This is an important question and, of course, the answer is YES.
From owning, storing, transferring, accessing, backing up, monitoring, to testing & reviewing our security procedures, every aspect is covered to meet industry best practice standards and is legally compliant. Your security questions answered:
IS MY DATA SECURED?
WHO OWNS OUR DATA?
WHERE AND HOW IS OUR DATA STORED?
All your data is stored using Amazon Web Services (AWS), one of the world’s leading cloud-based services. AWS is used by millions of businesses from Airbnb, to Capital One and Netflix.
The data is stored in Ireland and Germany, allowing you to meet European regulations as no data is transferred outside the EU and is physically secured by trained and audited Security staff around the clock, 365 days a year (see Amazon whitepaper on security).
Sensitive data is encrypted, using an individual per-customer AES 256 based encryption key.
IS THE TRANSFER OF MY DATA SECURE?
Your data is transferred with high-grade TLS 1.2 (https) technology. This is industry standard technology, used by everybody from Google to the big banks.
We limit the duration of Bob sessions and will automatically log you out of bob after a certain time, and we only use secure cookies (which don’t store any personal information locally).
WHO CAN ACCESS MY DATA?
We should look at 3 types of parties that can get access to your data:
You and your staff – your staff will have access to the data, using a password and per data access credentials that you will provide them. You can control who can views, edits, uploads and downloads any information or document based on his/her role credentials.
Our staff – a small number of periodically trained authorized Bob personnel as defined in our security policy can gain access to your data. Any bob team member doing so will be performing specific (audited) tasks on your request via our support desk. Access to all sensitive data requires two-factor authentication by these personnel.
In some cases, based on your consent, data will be provided, per your request, to 3rd party service providers for specific business purposes (e.g. getting a quote for services).
IS MY DATA BACKED UP?
Our data centers back up your data at least once a day and your data is fully restorable within a reasonable time in the unlikely event of a problem. However, we recommend that you have a backup of your data that is updated on a periodic basis since we are not a backup service. We offer such ability through our scheduled reports.
HOW DO YOU MONITOR ACTIVITY IN BOB?
We keep an audit log of all activity on system data, and in each User Card you will be able to see a log of all changes that have ever been made to that card. Viewing log changes can be viewed based on the viewer credential rights.
HOW DO YOU TEST AND REVIEW YOUR SECURITY SO THAT IT IS ALWAYS UP TO SCRATCH?
Hi Bob is ISO 27001:2013, ISO 27018:2014 and SOC2 Type 2 certified, and intends to maintain these certifications, as well as follow other security and privacy certifications according to business needs and legal requirements. As part of those certification requirements, we maintain Security Policy that defines the security tasks that we should perform periodically. Our site and API undergoes independent, ongoing third-party penetration testing, security scans, threat detection and black box assessment.
SOME QUESTIONS YOUR IT DEPARTMENT MAY ASK
IF YOU’RE HOSTING MULTIPLE TENANTS WITHIN YOUR CLOUD INFRASTRUCTURE, WHAT SECURITY MEASURES PREVENT ONE CUSTOMER ACCESSING ANOTHER CUSTOMER’S DATA? IS OUR DATA SEGREGATED FROM OTHER CUSTOMERS?
Each piece of data stored is associated with a tenant ID. All access to data is enforced to use a tenant ID key. Data is logically divided. If the information is stored on disk then every client has its own folder, if data is stored on a database then access to the data is strictly enforced to use the tenant identifier so there is no leakage between clients.Sensitive data is encrypted using a unique encryption key per tenant.
WHAT OTHER SECURITY MEASURES DO YOU HAVE IN PLACE?
- Information security certifications – ISO 27001:2018 and SOC 2 Type 2.
- Data Privacy certifications – ISO 27018:2014.
- Code Reviews – every change before uploaded to production undergoes a review and needs to be approved. Changes are reviewed with security in mind.
- Passwords – we require a strong password to connect to the application. Passwords are never stored in clear text and are always hashed and salted.
- Versioning – We have an automated system that ensures that the available system for our users is up to date.
- High availability – our system was designed to enable high availability; in any case of failure we can update our customers on real-time basis.
- Third party penetration tests – we have periodic third-party security experts testing our system for known vulnerabilities.