Security at Tidra

Security is of paramount importance at Tidra. Our systems were built with security from inception, leveraging our team's extensive experience building and managing cloud-based systems for large enterprises. Below is an outline of our security practices and architecture.

SOC 2

Tidra maintains SOC 2 Type II certification, utilizing enterprise-grade practices and working with independent auditors to validate our security posture.

SOC 2 Report

We work with independent auditors to maintain our SOC 2 report. This report certifies controls that ensure the security, availability, and processing integrity of information and systems, as well as the confidentiality and privacy of the data they process. The Trust Services Criteria, developed by the AICPA's Assurance Services Executive Committee, provide the evaluation framework. Reports are available upon request.

Product Security

Encryption and Hashing

  • All data is encrypted in transit using TLS with strong cipher suites
  • All data is encrypted at rest using AES-256-GCM
  • Encryption keys are managed through AWS Key Management Service (KMS)
  • User passwords are salted and hashed using bcrypt
  • API tokens are hashed using bcrypt and never stored in plaintext
  • Third-party service tokens (e.g., GitHub, GitLab, Slack) are encrypted using AES-256-GCM

Tenant Isolation

Multi-tenant datastores use unique tenant tokens to ensure strict logical segregation of customer data. All processing validates tenant tokens against authentication and access control information.

Threat Modeling

We incorporate threat modeling throughout our design and implementation processes using industry-standard methodologies including STRIDE, PASTA, Persona non Grata, Attack Trees, and CVSS scoring.

Vulnerability Management

Automated scanning covers all libraries and components. Engineering leadership conducts biweekly reviews of operational health, including vulnerability triage. Patches follow criticality-based SLAs and are deployed via continuous deployment.

SSO and SAML

Tidra supports SAML for user authentication, integrating with various identity providers and enabling direct access control. SAML-initiated provisioning can work alongside or replace username/password authentication.

AI Security & Data Protection

Tidra uses AI to power its code maintenance capabilities. We are committed to transparency about how we use AI and how your data is protected throughout the process.

Large Language Model Providers

Tidra utilizes large language models (LLMs) hosted by enterprise-grade organizations such as OpenAI and Anthropic. We carefully evaluate and select LLM providers that meet our quality, performance, security, and data protection requirements.

How Tidra Uses Your Code

Tidra utilizes Transient Scanning to generate insights and code changes. When processing your repository content, Tidra operates within a temporary, secure execution environment. Only the essential context required for the request is extracted, and source code is immediately purged afterwards.

Tidra does not permanently store your proprietary source code in our databases.

Any AI-driven feature that interacts with your repository does so within this transient process, using only the relevant subset of data necessary to achieve the specific functional objective. In some cases, limited artifacts are generated and stored — such as code change diffs for maintenance tasks — but never the full source code.

Model Training

Tidra and its AI Subprocessors do not use Customer Data to train any models. We have contractual agreements in place with our AI Subprocessors that prohibit the use of your source code, repository data, or metadata to train, evaluate, or improve their models.

Data Retention by AI Providers

Our enterprise LLM providers utilize Zero Data Retention (ZDR) APIs. This means that any prompts or context sent to the LLM, and the generated responses, are not retained by the provider after the request is fulfilled.

AI Controls

Tidra AI is an opt-in capability designed with enterprise governance in mind. Administrators maintain control through:

  • Global Toggles: Workspace owners can turn AI features on or off at the organizational level.
  • Targeted Scoping: Administrators can restrict AI scanning to specific repositories, ensuring that highly sensitive repositories are entirely excluded from automated AI inference.

Ownership of AI-Generated Content

Customers retain ownership of their input (repository data) and the generated output (code changes, pull requests) produced by Tidra and our subprocessors.

Operational Security

Access to Customer Data

We enforce the principles of least privilege and need-to-know, limiting access to those with a business requirement. Separate production and staging environments are maintained, with authentication, authorization, and MFA required for production access. Data extraction is prohibited except for customer support requests.

Monitoring and Alerting

Production systems use open-source and commercial tools for security event monitoring. Centralized logging covers API calls, system calls, and authentication failures. Custom rule systems identify anomalous or malicious behavior. A 24/7 on-call team trained in incident handling maintains service ownership.

Data Centers and Physical Security

All infrastructure is hosted on AWS; Tidra maintains no physical servers. AWS data centers hold SOC 1 & 2 and ISO certifications with biometric access, video surveillance, intrusion detection, and two-factor authentication requirements.

Security Training and Awareness

All employees and contractors receive security awareness training during onboarding and annually thereafter. Developers receive additional instruction on secure coding practices (OWASP Top 10). Training is tracked and monitored.

Change Management

Development follows Agile principles with security integrated throughout. Continuous integration employs thousands of automated tests. All code requires peer and management review before production deployment. Infrastructure-as-code uses version control; all changes are logged with authorship, reviewer, and timestamp.

Incident Management

We monitor production systems and maintain 24/7 on-call response. Severity is classified by customer impact and duration, with formal post-mortems and action items after resolution.

Hiring Practices

Pre-employment screening includes employment verification, references, visa verification, and criminal background checks. All personnel sign confidentiality agreements. Device security requires full-disk encryption and strong credentials.

Policies

Tidra maintains internal documentation that is updated regularly and reviewed annually:

  • Device Security and Encryption Policy
  • Data Classification Policy
  • Data Storage and Privacy Policy
  • Third Party Integration Access Requirements
  • Secure Coding Guidelines

Tidra's security posture is documented and monitored and can be requested by contacting us at [email protected].