Security

Tableau maintains a comprehensive set of IT controls which are regularly audited by independent firms to ensure the company is meeting its compliance obligations. Tableau is in compliance with Sarbanes Oxley and has worked with a certified public accounting firm to perform an in-depth audit of the control objectives and activities for Tableau Online. The control procedures for the Tableau Online service have been verified in a SOC 2 Type II report prepared in accordance with AT Section 101, reporting on controls at a service organization relevant to security and availability and the International Standard on Assurance Engagements (ISAE) No. 3402. Tableau Software, Inc., has certified with the Department of Commerce to participate in the EU-U.S. Privacy Shield Framework (the “Privacy Shield”). Our certification can be found here. For more information about the Privacy Shield please visit, http://www.privacyshield.gov.

Sarbanes-Oxley (SOX)

Service Organization Control (SOC) 2 Report

EU-US Privacy Shield

Requesting A Report

Tableau's SOC 2 report is made available upon request. If interested, please contact your sales representative.

Tableau's SOC 3 report is available for download here: Tableau SOC 3 - July 2018

The Tableau Security team cares deeply about the security of our products and the data that our customers entrust to us. We will thoroughly investigate any reported vulnerability that jeopardizes either. Once a vulnerability is fully investigated and its content addressed, we will work with you to disclose the vulnerability in a way that acknowledges your work and protects our customers.

Please note that this process is for reporting security vulnerabilities in our products. If you have general questions about the security of our products, please see the above security resources section, contact your sales or customer service representative, or visit https://www.tableau.com/about/contact.

How to Report a Vulnerability

To ensure we can quickly evaluate and respond to your vulnerability report as quickly as possible, please ensure it includes the following information:

• Impacted product, with version, build, and OS information if relevant
• Type of vulnerability
• Steps to reproduce
• Evidence supporting the report, e.g. screenshots, console output, etc

To get in touch with us after compiling the above information:

Existing or potential customers

In using or evaluating Tableau, you'll be provided with a designated contact to make sure you have the best experience possible. If you have a vulnerability to report, review the information about what the report should contain and then contact your Tableau pre-sales rep or customer success manager.

Publicly Available Reporting Method

If you believe you've found a security issue with one of our products and are not a Tableau customer, you can send an email to our security alias, security@tableau.com. If you'd like to encrypt your vulnerability report, you can use our PGP key.

Report Evaluation Process

After reporting a vulnerability, you will receive a response from a human within one business day along with a tracking identifier. All vulnerability reports will remain confidential within Tableau and will only shared internally with those who need to know in order to reproduce and fix the issue.

We ask for your patience while we investigate the report and will keep you updated as frequently as there are updates to share. After the report has been evaluated and a fix has been developed, we will work with you to coordinate disclosure in a reasonable timeframe. For the security of our customers and their information, we ask that you not release information about the vulnerability until we've had an opportunity to address the issue.