TribeLocal Security

Trusted Infrastructure

TribeLocal is unified software for marketing agencies. Our application allows agencies to focus on their marketing strategies while TribeLocal focuses on Local SEO & Client Management, Site Analysis, Lead Generation, SEO Audits and more. This page gives an overview of application performance and how security is designed into the TribeLocal software. TribeLocal hosts its services on Heroku, which provides network-isolated, dedicated runtime environments for enhanced privacy, power, and performance. This infrastructure provides secure integration of client accounts, secure storage of data with end-user privacy safeguards, secure encryption of passwords and two-factor authentication, secure and private communication with customers, and safe operation by administrators.

We will describe the security of this application in progressive layers starting from the physical and network security, continuing on to how the hardware and software that underlie the infrastructure are secured, and finally, describing the technical constraints and processes in place to support the performance of the application.

Commitment to Privacy

As digital marketing agencies rely more heavily on data, they need to have confidence in the capabilities, reliability, and security of this software. TribeLocal applies security best practices and manages platform security so customers can focus on their marketing strategies.

TribeLocal invests heavily in securing its infrastructure with expert engineers dedicated to security and privacy distributed across all of TribeLocal.

TribeLocal works hard to earn and keep the trust of its customers, so we want you to be aware of our commitments in each area.


TribeLocal’s computing platform assumes ongoing hardware failure, and it uses robust software failover to withstand disruption. All TribeLocal systems are inherently redundant by design, and no subsystem depends on any particular physical or logical server for ongoing operation. Data is replicated multiple times across Heroku dynos (third party) so that, in the case of a machine failure, data will still be accessible through another system. We also replicate data to secondary data centers in different seismic and geographic zones to ensure protection from data center failures.

TribeLocal’s services are designed to scale to hundreds of thousands of users. We run multiple different performance tests, including load testing our applications under high load over a long period, to observe effects on factors, such as memory use and response time. TribeLocal also performs stress testing to examine system performance in unusual situations, including system functional testing while under unusually heavy loads, heavy repetition of certain actions or inputs, or input of large numerical values and large, complex queries to a database system.


We do everything in our power to protect agencies from attempts to compromise their data. We vigorously resist any unlawful attempt to access or block access to our customers’ data, whether it comes from a hacker or from malicious software. Whether it is an integration or a client’s contact, TribeLocal does not own that data.

That means two key things:

  • We use your information for the purposes specified in the policy, such as delivering you the service for which you pay.
  • You have control over your data. We provide you with options to delete and export your data so that you can take your data with you at any time.

TribeLocal may only access data in your account in strict compliance with our Privacy Policy and customer agreement. For purposes of providing technical support, an administrator from your domain may choose to grant the TribeLocal Support team permission to access accounts in order to resolve a specified issue.

Application Security


TribeLocal servers can be accessed only via HTTPS, using a Comodo SSL certificate. We use industry-standard encryption for data travelling to and from the application servers.


All user inputs are properly encoded when displayed to ensure XSS vulnerabilities are avoided.


All POST requests are checked for a CSRF token before the request is processed.


TribeLocal interacts with its database through ActiveRecord, the default and convenient Object Relational Mapping (ORM) layer, which provides abstraction and safety and allows developers to avoid manually building SQL queries.

TribeLocal also uses Brakeman, an open source static analysis tool that checks Ruby on Rails applications for security vulnerabilities.


TribeLocal does not store any sensitive details on its network. We store sensitive details in our database in an encrypted form.

Physical and Network Security

We use Heroku, Amazon’s AWS platform and infrastructure for TribeLocal. Here are more details about the security setup of AWS and Heroku.


We use Cloudflare to cope with increasing internet pressures. Cloudflare is a web performance and security company. Cloudflare’s WAF, DDoS protection, and SSL defend website owners and their visitors from all types of online threats.


