
    Security & Trust

    Answers for security, legal, procurement, and risk teams reviewing Tailor.

    Last updated: May 2026

    Tailor AI Trust Center

    Full security documentation, policies, and controls live in the Tailor AI Trust Center. Access is gated.

    Visit Tailor Trust Center

    Need access for reviewers? Email security [at] tailorhq [dot] ai with their addresses.

    How do you manage security overall?

    Tailor maintains a security program covering access control, environment isolation, logging and auditability, secure development practices, vulnerability management, and operational controls.

    Are you SOC 2 certified?

    Tailor is not yet SOC 2 certified. We have aligned our policies and controls to SOC 2 requirements and are actively preparing for a SOC 2 audit through Vanta.

    Mature organizations including Notion have reviewed our policies and approved Tailor for use.

    Do you have ISO 27001?

    Tailor is not currently ISO 27001 certified. Our current security program is focused on SOC 2 readiness through Vanta, with supporting policies and controls available in our Trust Center.

    What user data does Tailor collect?

    Tailor is designed to minimize collection of directly identifiable user data.

    At a high level, Tailor collects pseudonymous behavioral event data needed to run and analyze experiments, including impressions, clicks, scroll behavior, page interactions, and event timestamps.

    By default, Tailor generates a random user ID for each visitor. If a customer chooses to pass Tailor their own user ID, it is one-way hashed on the client side before transmission, so we do not store the raw identifier.

    For authenticated Tailor users, we process standard account and authentication data such as name, email, and login details.

    What data is collected if enrichment is enabled?

    Enrichment is optional and only activated on the customer's instruction.

    If enabled, Tailor may process IP addresses transiently to derive probabilistic company-level and role-level business attributes, such as industry, company size, department, or seniority.

    Those enrichment attributes may be used for personalization, analytics, anomaly detection, and experiment auditing. The IP address itself is processed transiently for enrichment and is not stored in Tailor's personalization or analytics data stores. It may be temporarily retained only in security and operational access logs, which are retained for 60 days and then automatically deleted.

    Tailor does not attempt to identify named individuals from enrichment data.

    Can Tailor use first-party customer attributes for targeting?

    Yes. Customers can pass first-party attributes into Tailor through a client-side or server-side integration, depending on the setup. These attributes can include signals such as logged-in status, plan type, account segment, lifecycle stage, or similar user and account fields.

    The best approach depends on which signals are useful for targeting and analysis, and how those signals are already available in the customer's architecture.

    What visitor signals can Tailor use for targeting?

    Tailor can use signals such as query parameters, UTM parameters, geography, locale, device type, referrer, first-party customer attributes, and optional enrichment attributes when enabled by the customer.

    Where is Tailor data stored?

    Tailor's current production data is stored in the United States.

    How does Tailor manage the security risk of client-side JavaScript?

    Tailor's serving script is designed for controlled page personalization and experimentation. It supports scoped changes such as text, image, link, styling, selected HTML edits, and configured callback logic for analytics event firing.

    The relevant controls include:

    • Domain validation
    • Organization scoping
    • Server-side payload validation
    • Access control
    • Auditability
    • Rollout controls
    • Operational safeguards

    An organization can only serve changes to its own domains where the Tailor tag is installed. In an account-compromise scenario, the blast radius is limited to that organization's own experiments and pages, not cross-customer access.

    Does anything go live automatically?

    No. Variants start in draft state. Editing a variant does not affect live traffic until a team member explicitly activates it with a chosen traffic percentage.

    Teams can preview changes before ramping, start with a small traffic percentage, and deramp to 0% immediately without a deployment or code change.

    Are changes audited?

    Yes. Experiment changes, including creation, deletion, ramping, and deramping, are logged with timestamps and user attribution in the Tailor dashboard.

    Do you support SSO?

    Tailor currently supports Google OAuth authentication.

    For organizations using Google Workspace, this means access to Tailor is centrally managed: account lifecycle and MFA policy are enforced in Google Workspace, and deprovisioning a user there removes their ability to access Tailor.

    Support for additional enterprise IdPs is on our roadmap.

    Can customers self-host the Tailor JavaScript?

    No. Tailor does not currently support customer self-hosting of the serving script.

    Our hosted approach ensures live changes can be reflected through our managed serving path, keeps the script compatible with experiment payloads and event tracking, avoids stale-script issues, and lets us ship fixes for browser, SPA, and DOM edge cases without version drift.

    What controls help customers manage rollout risk?

    Customers can:

    • Preview changes before ramping traffic
    • Start with gradual rollout percentages
    • Deramp any active experiment to 0% immediately
    • Limit which pages the Tailor tag is installed on
    • Use audit trails for experiment changes and ramping actions
    • Optionally restrict allowed script and network destinations via CSP headers
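The last item above, restricting script and network destinations with CSP, as an added example (not Tailor's code or a configuration it publishes). It assumes the tag needs `script-src` for the serving script and `connect-src` for payload and event requests, and uses a placeholder tag origin because the page does not list Tailor's hostnames; `buildCsp`, `parseCsp` and `allowed` are illustrative helpers, the last a deliberately simplified matcher:

```javascript
// Added example: build a CSP that allows a third-party tag only from an
// allowlisted origin, and check candidate URLs against it before shipping.
// Placeholder origin; substitute the hosts from Tailor's install instructions.
const TAILOR_ORIGIN = 'https://tag.tailor-placeholder.invalid';

// 'self' keeps first-party assets working; the tag origin is added to
// script-src (the serving script) and connect-src (payload/event requests).
function buildCsp(tagOrigin, extraConnect = []) {
  const directives = {
    'default-src': ["'self'"],
    'script-src': ["'self'", tagOrigin],
    'connect-src': ["'self'", tagOrigin, ...extraConnect],
    'img-src': ["'self'", 'data:'],
    'object-src': ["'none'"],
  };
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Parse a CSP header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Would a browser load `url` under `directive`? Falls back to default-src as
// browsers do. Simplified on purpose: handles 'self', 'none', '*' and exact
// origin sources only (no scheme-less hosts, wildcards in hosts, or paths).
function allowed(policy, directive, url, pageOrigin) {
  const sources = policy[directive] || policy['default-src'] || [];
  if (sources.includes("'none'")) return false;
  const origin = new URL(url).origin;
  return sources.some(src =>
    src === '*' ||
    (src === "'self'" && origin === pageOrigin) ||
    (src.includes('://') && new URL(src).origin === origin));
}
```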

    What release and change-management controls exist?

    Platform and serving-script changes go through automated test gates, code review, environment isolation, staged promotion from staging to production, and rollback capability.

    The serving script does not silently change behavior outside of either a customer experiment change or a Tailor product deployment.

    Do you have a bug bounty program?

    Tailor does not currently run a formal public bug bounty program. We do maintain a vulnerability management process that includes regular vulnerability scanning of public-facing systems, automated security and test gates in CI/CD, responsible intake of reported issues, and remediation timelines based on severity.

    To report a vulnerability, see our Security Disclosure page.

    Can Tailor ingest downstream outcome data?

    Yes. Tailor can incorporate downstream events from a customer's analytics stack, such as plan upgrades, activation milestones, cancellations, MQLs, opportunities, or revenue events, so those can be used as experiment goals and for deeper analysis.

    Tailor already supports this pattern through integrations such as Amplitude. For Snowflake or other warehouse-based setups, we can discuss a custom API-based integration depending on the customer's requirements.

    Additional questions

    For Trust Center access or additional security questions, email security [at] tailorhq [dot] ai. We're happy to answer asynchronously.