At Tableau, our mission is to help people see and understand their data. In support of this mission, it is vital our customers have confidence in the security of our solutions. Our goal is to continually earn our customers' trust. We do this by leveraging industry-standard security solutions and best practices, keeping our customers well informed and quickly responding to security issues when they arise.
Tableau maintains a comprehensive set of IT controls which are regularly audited by independent firms to ensure the company is meeting its compliance obligations. Tableau is in compliance with Sarbanes Oxley and has worked with a certified public accounting firm to perform an in-depth audit of the control objectives and activities for Tableau Online. The control procedures for the Tableau Online service have been verified in a SOC 2 Type II report prepared in accordance with AT Section 101, reporting on controls at a service organisation relevant to security and availability and the International Standard on Assurance Engagements (ISAE) No. 3402. Tableau Software, Inc., has been certified with the US Department of Commerce to participate in the EU-US Privacy Shield Framework (the “Privacy Shield”). Our certification can be found here. For more information about the Privacy Shield please visit, http://www.privacyshield.gov.
Requesting a report
Tableau's SOC 2 report is made available upon request. If interested, please contact your sales representative.
Tableau's SOC 3 report is available for download here: Tableau SOC 3 – July 2018
Tableau security resources
To help you be better informed of the security features of our products, we've compiled a list of helpful resources.
- Tableau secure software development white paper
- Tableau Online security whitepaper
- Cloud Security Alliance self-assessment
- Tableau Server platform security white paper
- Tableau Server Administrator Guide – Security section
- User filters and row-level security
- Obtaining an SSL certificate for Tableau Server
The Tableau security team care deeply about the security of our products and the data that our customers entrust to us. We will thoroughly investigate any reported vulnerability that jeopardises either. Once a vulnerability is fully investigated and its content addressed, we will work with you to disclose the vulnerability in a way that acknowledges your work and protects our customers.
Please note that this process is for reporting security vulnerabilities in our products. If you have general questions about the security of our products, please see the above security resources section, contact your sales or customer service representative, or visit https://www.tableau.com/en-gb/about/contact.
How to report a vulnerability
To ensure we can evaluate and respond to your vulnerability report as quickly as possible, please ensure that it includes the following information:
- Impacted product, with version, build and OS information if relevant
- Type of vulnerability
- Steps to reproduce
- Evidence supporting the report, e.g. screenshots, console output, etc
To get in touch with us after compiling the above information:
Existing or potential customers
In using or evaluating Tableau, you'll be provided with a designated contact to make sure you have the best experience possible. If you have a vulnerability to report, please review the information about what the report should contain and then contact your Tableau pre-sales rep or customer success manager.
Publicly available reporting method
If you believe you've found a security issue with one of our products and are not a Tableau customer, you can send an email to our security alias, email@example.com. If you'd like to encrypt your vulnerability report, you can use our PGP key.
Report evaluation process
After reporting a vulnerability, you will receive a response from a human within one business day along with a tracking identifier. All vulnerability reports will remain confidential within Tableau and will only be shared internally with those who need to know in order to reproduce and fix the issue.
We ask for your patience while we investigate the report and will keep you updated as frequently as there are updates to share. After the report has been evaluated and a fix has been developed, we will work with you to coordinate disclosure within a reasonable timeframe. For the security of our customers and their information, we ask that you not release information about the vulnerability until we've had an opportunity to address the issue.
All security-related notifications will be announced to our customers via the Security Bulletins community page at https://community.tableau.com/s/security-bulletins. This page also includes information about our response to Internet-wide security vulnerabilities that impact Tableau products, release notes about security bug fixes and disclosed vulnerabilities, and anything else that our customers should know about.