Data Security

SOC2 Compliance

Tarsal has started the rigorous process of becoming SOC2 certified. Because we are aiming for that level of compliance, we have adopted the following policies and procedures.

Tarsal Security

Tarsal is committed to keeping your data safe by following industry-standard practices for securing physical deployments, setting access policies, and leveraging AWS's security features.

If you have any security concerns with Tarsal, or believe you have discovered a vulnerability, please email us at [email protected].

Securing Your Data

Tarsal connectors operate as the data pipes moving data from point A to point B: extracting data from data sources, normalizing it, and loading it into destination platforms (warehouses, SIEMs, data lakes). As soon as data is transferred from the source to the destination, it is purged from Tarsal.

Sensitive Data

Because Tarsal is not aware of the data being transferred, users are required to follow the Terms of Service and are responsible for ensuring their data transfer is compliant within their jurisdiction.

For more information, see Tarsal’s Privacy Policy.

Data Storage

Tarsal stores the following data:

Technical Logs

Technical logs are stored for troubleshooting purposes and may contain sensitive data, depending on the connection’s state data. If a connection is set to sync incrementally, the user chooses which column is the cursor for that connection. We strongly recommend setting the cursor to a timestamp such as an updated_at column, but users can choose any column they want.


Tarsal retains configuration details and metadata such as table and column names for each connection.

Securing Tarsal

Tarsal adheres to least-privilege access policies to ensure data security.

Credential Management

Most Tarsal connectors require keys, secrets, or passwords to continually sync without prompting the user for credentials. Tarsal fetches credentials using HTTPS and stores them in AWS Secrets Manager. When persisting connector configurations to disk or the database, we store a version of the configuration that points to the secret in AWS Secrets Manager, instead of the secret itself, to limit the parts of the system interacting with secrets.
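The reference-instead-of-secret pattern described above, as an added illustration that is not Tarsal's own code. The secret field names, the `_secret_ref` marker and the in-memory store standing in for AWS Secrets Manager are all assumptions.

```python
import uuid

# Assumption: which keys count as secret; a real connector would declare this in its schema.
SECRET_FIELDS = {"password", "api_key", "client_secret", "private_key"}
REF_KEY = "_secret_ref"  # hypothetical marker for "this value lives in the secret store"

class InMemorySecretStore:
    """Stand-in for a managed secret store such as AWS Secrets Manager."""
    def __init__(self):
        self._secrets = {}
    def put(self, value):
        secret_id = f"connector-secret/{uuid.uuid4()}"
        self._secrets[secret_id] = value
        return secret_id
    def get(self, secret_id):
        return self._secrets[secret_id]

def split_secrets(config, store):
    """Return a copy that is safe to persist: secret values become references."""
    if isinstance(config, dict):
        out = {}
        for key, value in config.items():
            if key in SECRET_FIELDS and isinstance(value, str):
                out[key] = {REF_KEY: store.put(value)}
            else:
                out[key] = split_secrets(value, store)  # recurse into nested settings
        return out
    if isinstance(config, list):
        return [split_secrets(item, store) for item in config]
    return config

def hydrate(persisted, store):
    """Resolve references back to secret values, only at the point a sync needs them."""
    if isinstance(persisted, dict):
        if set(persisted) == {REF_KEY}:
            return store.get(persisted[REF_KEY])
        return {key: hydrate(value, store) for key, value in persisted.items()}
    if isinstance(persisted, list):
        return [hydrate(item, store) for item in persisted]
    return persisted

# Constructed sample connector configuration (not real credentials).
SAMPLE_CONFIG = {
    "host": "db.example.internal", "username": "sync_user",
    "password": "constructed-password",
    "tunnel": {"method": "ssh", "private_key": "constructed-key-material"},
}
```

Only `hydrate` needs read access to the secret store, so the database, disk and any component that handles just the persisted form never see the secret values.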


Because Tarsal only transfers data from source to destination and purges it once the transfer is finished, the data is encrypted in transit with TLS, and no encryption at rest is required for it. Tarsal does store customer metadata, which it encrypts using AES-256-bit encryption keys.

All Tarsal connectors pull data through encrypted channels (SSL, SSH tunnel, HTTPS), and the data transfer between our clients' infrastructure and Tarsal infrastructure is fully encrypted.