Enterprise security and privacy
Your code’s privacy is our highest priority, and we want to reassure you that your code stays private when using our products.
Tabnine provides a secure, reliable, and resilient platform, which has been designed from the ground up based on industry best practices.
This article reviews the network and hardware infrastructure, software, and information security that Tabnine includes as part of this platform.
The Tabnine SaaS Platform utilizes Amazon Web Services (“AWS”) and Google Cloud Platform (“GCP”) to host our cloud-based capabilities. AWS’s main data center is located in North Virginia on the East Coast, GCP’s main data center is located in Council Bluffs, Iowa, North America, and Heroku’s main data center is located in Virginia, United States.
Data centers security and compliance
Amazon Web Services (“AWS”) and Google Cloud Platform (“GCP”) design and manage their infrastructure in alignment with the following regulations, standards, and best practices:
https://aws.amazon.com/security/
https://cloud.google.com/security
AWS and GCP compliance programs: ISO 27001, ISO 27017, ISO 27018, SOC 1/SOC 2/SOC 3, PCI DSS Level 1, HIPAA, FedRAMP (and more)
Data centers architectural physical security
Access control – Physical access is limited to approved employees and contractors with a legitimate business purpose. Visitors are required to present identification cards and are signed in and escorted by authorized staff. Privileges for employees are revoked immediately when there is no longer a business need for them. Cardholder access to data centers is reviewed on a quarterly basis.
Surveillance – Physical access is controlled both at the perimeter and at building entrance points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means.
Two-Factor Authentication – Authorized staff must pass two-factor authentication twice to access data center floors.
Redundancy – The data centers are designed to anticipate and tolerate failure while maintaining service levels, with core applications deployed to an N+1 standard.
Fire detection and suppression – Automatic fire detection and suppression equipment have been installed to reduce risk.
Redundant power – The data center electrical power systems are designed to be fully redundant and maintainable without impact on operations, 24 hours a day. Uninterruptible Power Supply (UPS) units provide backup power in the event of an electrical failure, and generators provide backup power for the entire facility.
Climate and temperature controls – The data centers maintain a constant operating temperature and humidity level for all hardware.
Software development lifecycle – Software development and change management at Tabnine are performed in a manner that helps ensure applications are properly designed, tested, approved, and aligned to Tabnine’s customers’ business objectives.
Changes are discussed, evaluated, and approved by relevant managers from Product, Development, and DevOps. Changes are documented and approved within an SDLC application. Personnel responsibilities for the design, acquisition, implementation, configuration, modification, and management of systems are assigned. In addition, changes performed to the application are communicated to Tabnine’s customers through release notes.
Data encryption – All traffic between the customer client and Tabnine’s server is encrypted using HTTPS with TLS 1.2. Stored data is encrypted on disk using a 256-bit AES cipher.
Threat and mitigation analysis – Tabnine will typically perform a Threat and Mitigation analysis with security consultants for new products and major changes.
User identity – For cloud solutions, Tabnine uses Google Cloud Identity (https://cloud.google.com/identity) to manage user identity. Customers can authenticate either with a strong username/password or with an external identity provider (GitHub, Google, or Microsoft accounts) via OAuth2.
In the self-hosted solution, built-in username/password authentication is available, as well as support for SAML 2.0 SSO integration.
Authentication – All requests from client to server are protected by a JWT with an expiration period of 1 hour.
User permissions – Tabnine provides two levels of user permissions. A user can be assigned either the ‘member’ or the ‘admin’ role on the Members page in Tabnine’s web admin application. Admin permission allows control over team membership, payments, and code repository integrations.
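The one-hour JWT described above, shown from the server's side as an added example (this is not Tabnine's code, and the page does not say which signing algorithm or claims Tabnine uses): the token is minted as an HS256 JWT with an `exp` claim one hour after issue, and `verify_token` rejects anything that is malformed, signed with a different key, issued with a different algorithm, or past its `exp`. `SIGNING_KEY` is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical server-side signing key (constructed for this example; a real
# deployment loads it from a secret store and never hard-codes it).
SIGNING_KEY = b"constructed-demo-signing-key-not-a-real-secret"
TOKEN_LIFETIME_SECONDS = 3600  # the one-hour expiry described on the page


def b64url_encode(raw: bytes) -> str:
    # JWT segments use unpadded base64url
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT strips before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: str) -> bytes:
    return hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(subject: str, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT for `subject` that expires one hour after `now`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + TOKEN_LIFETIME_SECONDS}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    return signing_input + "." + b64url_encode(sign(signing_input))


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is well-formed, correctly signed and
    unexpired; return None on any failure, in which case the request is rejected."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Accept only the algorithm the server issues; this also refuses "alg": "none"
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = sign(f"{header_b64}.{payload_b64}")
        # Constant-time comparison so the signature check does not leak timing
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        # Wrong segment count, bad base64, bad JSON or non-ASCII input
        return None
    if not isinstance(payload, dict):
        return None
    exp = payload.get("exp")
    # An expired (or missing / ill-typed) exp means the client must re-authenticate
    if not isinstance(exp, int) or now >= exp:
        return None
    return payload
```

The signature is checked before the payload is parsed, so an unsigned or mis-signed body is never interpreted, and the algorithm pin prevents a token that names a different `alg` from being accepted under this key.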
Self-service user management – Tabnine provides a self-service user management system. The customer’s admins have access to a user management console. There, the team admin can manage users for the account.
Default password policy – A user password must be at least six characters long and contain at least one letter and one digit character. Upon password loss, the user can unlock the account by going through the ‘forgot password’ procedure which allows them to choose a new password after being authenticated through email.
Your code always remains private.
Tabnine clients send code context to the Tabnine Server for getting code suggestions from the AI models. Tabnine NEVER stores or shares any of your code. Any action that shares your code with Tabnine servers for the purpose of training team models requires explicit opt-in. Tabnine doesn't retain any user code beyond the immediate time frame required for model inference.
Private code models created by Tabnine Enterprise are only accessible to your team members.
Data plane in self-hosted / air-gapped deployment
The Tabnine cluster collects operational metrics and logs to ensure system health and quality of service.
In an air-gapped deployment, metrics can be sent to a Prometheus server and logs can be sent to your log aggregator. In a self-hosted deployment, the Tabnine cluster sends operational metrics and logs to Tabnine’s own servers to allow improved support when required. No code or PII data is ever sent to Tabnine’s servers.
Tabnine cluster
The Tabnine cluster sends operational metrics and logs (every 1 second) to Tabnine’s own servers. Metrics and logs data are retained for a week. This includes:
- GPU & CPU utilization
- GPU & CPU memory
- Server throughput
- Server latency
Tabnine client
The Tabnine client sends telemetry to Tabnine’s self-hosted server (which is then streamed to Tabnine’s own servers) on various user interactions. This includes:
- Plugin & binary configurations
- User machine details, including CPU type, available processors & memory
- One-way hashed, non-identifiable data, including user email, hostname & IP
- IDE details, including type & version
- Statistical data: Aggregated number of suggestions/completions per programming language
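The client-side telemetry record listed above, as an added example that is not Tabnine's code. The page does not state which hash function Tabnine uses or whether it is keyed, so the keyed HMAC-SHA256 in `pseudonymise` is an assumption: a keyed hash stays one-way for anyone who lacks the key, whereas a bare SHA-256 of an e-mail address is only as private as the address is hard to guess. `PSEUDONYM_KEY`, the field names, and the sample values are constructed. `leaks_raw_identifier` is the outbound check a practitioner would add so that no raw identifier ever leaves the client.

```python
import hashlib
import hmac
import json
from typing import Dict, Iterable

# Hypothetical per-deployment pseudonymisation key, constructed for this example.
# A real client would load it from configuration rather than hard-code it.
PSEUDONYM_KEY = b"constructed-demo-telemetry-key"


def pseudonymise(identifier: str) -> str:
    """Keyed one-way hash of an identifier such as an e-mail, hostname or IP.
    The same identifier always maps to the same pseudonym, so statistics can still
    be grouped per user or host without the raw value being transmitted."""
    canonical = identifier.strip().lower()  # case / whitespace variants hash alike
    return hmac.new(PSEUDONYM_KEY, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def build_telemetry_event(email: str, hostname: str, ip: str,
                          ide: str, ide_version: str,
                          cpu: str, processors: int, memory_mb: int,
                          completions_by_language: Dict[str, int]) -> Dict:
    """Assemble a record with the kinds of fields listed above, replacing every
    identifier with its pseudonym before the record leaves the client."""
    return {
        "user": pseudonymise(email),
        "host": pseudonymise(hostname),
        "ip": pseudonymise(ip),
        "ide": {"type": ide, "version": ide_version},
        "machine": {"cpu": cpu, "processors": processors, "memory_mb": memory_mb},
        "completions_by_language": dict(completions_by_language),
    }


def leaks_raw_identifier(event: Dict, raw_identifiers: Iterable[str]) -> bool:
    """Outbound guard: True if any raw identifier still appears anywhere in the
    serialised event (nested fields included)."""
    serialised = json.dumps(event).lower()
    return any(
        ident.strip().lower() in serialised
        for ident in raw_identifiers
        if ident.strip()
    )


if __name__ == "__main__":
    # Constructed sample input
    event = build_telemetry_event(
        "Dev@Example.com", "dev-laptop", "203.0.113.7",
        "VS Code", "1.85", "x86_64", 8, 16384, {"python": 120, "go": 15},
    )
    assert not leaks_raw_identifier(event, ["Dev@Example.com", "dev-laptop", "203.0.113.7"])
    print(json.dumps(event, indent=2))
```

Running the guard on every record before it is queued for upload turns the "no PII leaves the client" statement into a testable property rather than a convention.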
Tabnine's public code-trained AI model
Tabnine’s generative AI only uses open-source code with permissive licenses (MIT, Apache 2.0, BSD-2-Clause, BSD-3-Clause) for our Public Code trained AI model. Whether you’re using Tabnine’s Pro plan or our Basic plan, your code and AI data are NEVER used to train any models other than private code models.
Tabnine is SOC2 Type II compliant for security, availability, and confidentiality.