BombBomb Security Features
Security and privacy are an essential part of our business and are embedded in everything we do. Keeping your data safe is a top priority. Security and compliance are achieved through a variety of processes and practices that we employ:
- Application Security: Our web application is developed and tested using security best practices. The web app is tested monthly by staff for vulnerabilities, both with automated tools and by manual vulnerability testing. Any security threat we identify is patched or remediated in a timely manner. Access to the application is monitored by Security staff.
- Network Security: We use a variety of logging and detection systems to monitor our corporate infrastructure. Our Security team is on call 24 hours per day to respond to network and security alerts. Our network is also regularly tested by staff for vulnerabilities. Any threats are remediated and patched in a timely manner.
- Physical Security: Our application is hosted in U.S.-based data centers that hold the following compliance certifications: ISO 27001, PCI DSS, SOC 2. All access to these data centers is tightly controlled and monitored 24 hours per day. All access to our corporate offices is restricted to authorized users only. Access to our facility is also monitored by security staff 24 hours per day.
- Encryption: We encrypt all data at rest and in transit over public networks using industry-leading encryption.
- Availability: We monitor uptime across every service in our infrastructure. We use this data to continually improve our availability and service quality. We also employ an Incident Response team to manage threats to availability. We routinely conduct Disaster Recovery & Incident Response planning to prepare for any potential issues that could arise.
- Data Security & Integrity: Communication protocols are encrypted using TLS over public networks. Data at rest is encrypted using a minimum of AES-256.
- Auditing & Compliance: We hold the SOC 2 Type 2 certification, which was conducted and attested to by a third-party auditing firm. We adhere to the U.S. – E.U. Privacy Shield framework. We regularly conduct internal testing on a variety of critical application and network processes to look for vulnerabilities and find opportunities to improve our operations.
- SOC 2 Type 2: Available for current and potential customers upon request. For more information please contact your Account Executive.
- E.U. – U.S. and Swiss-U.S. Privacy Shield: BombBomb complies with the EU-US Privacy Shield framework. For more information about our Privacy Shield certification, please visit: Privacy Shield. For more information on our privacy practices: https://bombbomb.com/privacy/, or email us at email@example.com
Reporting Suspected Vulnerabilities and Fraudulent Activity
If you are a security researcher and have identified a potential vulnerability, we would appreciate your help in disclosing it to us in a private manner so that we can keep our application and customers safe. When developing and testing the vulnerability, please do not:
- Disclose vulnerabilities publicly before they have been removed
- DoS/DDoS or create service stability issues
- Use the vulnerability to obtain PII or other sensitive information
- Engage in social engineering, phishing or similar methods against BombBomb employees or customers
If you follow these rules, we won’t suspend or terminate your service access to BombBomb for discovering and reporting any vulnerabilities.
- If you would like to report a vulnerability, or if you have a related security concern with your account, please email firstname.lastname@example.org.
- If you suspect that another BombBomb account is being used for suspicious, fraudulent, spam or other related illegal activity, you can report it to the Abuse Team at email@example.com.
So that we may more effectively respond to your report, please provide any supporting material (steps to reproduce, proof-of-concept code, videos/screenshots, etc.) that would be useful in helping us understand the nature and severity of the vulnerability.
The information you disclose to BombBomb will be maintained as confidential. The BombBomb Security and Abuse teams will review the submitted report and assign it to an analyst for review. Our Security team will be in contact once the vulnerability has been classified, and BombBomb will address any critical vulnerabilities in a timely manner.