Third party vendor review policy

Tailscale reviews vendor security practices before contracting, and on a regular basis, to ensure vendors properly handle Tailscale’s customer data, confidential data, and other data.

Scope

This policy only applies to vendors or contractors handling Tailscale or its customers’ data.

Schedule

Vendors’ security practices should be evaluated initially as part of their contract review and, for as long as the vendor remains in use, on an annual basis thereafter.

Contractors must read and acknowledge Tailscale’s security policies as part of their onboarding. Contractors must complete Tailscale’s information security training as part of their onboarding and thereafter, while still under contract, on an annual basis.

Vendor assessment

As part of vendor evaluation and contracting, vendors’ security practices should be reviewed to ensure they sufficiently protect Tailscale’s and its customers’ data.

The requirements for a vendor may vary with the risk classification of the assets they are handling (see the Information classification policy), for example sensitive data or access to production resources, and may change during a contract if a vendor’s scope or responsibilities change.

Tailscale will:

  1. Ask vendors for their SOC 2 type II or type I report for an overview of their current security practices. If a SOC 2 report does not exist or where insufficient information is provided, Tailscale will ask the vendor to complete the VSAQ.
  2. Review the vendor’s responses and compare these to Tailscale’s security policies to identify any gaps where the vendor may have weaker policies.
  3. For each notable gap or where insufficient information is provided, Tailscale can: ask the vendor to make a change or provide additional information, implement a mitigating control, or accept the risk. These should be documented in the risk register.

Tailscale will document vendor information, to help in case of a potential incident. This information includes:

  • Vendor name, i.e. Which vendor?
  • Vendor contact information, i.e. How do we contact the vendor? List different contacts for billing, support, and/or security where they apply.
  • Type of data shared, i.e. What types of data from Tailscale does the vendor collect or otherwise have access to?
  • Security report or questionnaire shared by the vendor