Turbot Security

Ensuring our product meets the robust data security needs of our customers is a top priority at Turbot; it is vital our customers have confidence in the security of our solutions. Our goal is to continually earn our customer's trust. We do this by leveraging industry standard security solutions and best practices. We are continuously iterating on our processes and product with the latest security features to stay ahead of the ever-changing and evolving security best practices and enterprise customer requirements. Our commitment to meet and exceed these data security, privacy and compliance needs of our customers is core to our business and a shared value across our employees. If you have any security, compliance or privacy questions, please contact us at security@turbot.com.

Service Organization Control (SOC)

Deep external audit which closely examines our company's information systems, processes and policies managing services to ensure they meet five principles of trust established by the American Institute of CPAs (AICPA): security, availability, processing integrity, confidentiality, and privacy. SOC certification is awarded to businesses who demonstrate their ability to meet the institute's high standards in each of those categories audited by a AICPA-certified third party auditor. Our auditors perform our SOC audits annually each April. The auditors prepare their audit report which is then released each May. Under NDA, to request a copy of Turbot's SOC2 report, please contact your Account Lead or email security+soc@turbot.com.

SOC 2 Type 2

For Turbot Guardrails and Turbot Pipes, Turbot has completed a SOC 2 Type II to validate our information security system controls.

SOC 3

Turbot maintains a SOC 3 report which is the public, summarized version of the SOC 2 report. You can download the latest report here.

Center for Internet Security (CIS) Benchmark Certification

Turbot has been recognized as a Center for Internet Security (CIS) SecureSuite member, receiving a CIS Benchmark Certification for our Turbot Guardrails Cloud and Turbot Enterprise (Turbot Guardrails Enterprise) software. Turbot obtained our CIS Benchmark Certification by using our own software to prove the requirements for the Certification.

General Data Protection Regulation (GDPR)

We firmly support GDPR in both practice and philosophy. We work with our customers in the European Economic Area to assure compliance with personal data handling requirements and cross-border transfer requirements under GDPR guidelines. As a processor, we process data on behalf of our customers. We expect that some of our customers will require us to enter into a data processing addendum ("DPA"), per Article 28 of GDPR. Turbot uses several subprocessors, but the majority of our obligations hinge on our primary subprocessors: Amazon Web Services (AWS) and Google Cloud Platform (GCP). More information is in our privacy policy.

California Consumer Privacy Act (CPRA)

Turbot will support any removal request from any state/country as long as it is valid and made by a qualified party. Please email us at privacy@turbot.com for any requests.

Data Privacy Framework (formally Privacy Shield)

Turbot participates in, and complies with, the EU-U.S. Data Privacy Framework Principles, UK Extension to the EU-U.S. Data Privacy Framework Principles, and Swiss-U.S. Data Privacy Framework (DPF) Principles as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. For more information about the DPF program, and to view Turbot's certification, please review our privacy policy and visit Data Privacy Framework.

Responsible Disclosure

We appreciate the efforts of security researchers who help improve the security of our services. If you believe you have discovered a potential vulnerability, please notify us by emailing security@turbot.com. We will acknowledge your report within one week and work with you to resolve critical issues as quickly as possible.

Please follow these guidelines when reporting:

  • Provide us a reasonable time to address the issue before public disclosure.
  • Avoid actions that could compromise user privacy, disrupt services, or destroy data.
  • Do not engage in denial-of-service attacks, social engineering, or attacks on physical or virtual infrastructure.

Please note that we do not accept reports for vulnerabilities solely affecting our marketing website (https://www.turbot.com), as it contains no sensitive data.

At this time, Turbot does not offer a monetary incentive or bug bounty program. However, we appreciate responsible reports and will work collaboratively to address security concerns. Thank you for helping keep Turbot and our users secure!

If you have any security, compliance or privacy questions, please contact us at security@turbot.com.