Tigerhall Compliance
Last updated: March 2, 2026
BASIC DATA INFORMATION
Question | Response |
Data Points Shared |
|
Data Host Information |
|
How many people have access to AWS |
|
Volume of Data Records |
|
What encryption algorithms are used to encrypt data at rest? | AES256 |
Are any of your systems hosted in data center facilities that your organization does not own or lease? | AWS |
Please describe the responsibilities of your infrastructure provider and how you ensure their physical access security and environmental controls are sufficient. | AWS puts in place relevant measures to protect the data. We review their SOC TYPE II Report yearly to ensure all their controls are in place |
Does your company implement a network zoning concept that separates systems by function, value, and risk level (Example: VLAN, Subnetting, SGTs, Zero Trust) ? | Yes. All internal systems are deployed to private subnets not accessible from the WAN |
Does your company currently have any B2B VPN Tunnel, Direct Connect, Express Route, Cloud Interconnect network connections with any other entity that is not your own company (Example: Vendors, MSSP)? | No. |
What are the key differences between your production and non-production environments? Please address all of the relevant domains included in this questionnaire (e.g. authentication differences, contingency planning differences, physical security difference). | The same policies and procedures apply to Tigerhall’s production & non-production environments as they are almost identical. The major differentiator between the environments are the endpoints used to access them (different domains are used) and the amount of resources behind the different environments. |
In-scope systems | AWS, Elastic Cloud, Neo4j & DataDog |
SECURITY
Security Patches |
|
Security/ Compliance Programs we follow |
|
Security Breach |
|
PASSWORDS & ACCOUNTS
Questions | Answers |
Are authenticators such as username and password distributed independently of one another? | Not applicable due to SSO |
Are stored passwords to the solution environment protected from unauthorized disclosure or modification (e.g. are they hashed, are the hashes encrypted and is access to the password file restricted)? | Not applicable due to SSO |
Does authentication to the solution environment use strong cryptography to render all authentication credentials unreadable during transmission and storage on all system components? | Yes Encryption in transit: Sensitive & Confidential Data transfers must be sent via a secure transfer system, such as TLS or SFTP. Encryption at rest: All Tigerhall servers, workstations, and laptops must use disk encryption meeting FIPS 140-2 encryption standards (ex. AES 256). |
Do access accounts to the solution environment have a unique identifier associated with a single resource?If not, please explain why accounts are shared or not unique. | Yes. |
Are generic accounts in the solution environment disabled or removed? If not, please explain what generic accounts are used and why. | Yes. We don’t allow shared accounts. |
Are passwords for default system accounts changed after installation? | NA. |
CONNECTIONS
Questions | Answers |
What connections does Tigerhall support? | Tigerhall is integrated with Fivetran, enabling connections to a client’s ecosystem of tools across CRM, ERP, HRIS, and data lakes. It supports 500+ platforms, including SAP, Workday, Okta, Salesforce, Oracle, Microsoft and many more. Explore all integrations here. |
Does Tigerhall require connections to a client’s system or another SaaS provider engaged by or contracted with the client? | Mandatory - SSO, Directory Sync Optional (up to client) - Microsoft Teams Suggestion: Yes, Tigerhall requires SSO and directory sync as mandatory connections. There is also an optional Microsoft Teams integration. |
Does Tigerhall support SAML 2.0 and the implementation of centralized authentication solutions, such as MyID? | Yes, Tigerhall supports all SAML and openID connect protocols. |
AI Solutions in Tigerhall
Questions | Answers |
Which areas of the Tigerhall Solution use AI? | Content recommendation, translation, AI Creator Studio transcriptions, and NLP-based searches. |
Is client data used for training models? | Tigerhall does not train AI models. |
Will client data be | Client Business Data will be used if the client requests that we translate, transcribe or use vector or NLP based searches. |
How is transparency ensured in AI decision-making? Are the results audited? | Tigerhall does not use AI decision-making. |
What AI Systems does Tigerhall use? | AWS Services
Azure Services
All AI systems used by Tigerhall are not allowed to train or improve upon their models with the input data. |
Please identify any existing agreements between client and the Licensor or terms and conditions potentially applicable to client’s intended use of the AI System of which you are aware. Suggestion: Are there existing agreements or terms and conditions that are potentially applicable to the client's intended use of the AI system? | Standard Enterprise Agreements with AWS and Microsoft are in place to ensure provided data will not be used for additional training purposes. |
How will you ensure that the AI does not displace human responsibility and accountability? | All outputs are displayed for verifications by a human. |
Will the client’s employees use the AI System directly or will a third party/parties (e.g., subcontractors) use the AI System for the client? | Directly |
Will client’s confidential information (other than Business Data) (i) will be used as an input in, (ii) has been used in connection with training, or (iii) otherwise will be shared with the AI System? | No |
Is it anticipated that any Personally Identifiable Information (i) will be used as an input in, (ii) has been used in connection with training, or (iii) otherwise will be shared with the AI System? | No |
Other than what has been identified above, has any of the client’s Content, Business Data, confidential information, or Personally Identifiable Information been used, or will it be used, to train the Licensor’s foundational (i.e., “off-the-shelf”) mode? | No |
Data Deletion & Retention
Question | Answer |
What is your process for deleting all client data upon contract termination? | All user data is deleted upon request. This includes deletion of uploaded content,user records and anonymization of analytics data. |
How soon will data be deleted from live systems and backups? | Data is deleted from live systems immediately upon request. Backups are retained for 30 days, after which they are automatically purged. |
Can you provide written confirmation or a certificate of data destruction once deletion is complete? | We can provide screenshots or a recording of the CLI process showing user account deletion |
Will any Client data be retained in anonymized form for analytics or internal use? | Yes, anonymized data may be retained for internal analytics purposes. |
What steps are taken to ensure that anonymized data cannot be re-identified? | All analytics data is anonymized at the time of deletion. Re-identification is not possible after the 30-day backup expiry, as no user-level identifiers are retained beyond that. |
How is Client data handled in your backup systems? | Data is retained in AWS Backup for up to 30 days post-deletion, solely for disaster recovery purposes. It is not accessed unless absolutely necessary |
What is the retention period for backups containing client data? | 30 days.
|
Are backups encrypted and access-controlled? | Yes, all backups are encrypted and access-controlled, following industry best practices. |
Have any third-party subprocessors had access to Client data? If so, what steps will be taken to ensure they also delete all Client data? | Yes, Neo4j and Elastic Cloud may have had access to data as part of standard operations. All data with these subprocessors is deleted upon request, in accordance with our data processing agreements. |