP/DR policy

See policy →

Access control policy

See policy →

Password policy

See policy →

Change management policy

See policy →

Testing policy

See policy →

Patch management policy

See policy →

Data retention and deletion policy

See policy →