Security is an essential part of our business and is embedded in everything we do. Keeping your data safe is a top priority. Security and compliance are achieved through a variety of processes and practices that we employ:
Application Security: Our application is regularly tested by staff for vulnerabilities, both with automated tools and by manual vulnerability testing. Any security threat we identify is fixed in a timely manner. Access to the application is monitored by Security staff.
Network Security: We use a variety of logging and detection systems to monitor our corporate infrastructure. Our Security team is on call 24 hours per day to respond to network and security alerts. Our network is also regularly tested by staff for vulnerabilities. Any threats are remediated and patched in a timely manner.
Physical Security: Our application is hosted in U.S.-based data centers that hold the following compliance certifications: ISO 27001, PCI DSS, SOC 2, SOC 3. All access to these data centers is tightly controlled and monitored 24 hours per day. All access to our corporate offices is restricted to authorized users only. Access to our facility is also monitored by security staff 24 hours per day.
Availability: We monitor uptime across every service in our infrastructure. We use this data to continually improve our availability and service quality. We also employ an Incident Response Plan to manage threats to availability. We routinely conduct Disaster Recovery planning to prepare for any potential issues that could arise.
Data Security & Integrity: Communications over public networks are encrypted using TLS. Data at rest is encrypted using a minimum of AES-256.
Auditing & Compliance: We hold a SOC 2 Type I report, conducted and attested to by a third-party auditing firm. We adhere to the U.S.–E.U. Privacy Shield and U.S.–Swiss Safe Harbor programs. We regularly conduct internal testing on a variety of critical application and network processes to look for vulnerabilities and find opportunities to improve our operations.
SOC 2 Type I report: This is available to current and potential customers upon request, provided an NDA has been signed.
Reporting Suspected Vulnerabilities and Fraudulent Activity
If you are a security researcher and have identified a potential vulnerability, we would appreciate your help in disclosing it to us in a private manner so that we can keep our application and customers safe.
When investigating and testing a vulnerability, please do not:
Disclose vulnerabilities publicly before they have been fixed
Perform DoS/DDoS attacks or otherwise create service stability issues
Use the vulnerability to obtain PII or other sensitive information
Engage in social engineering, phishing or similar methods against BombBomb employees or customers
If you follow these rules, we won’t suspend or terminate your access to the BombBomb service for discovering and reporting any vulnerabilities.
If you would like to report a vulnerability, or if you have a related security concern with your account, please email firstname.lastname@example.org.
If you suspect that another BombBomb account is being used for suspicious, fraudulent, spam or other related illegal activity, you can report it to the Abuse Team at email@example.com.
So that we may more effectively respond to your report, please provide any supporting material (steps to reproduce, proof-of-concept code, videos/screenshots, etc.) that would be useful in helping us understand the nature and severity of the vulnerability.
The information you disclose to BombBomb will be kept confidential. The BombBomb Security and Abuse teams will review the submitted report and assign it to an analyst. Our Security team will be in contact once the vulnerability has been classified, and BombBomb will address any critical vulnerabilities in a timely manner.