At Tableau, our mission is to help people see and understand their data. In support of this mission, it is vital our customers have confidence in the security of our solutions. Our goal is to continually earn our customers' trust. We do this by leveraging industry standard security solutions and best practices, keeping our customers well informed, and quickly responding to security issues when they arise.
Tableau Online Compliance
Tableau maintains a comprehensive set of IT controls which are regularly audited by independent firms to ensure the company is meeting its compliance obligations. Tableau has worked with a certified public accounting firm to perform an in-depth audit of the control objectives and activities for Tableau Online. The control procedures for the Tableau Online service have been verified in a SOC 2 Type II report prepared in accordance with the attestation standards established by the American Institute of Certified Public Accountants (AICPA) and in accordance with the International Standard on Assurance Engagements (ISAE) No. 3402. Tableau Online is incorporated into Salesforce’s Data Processing Addendum and the scope of Salesforce’s Processor Binding Corporate Rules (BCRs). Salesforce achieved BCR approval in 2010 and provides the highest level of contractual privacy protections in the industry to Tableau customers. Binding Corporate Rules are company-specific data protection policies that are widely viewed as the “gold standard” of EU personal data transfer mechanisms.
Requesting A Report
Tableau's SOC 2 report is made available upon request. If interested, please contact your sales representative.
Tableau's SOC 3 report is available for download here: Tableau SOC 3 Report 03-31-20.
Tableau Security Resources
To help you be better informed of the security features of our products, we've compiled a list of helpful resources.
- Tableau Secure Software Development Whitepaper
- Tableau Online Security Whitepaper
- Cloud Security Alliance Self-Assessment
- Tableau Server Platform Security Whitepaper
- Tableau Server Administrator Guide - Security Section
- User Filters and Row-Level Security
- Obtaining an SSL Certificate for Tableau Server
The Tableau Security team cares deeply about the security of our products and the data that our customers entrust to us. We will thoroughly investigate any reported vulnerability that jeopardizes either. Once a vulnerability is fully investigated and its content addressed, we will work with you to disclose the vulnerability in a way that acknowledges your work and protects our customers.
Please note that this process is for reporting security vulnerabilities in our products. If you have general questions about the security of our products, please see the above security resources section, contact your sales or customer service representative, or visit https://www.tableau.com/about/contact.
How to Report a Vulnerability
To ensure we can quickly evaluate and respond to your vulnerability report as quickly as possible, please ensure it includes the following information:
- Impacted product, with version, build, and OS information if relevant
- Type of vulnerability
- Steps to reproduce
- Evidence supporting the report, e.g. screenshots, console output, etc
To get in touch with us after compiling the above information:
Existing or potential customers
In using or evaluating Tableau, you'll be provided with a designated contact to make sure you have the best experience possible. If you have a vulnerability to report, review the information about what the report should contain and then contact your Tableau pre-sales rep or customer success manager.
Publicly Available Reporting Method
If you believe you've found a security issue with one of our products and are not a Tableau customer, you can send an email to our security alias, firstname.lastname@example.org. If you'd like to encrypt your vulnerability report, you can use our PGP key.
Report Evaluation Process
After reporting a vulnerability, you will receive a response from a human within one business day along with a tracking identifier. All vulnerability reports will remain confidential within Tableau and will only shared internally with those who need to know in order to reproduce and fix the issue.
We ask for your patience while we investigate the report and will keep you updated as frequently as there are updates to share. After the report has been evaluated and a fix has been developed, we will work with you to coordinate disclosure in a reasonable timeframe. For the security of our customers and their information, we ask that you not release information about the vulnerability until we've had an opportunity to address the issue.
All security-related notifications will be announced to our customers via the Security Bulletins community page at https://community.tableau.com/s/security-bulletins. This page also includes information about our response to Internet-wide security vulnerabilities that impact Tableau products, release notes about security bug fixes and disclosed vulnerabilities, and anything else that our customers should know about.