Merged
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ _Since these are our internal policies, some links to internal documents or reso

This repository is the source of truth for the policies available at https://tailscale.com/security-policies/.

These policies were last reviewed on 2025-04-07.
These policies were last reviewed on 2026-01-12.

### FAQ

Expand Down
24 changes: 17 additions & 7 deletions access-control/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,8 @@ weight: 7
last_updated: 2025-04-07
---

### Purpose

Tailscale limits access control based on job requirements, following the principle of least privilege.

### Scope
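
Review bot: The front matter still reads `last_updated: 2025-04-07` (unchanged context at the top of this hunk) although this change edits the policy text and the README now says the policies were last reviewed on 2026-01-12. Suggest bumping `last_updated` here and in the other policy files touched by this change, or noting in the README that the two dates track different things.
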
Expand All @@ -15,26 +17,34 @@ This policy applies to Tailscale’s internal systems, including its production

This policy applies throughout the entire lifecycle of employee, contractor, or vendor access, from onboarding of new individuals who need access, to the removal of existing individuals who no longer need access.

### Access to internal systems
### Policy

#### Access to internal systems

Where possible, access policies are enforced by technical measures.

Tailscale should implement monitoring on its systems where possible, to record logon attempts and failures, successful logons and date and time of logon and logoff. Activities performed as administrator are logged where it is feasible to do so.
Tailscale must implement monitoring on its systems where possible, to record logon attempts and failures, successful logons and date and time of logon and logoff. Activities performed as administrator are logged where it is feasible to do so.

Personnel that require access to systems must submit a ticket for review and approval by a manager or a member of the Security Team to provision access.

Personnel who have administrative system access should use other less powerful accounts for performing non-administrative tasks.
Personnel who have administrative system access must use other less powerful accounts for performing non-administrative tasks.

Where possible, more than one person must have full rights to any critical piece of infrastructure serving or storing production services or customer data.

### Granular access controls
#### Granular access controls

Tailscale systems must have sufficient granularity to allow appropriate authorized access. There is a delicate balance between protecting the data and permitting access to those who need to use the data for authorized purposes. Tailscale recognizes that balance.
Tailscale systems must have sufficient granularity to allow appropriate authorized access and all access requests require approval from the Security team. There is a delicate balance between protecting the data and permitting access to those who need to use the data for authorized purposes. Tailscale recognizes that balance.

### End user devices
#### End user devices

Employees, contractors, and vendors are responsible for safe handling and storage of Tailscale-provided end user devices. If a device is lost or stolen, the loss must be immediately reported as an incident.

### Changing roles or responsibilities
#### Changing roles or responsibilities

Terminated employees must have their accounts disabled within 1 business day of transfer or termination.

Transferred employee access is reviewed and adjusted as found necessary. Since there could be delays in reporting changes in user responsibilities, periodic user access reviews are conducted by the Security Review Team.

### Roles and responsibilities

Tailscale’s Security team is responsible for administering access to systems and reviewing and updating the Access Control process on an annual basis.
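
Review bot: The clause added under "Granular access controls" ("all access requests require approval from the Security team") conflicts with the unchanged paragraph under "Access to internal systems", which allows review and approval "by a manager or a member of the Security Team". Pick one approver rule and state it in one place; if manager approval is no longer sufficient, update the earlier paragraph in the same change.
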
18 changes: 12 additions & 6 deletions bcp-dr/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,20 +7,20 @@ weight: 6
last_updated: 2025-04-07
---

### Context
### Purpose

Tailscale’s customers are dependent on our services operating as normal. Proper planning, monitoring, and recovery steps are critical to address incidents that may impact the integrity or availability of services and data is critical to the operation of Tailscale. Business Continuity and Disaster Recovery is a set of processes and techniques used to help an organization recover from a disaster and resume routine business operations.

### Scope

The following minimum standards apply to Tailscale’s assets as managed by employees, contractors and vendors. These include but are not limited to: cloud service providers, cloud regions, major components within cloud regions, key vendors (those included in our [vendor assessment](/security-policies/vendor/), and key open-source components.

### Schedule
### Policy

Tailscale reviews its backups, and any BCP/DR plans annually with a walkthrough exercise. Tailscale tests its ability to restore production data at least annually.


### Backups
#### Backups

Tailscale regularly reviews backups and service redundancy to ensure they can be used in the event of an outage. The Security Review Team:

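Review bot: Replacing "### Schedule" with "### Policy" leaves the annual walkthrough and restore-test paragraph sitting directly under "Policy" with no subsection of its own, while Backups and the later sections become "####" subsections. data-retention-deletion/index.md keeps "#### Schedule" under "### Policy" in this same change; suggest doing the same here. The doubled blank line before "#### Backups" can be collapsed while you are there.
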
Expand All @@ -29,10 +29,16 @@ Tailscale regularly reviews backups and service redundancy to ensure they can be
* Reviews proposed and existing architecture plans for resiliency
* Implements monitoring tools to detect potential continuity issues for key services

### Outage detection
#### Outage detection

An incident could be detected internally by monitoring tools, by an employee in their course of work, or reported by a third party including customers.

### Outage response and remediation
#### Outage response and remediation

If a suspected outage or other business continuity incident is detected, it should be responded to following the [Incident response process](/security-policies/incident-response-process).
If a suspected outage or other business continuity incident is detected, it must be responded to following the [Incident response process](/security-policies/incident-response-process).

### Roles and responsibilities

Tailscale’s Security team is responsible for conducting tests and reviewing and updating the BCP/DR process on an annual basis.

All departments have processes in place to continue business during an interruption.
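
Review bot: The last added line, "All departments have processes in place to continue business during an interruption", reads as a statement of fact rather than a requirement, in a change that otherwise tightens "should" to "must". Suggest wording it as an obligation with an owner, for example "Each department must maintain processes to ...", so it can be audited.
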
16 changes: 10 additions & 6 deletions change-management/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,15 @@ weight: 9
last_updated: 2025-04-07
---

### Purpose

To avoid potential security incidents, Tailscale requires change management controls to ensure only authorized changes are made to its environment and processes.

### Environment
### Scope

This policy applies to code, infrastructure, and customer account changes.

### Policy

#### Code changes

Expand All @@ -31,16 +37,14 @@ Documentation can be updated without requiring a separate reviewer.

#### Infrastructure changes

Employees should notify others prior to making changes to Tailscale’s infrastructure, e.g., over Slack. Where infrastructure is codified and uses a deployment tool, infrastructure changes should be approved by another employee prior to being deployed.
Employees must notify others prior to making changes to Tailscale’s infrastructure, e.g., over Slack. Where infrastructure is codified and uses a deployment tool, infrastructure changes must be approved by another employee prior to being deployed.

#### Customer accounts

Tailscale may make changes to customers’ networks and accounts in Tailscale at their request. Changes are initiated by customer support tickets.

Tailscale may also make changes to customer environments without the customer initiating the request, such as when required by law or due to an urgent security issue.

### Security policies

Security policies must have a change log to allow auditing of past changes, including when and by whom these changes were made. Tailscale stores these security policies in GitHub and uses git to track changes.
### Roles and responsibilities

Tailscale will review and evaluate its security policies, adapt them as needed due to changing risks, and validate if the implemented information security continuity controls are sufficient on an annual basis.
Tailscale’s Security Review team is responsible for reviewing and updating the Change Management policy requirements on an annual basis.
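
Review bot: Deleting the "### Security policies" section drops the requirement that security policies "must have a change log to allow auditing of past changes", along with the annual review of all security policies; the replacement paragraph covers only the Change Management policy, and the new Scope lists only code, infrastructure, and customer account changes. If the change-log requirement now lives in another document, link to it from here; otherwise keep it as a "####" subsection under "### Policy".
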
25 changes: 17 additions & 8 deletions data-retention-deletion/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,17 +7,21 @@ weight: 12
last_updated: 2025-04-23
---

Tailscale must retain and process certain kinds of customer and user data to deliver the Tailscale Solution and to comply with our customer commitments and legal requirements. At the same time, Tailscale wants to avoid retaining data for longer than is necessary.
### Purpose

Tailscale must retain certain kinds of data for a minimum amount of time, to comply with legal requirements. At the same time, Tailscale wants to avoid retaining any identifiable data for longer than is necessary, in case of a breach.

### Scope

This policy applies to the data assets associated with customer accounts that are processed by Tailscale in connection with providing the Tailscale Solution.

### Schedule
### Policy

#### Schedule

Tailscale should review the data it retains as part of reviewing its data register at least annually.
Tailscale must review the data it retains as part of reviewing its data register quarterly.

### Retention period
#### Retention period

Data subject to this policy will be retained for a set period of time, depending on the type of data:

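Review bot: The rewritten Purpose paragraph justifies retention only by legal requirements and drops the earlier reasons "to deliver the Tailscale Solution and to comply with our customer commitments", while the unchanged Scope still describes data processed "in connection with providing the Tailscale Solution". Suggest keeping service delivery and customer commitments in the Purpose so the two sections agree. The data register review also moves from "at least annually" to "quarterly" in the same line that changes "should" to "must"; that is a substantive change and worth calling out in the change description.
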
Expand Down Expand Up @@ -62,16 +66,21 @@ Data subject to this policy will be retained for a set period of time, depending

\*Tailscale acts as the data processor for this information pursuant to our DPA. In all other cases, Tailscale acts as the data controller.

Where not specified, customer data will be retained no longer than is needed to provide the service, and anonymized or deleted afterwards.
Where not specified, customer data must be retained no longer than is needed to provide the service, and anonymized or deleted afterwards.

#### Privacy Policy

### Privacy Policy
Tailscale must delete customer data in accordance with the commitments, if any, made in [Tailscale’s Privacy Policy](/privacy-policy/). If the privacy policy is updated, the above retention periods must also be updated to reflect any changes.

#### Deletion method

Data may be destroyed by overwriting on disk, deleting a cloud resource, encrypting and destroying the key, resetting a device, and/or physical destruction.
Tailscale will delete personal data pursuant to individual data subject requests in accordance with applicable data privacy laws as set forth in our [Privacy Policy](/privacy-policy/).

### Suspension

Tailscale may suspend routine deletion of customer data if required for security forensic analysis purposes or a legal hold involving such data. Legal holds may be issued, for example, in connection with an active, imminent, threatened or reasonably anticipated investigation, litigation, arbitration, subpoena, financial transaction, or other legal matter.

### Deletion method
### Roles and responsibilities

Data may be destroyed by overwriting on disk, deleting a cloud resource, encrypting and destroying the key, resetting a device, and/or physical destruction.
Tailscale’s Security Review team is responsible for reviewing and updating the Data Retention policy requirements on an annual basis.
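
Review bot: Moving "Deletion method" up leaves the unchanged paragraph on data subject requests ("Tailscale will delete personal data pursuant to individual data subject requests ...") under "#### Deletion method" instead of under "Privacy Policy", where it sat before. Suggest moving that paragraph back above the "#### Deletion method" heading. "### Suspension" also stays at level 3, so it is no longer inside "### Policy" with its former siblings; make it "#### Suspension" if it is meant to be part of the policy.
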
12 changes: 11 additions & 1 deletion incident-disclosure/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,21 @@ weight: 5
last_updated: 2025-04-07
---

### Purpose

This policy specifies when and how we notify users about security incidents.

### Scope

Both the client software and our managed backend infrastructure (i.e. coordination server) are in scope for this policy.

### Policy

For incidents that fall under any legal disclosure requirements (such as [California’s Data Security Breach Reporting](https://oag.ca.gov/privacy/databreach/reporting)), those requirements will take precedence over this policy.

By “notify” here we mean explicitly contacting users in addition to regular release notes in the [changelog](https://tailscale.com/changelog/) and GitHub commit history. For example, you may read about minor vulnerability patches in release notes, but we may not notify users via a dedicated security bulletin.

### When we notify users
#### When we notify users

Generally, we aim to reduce noise and only notify users for actionable incidents. Tailscale does not notify users for routine security patching of dependencies. We also don’t notify users for vulnerabilities in our software, if we confirm the vulnerability was not exploited and no users were affected.

Expand All @@ -37,3 +43,7 @@ To disclose security vulnerabilities, Tailscale publishes security bulletins pub
To notify users about security vulnerabilities, Tailscale will **email** affected tailnets’ administrators, with information specific to the tailnet, including specific users or nodes which are affected. These emails will be sent to the [security contact](https://tailscale.com/kb/1224/contact-preferences/#setting-the-security-issues-email) for the tailnet, which by default is the Owner of the tailnet.

Occasionally, Tailscale may decide to notify users in additional ways about a security issue, such as by publishing a [blog post](https://tailscale.com/blog/), or with in-product notifications (such as by putting a warning banner in the admin console).

### Roles and responsibilities

Tailscale’s Security Review team is responsible for sending notifications for incidents. The Security team is responsible for reviewing and updating this policy on an annual basis.
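
Review bot: The added paragraph names two owners, "Security Review team" for sending notifications and "Security team" for policy review, without saying how they differ. The other "Roles and responsibilities" sections added in this change give the same annual-review duty to the "Security team" (access-control, bcp-dr) and to the "Security Review team" (change-management, data-retention-deletion), and existing text capitalises "Security Review Team". Define the two groups once, or use one name throughout.
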
22 changes: 15 additions & 7 deletions incident-response-policy/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,27 +7,32 @@ weight: 5
last_updated: 2025-04-07
---

### Context
### Purpose

Tailscale’s customers are dependent on our services operating as normal. Proper detection and response to incidents that may impact the integrity, confidentiality or availability of services and data is critical to the operation of Tailscale.

### Scope

The following minimum standards apply to Tailscale’s assets as managed by employees, contractors and vendors. These recommendations represent the recommended minimum efforts necessary for incident detection and response.

### Incident detection
### Policy

#### Incident detection

An incident could be detected internally by an employee in their course of work, by an employee or vendor doing a review of Tailscale’s security posture, or an external third party reporting a potential vulnerability to us.
An incident could be detected by automated alerting, internally by an employee in their course of work, by an employee or vendor doing a review of Tailscale’s security posture, or an external third party reporting a potential vulnerability to us.

If you see something, say something. All Tailscale employees should immediately report suspected security incidents or suspicious activity that occurs at Tailscale, including but not limited to security incidents, physical injury, theft, property damage, denial of service attacks, threats, harassment, abuse of individual user accounts, forgery and misrepresentation. Suspicious activity can be reported to the Slack channel #incident-response, or, for potentially sensitive incidents, to the Security Review Team or to the Chief Operating Officer (COO). Violations of the [Code of Conduct](http://go/code-of-conduct) should be reported to the Chief Operating Officer (COO).
If you see something, say something. All Tailscale employees must immediately report suspected security incidents or suspicious activity that occurs at Tailscale, including but not limited to security incidents, physical injury, theft, property damage, denial of service attacks, threats, harassment, abuse of individual user accounts, forgery and misrepresentation. Suspicious activity can be reported to the Slack channel #incident-response, or, for potentially sensitive incidents, to the Security Review Team or to the Chief Operating Officer (COO). Violations of the [Code of Conduct](http://go/code-of-conduct) must be reported to the Chief Operating Officer (COO).

All employees should watch for potentially suspicious activities, including:
All employees much watch for potentially suspicious activities, including:

* Warnings from antivirus tools
* Unexpected system reboots and/or sudden degradation of system performance
* Password reset notifications
* Modification or defacement of websites
* New open network ports on a system
* Multi-factor authentication prompts

Tailscale regularly reviews logs to detect and track attempted intrusions and other suspicious activity. These include git, cloud, networking, SaaS tool, and other infrastructure logs.
Tailscale regularly reviews logs to detect and track attempted intrusions and other suspicious activity. These include git, cloud, networking, SaaS tools, and other infrastructure logs.

The Security Review Team:

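Review bot: Typo in the added line "All employees much watch for potentially suspicious activities": "much" should be "must". Separately, the unchanged Scope paragraph still calls these standards "recommendations" and "recommended minimum efforts", which sits oddly with the should-to-must changes below it; consider rewording it in the same pass.
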
Expand All @@ -41,8 +46,11 @@ Tailscale’s Security Review Team reviews and responds to potential third-party

### Incident response and remediation

If a suspected incident is detected, it should be responded to following the [Incident response process](/security-policies/incident-response-process/).
If a suspected incident is detected, it must be responded to following the [Incident response process](/security-policies/incident-response-process/).

We respond to reported incidents, and resolve and determine impact as soon as possible. We aim to remediate incidents as soon as possible.

Confirmed incidents may be disclosed publicly per our [disclosure policy](/security-policies/incident-disclosure/).

### Roles and responsibilities
Tailscale’s Security Review team is responsible for handling potential security incidents. The Security team is responsible for reviewing and updating this policy on an annual basis.
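
Review bot: "### Incident response and remediation" stays at level 3 while "Incident detection" becomes "#### Incident detection" under the new "### Policy" heading, so response and remediation now falls outside the Policy section. Suggest "#### Incident response and remediation". The added "### Roles and responsibilities" heading is also missing the blank line before its paragraph that the other files in this change have.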