From ownership, storage, transfer, access, backup and monitoring to the testing and review of our security procedures, every aspect is covered to meet industry best-practice standards and is legally compliant. Your security questions answered:
All your data is stored using Amazon Web Services (AWS), one of the world's leading cloud-based services. AWS is used by millions of businesses, from Airbnb to Capital One and Netflix.
The data is stored in Ireland and Germany, allowing you to meet European regulations as no data is transferred outside the EU, and it is physically secured by trained and audited security staff around the clock, 365 days a year (see the Amazon whitepaper on security).
Sensitive data is encrypted using an individual, per-customer AES-256 based encryption key.
Your data is transferred with high-grade TLS 1.2 (HTTPS) technology. This is industry-standard technology, used by everybody from Google to the big banks.
We limit the duration of Bob sessions and will automatically log you out of Bob after a certain time, and we only use secure cookies (which don't store any personal information locally).
Three types of parties can gain access to your data:
You and your staff – your staff will have access to the data using a password and the per-data access credentials that you provide them. You can control who can view, edit, upload and download any information or document, based on his/her role credentials.
Our staff – a small number of periodically trained, authorized Bob personnel, as defined in our security policy, can gain access to your data. Any Bob team member doing so will be performing specific (audited) tasks at your request via our support desk. Access to all sensitive data requires two-factor authentication by these personnel.
In some cases, based on your consent, data will be provided, per your request, to third-party service providers for specific business purposes (e.g. getting a quote for services).
Our data centers back up your data at least once a day, and your data is fully restorable within a reasonable time in the unlikely event of a problem. However, we recommend that you keep your own backup of your data, updated on a periodic basis, since we are not a backup service. We offer this capability through our scheduled reports.
We keep an audit log of all activity on system data, and in each User Card you will be able to see a log of all changes that have ever been made to that card. Access to the change log depends on the viewer's credential rights.
Hi Bob is ISO 27001:2013, ISO 27018:2014 and SOC 2 Type 2 certified, and intends to maintain these certifications, as well as to follow other security and privacy certifications according to business needs and legal requirements. As part of those certification requirements, we maintain a Security Policy that defines the security tasks we must perform periodically. Our site and API undergo independent, ongoing third-party penetration testing, security scans, threat detection and black-box assessment.
IF YOU’RE HOSTING MULTIPLE TENANTS WITHIN YOUR CLOUD INFRASTRUCTURE, WHAT SECURITY MEASURES PREVENT ONE CUSTOMER ACCESSING ANOTHER CUSTOMER’S DATA? IS OUR DATA SEGREGATED FROM OTHER CUSTOMERS?
Each piece of data stored is associated with a tenant ID. All access to data is enforced to use a tenant ID key. Data is logically divided: if the information is stored on disk, then every client has its own folder; if data is stored in a database, then access to the data is strictly enforced to use the tenant identifier, so there is no leakage between clients. Sensitive data is encrypted using a unique encryption key per tenant.
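The segregation scheme just described (a per-tenant "folder" of records, every read and write keyed by the tenant ID, and a unique AES-256 key per tenant), sketched as an added Go example. This is not HiBob's own code; the function names, the in-memory maps and the tenant and record identifiers used in the test are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Added illustration, not HiBob's code: a per-tenant folder of rows plus a per-tenant AES-256-GCM key.
var tenantKeys = map[string]cipher.AEAD{}        // tenant ID -> AEAD under that tenant's own key
var tenantRows = map[string]map[string][]byte{} // tenant ID -> record ID -> nonce||ciphertext
// mustRandom draws n bytes from the CSPRNG; a failing CSPRNG is not something to work around.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// AddTenant mints an individual random key (32 bytes selects AES-256) and an empty folder.
func AddTenant(tenant string) error {
	block, err := aes.NewCipher(mustRandom(32))
	if err != nil {
		return err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	tenantKeys[tenant], tenantRows[tenant] = g, map[string][]byte{}
	return nil
}
// Put seals under the tenant's key, binding tenant and record ID as authenticated data.
func Put(tenant, id string, plaintext []byte) error {
	g, ok := tenantKeys[tenant]
	if !ok {
		return errors.New("unknown tenant")
	}
	nonce := mustRandom(g.NonceSize())
	tenantRows[tenant][id] = g.Seal(nonce, nonce, plaintext, []byte(tenant+"/"+id))
	return nil
}
// Get looks only inside the caller's own folder, so another tenant's record is absent.
func Get(tenant, id string) ([]byte, error) {
	g, ct := tenantKeys[tenant], tenantRows[tenant][id] // unknown tenant: nil folder
	if ct == nil {
		return nil, errors.New("no such record in this tenant")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], []byte(tenant+"/"+id))
}
```

Because the tenant ID is both the lookup key and part of the GCM authenticated data, a record can neither be found nor decrypted from another tenant's context, even if its ciphertext were copied into that tenant's folder.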