Cloudflare’s enterprise-grade web application firewall (WAF) detects and blocks common application layer vulnerabilities at the network edge, utilizing the OWASP Top 10, application-specific and custom rulesets. It has two-factor authentication so that accounts get an added layer of login security, ultimately adding another layer of security to our website.


Cloudflare IP Firewall avoids the most common security attacks which run over a public network, such as the Internet.


Rate Limiting protects critical resources by providing fine-grained control to block or qualify visitors with suspicious request rates.


DDoS Mitigation resists the impact of distributed denial-of-service (DDoS) attacks on networks attached to the Internet by protecting applications, websites, and APIs from malicious traffic targeting the network and application layers, and it maintains performance and availability.


Ensuring the availability of the TribeLocal application is just as important as protecting it from malicious requests. We have a dedicated team working 24/7 on application monitoring. We use both internal and multiple external monitoring services to monitor TribeLocal. Our monitoring system alerts our team through emails and phone calls if there are any errors or abnormalities in the request pattern. We take the utmost care in picking the right external tools, and here are the four tools that are woven together to monitor the TribeLocal application 24 hours a day.


TribeLocal uses Scout, a Rails monitoring app that provides performance metrics, a layer of analysis, and a generous helping of workflow improvements. These features reduce the stress on us in identifying the root cause of Rails app performance woes.


TribeLocal uses Rollbar, a real-time, full-stack error monitoring and debugging tool for developers. We use it to monitor the impact of our code changes, measure performance, track errors and analyze our application. It integrates with GitHub to link stack traces to the underlying source code, correlate exceptions to code changes, and create GitHub issues, allowing us to manage errors in the existing workflow.


TribeLocal uses Instrumental for sending metrics and building graphs to monitor servers and services. It serves us for:
1. System & Service Monitoring
2. Application Monitoring


TribeLocal uses Librato for monitoring and understanding the metrics that impact the software at all levels of the stack.

Vulnerability scanning and audits

Third party security testing of the Heroku application is performed by independent and reputable security consulting firms. Findings from each assessment are reviewed by the assessors, risk ranked and assigned to the responsible team.

TribeLocal undergoes penetration tests, vulnerability assessments, and source code reviews to assess the security of the application, architecture, and implementation. Our third-party security assessments cover all areas of our platform, including testing for OWASP Top 10 web application vulnerabilities and customer application isolation. TribeLocal works closely with external security assessors to review the security of the platform and applications and applies best practices. We also hold open bug bounty programs, which allow security researchers to report a vulnerability in the TribeLocal application as long as the vulnerability is discovered without using intrusive testing techniques.


TribeLocal is committed to complying with the strictest data protection frameworks and laws. The EU GDPR regulations strengthen the rights that individuals have regarding personal data relating to them and seek to unify data protection laws across the world, regardless of where that data is processed.

You can count on the fact that TribeLocal is committed to GDPR compliance. We are also committed to helping our customers with their GDPR compliance journey by providing them with the robust privacy and security protections we have built into our product over the years. As of writing this document, TribeLocal is working aggressively to ensure its GDPR compliance. TribeLocal also wishes to comply with the EU-US Privacy Shield and is working towards ensuring compliance. The document will be updated accordingly for these line items.


TribeLocal offers a 99.99% app uptime and 99.99% API uptime. Furthermore, TribeLocal hardly has downtime or maintenance windows. To minimize service interruption due to hardware failures, natural disasters or other incidents, TribeLocal takes data backups and saves them on a different server in a different and highly redundant availability zone. In case our server goes down, we spin up the server in an hour.

Indemnity Clauses

TribeLocal ensures that its platform and services do not inadvertently cause its customers to breach intellectual property rights and other laws. Our indemnification rules are governed by our Terms of Service and Privacy Policy, which can be read on the given links.

Employee Screening and Policies

As a condition of employment, all TribeLocal employees undergo pre-employment background checks and agree to company policies including security and acceptable use policies.


We are working continuously to make our system secure. If you find any security issues, please submit them to [email protected]. We take security as our highest priority. We will make sure the issue is fixed and updated at the earliest.