This is an important question and, of course, the answer is YES.
From owning, storing, transferring, accessing, backing up, monitoring, to testing & reviewing our security procedures, every aspect is covered to industry best practice standards and is legally compliant. Your security questions answered:
IS MY DATA SECURED?
WHO OWNS OUR DATA?
WHERE AND HOW IS OUR DATA STORED?
All your data is stored using Amazon Web Services (AWS), one of the world’s leading cloud-based services. AWS is used by millions of businesses, from Airbnb to Capital One and Netflix.
The data is stored in Ireland, which allows you to meet European regulations because no data is transferred outside the EU. It is physically secured by trained and audited security staff around the clock, 365 days a year (see Amazon whitepaper on security).
IS THE TRANSFER OF MY DATA SECURE?
Your data is transferred with high-grade TLS 1.2 (HTTPS) technology. This is industry-standard technology, used by everybody from Google to the big banks.
We limit the duration of Bob sessions and will automatically log you out of Bob after a certain time, and we only use secure cookies (which don’t store any personal information locally).
WHO CAN ACCESS MY DATA?
We should look at 3 types of parties that can get access to your data:
- You and your staff – your staff will have access to the data, using a password and per-data access credentials that you provide to them. You can control who can view, edit, upload and download any information or document based on their role credentials.
- Our staff – a small number of authorized Bob personnel, as defined in our security policy, can access your data. Any Bob team member doing so will be performing specific (audited) tasks on your request via our support desk. Access to all sensitive data requires two-factor authentication by these personnel.
- In some cases, based on your consent, data will be provided to 3rd party service providers for specific business purposes (e.g. getting a quote for services).
IS MY DATA BACKED UP?
Our data centers back up your data multiple times a day, and your data is fully restorable within a reasonable time in the unlikely event of a problem. However, we recommend that you keep your own backup of your data and update it on a periodic basis, since we are not a backup service. We offer this ability through our scheduled reports.
HOW DO YOU MONITOR ACTIVITY IN BOB?
We keep an audit log of all activity on system data, and in each User Card you will be able to see a log of all changes that have ever been made to that card. Log changes can be viewed according to the viewer's credential rights.
HOW DO YOU TEST AND REVIEW YOUR SECURITY SO THAT IT IS ALWAYS UP TO SCRATCH?
We maintain a Security Policy that defines the security tasks that we should perform periodically. Our site and API undergo independent, ongoing third-party penetration testing, security scans, threat detection and black box assessment.
SOME QUESTIONS YOUR IT DEPARTMENT MAY ASK
IF YOU’RE HOSTING MULTIPLE TENANTS WITHIN YOUR CLOUD INFRASTRUCTURE, WHAT SECURITY MEASURES PREVENT ONE CUSTOMER ACCESSING ANOTHER CUSTOMER’S DATA? IS OUR DATA SEGREGATED FROM OTHER CUSTOMERS?
Each piece of data stored is associated with a tenant ID. All access to data is enforced to use a tenant ID key. Data is logically divided. If the information is stored on disk, then every client has its own folder; if data is stored in a database, then access to the data is strictly enforced to use the tenant identifier, so there is no leakage between clients.
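An illustration of the tenant-ID enforcement described above, added here as an example and not Bob's own code. The `documents` table, the `TenantStore` class, the tenant names and the `/srv/data` root are all assumptions made for the sketch.

```python
import sqlite3
from pathlib import Path

class TenantStore:
    """Data access bound to one tenant; callers cannot issue unscoped reads."""

    def __init__(self, db, root, tenant_id):
        if not tenant_id.isalnum():          # the tenant ID becomes a folder name
            raise ValueError("invalid tenant id")
        self._db, self._tenant = db, tenant_id
        self._dir = (Path(root) / tenant_id).resolve()

    def add_document(self, name, body):
        self._db.execute(
            "INSERT INTO documents (tenant_id, name, body) VALUES (?, ?, ?)",
            (self._tenant, name, body))

    def get_document(self, doc_id):
        # The tenant predicate is added here, never supplied by the caller,
        # so guessing another tenant's row id returns nothing.
        row = self._db.execute(
            "SELECT name, body FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, self._tenant)).fetchone()
        if row is None:
            raise LookupError("no such document for this tenant")
        return row

    def file_path(self, relative_name):
        # Resolve first, then require the result to stay in the tenant folder.
        path = (self._dir / relative_name).resolve()
        if not path.is_relative_to(self._dir):
            raise PermissionError("path escapes tenant folder")
        return path

def build_demo():
    """Two hypothetical tenants sharing one database and one storage root."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, "
               "tenant_id TEXT NOT NULL, name TEXT, body TEXT)")
    acme = TenantStore(db, "/srv/data", "acme")
    globex = TenantStore(db, "/srv/data", "globex")
    acme.add_document("payroll.csv", "constructed sample A")    # row id 1
    globex.add_document("reviews.csv", "constructed sample B")  # row id 2
    return acme, globex
```

When reviewing a multi-tenant design, the useful check is that no query or file open exists outside a wrapper of this kind.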
WHAT OTHER SECURITY MEASURES DO YOU HAVE IN PLACE?
- Code Reviews – every change undergoes a review and must be approved before it is uploaded to production. Changes are reviewed with security in mind.
- Passwords – we require a strong password to connect to the application. Passwords are never stored in clear text and are always hashed and salted.
- Versioning – we have an automated system that ensures and monitors that the system available to our users is up to date.
- High availability – our system was designed to enable high availability; in any case of failure we can update our customers in real time.
- Third party penetration tests – third-party security experts periodically test our system for known vulnerabilities.
Last Revised: 22/11/2016