Bedrock Data manages a secure and scalable technology stack that is continuously monitored and patched to stay ahead of digital threats. Below is a summary of our policies and practices as they relate to compliance, privacy, and security.
Traffic between customers and Bedrock Data is encrypted in transit using only the most secure TLS protocol versions and cipher suites, with 2048-bit encryption keys.
Bedrock Data’s software services are automatically monitored and checked against a constantly updated database of over 20,000 vulnerabilities.
Bedrock Data uses third-party Distributed Denial of Service (DDoS) protection software to ensure DDoS attacks are easily detected and thwarted before they cause a problem.
Our application codebase is continuously and automatically tested to ensure adherence to operational targets, including data integrity and security.
Application, audit, and system logs are captured and stored permanently, allowing for detailed forensic research.
Customer data is encrypted in transit and at rest to ensure end-to-end protection with the latest standards and protocols.
Data Center Security and Certifications
Bedrock Data’s software is powered by world leaders in data center management and security. Physical access is protected by 24x7 onsite staff, as well as state-of-the-art biometric scanning and other electronic security controls.
Our infrastructure partners maintain SOC Type II and ISO 27001 certifications.
Availability & Continuity
Bedrock Data has an “availability first” approach. All infrastructure and application components are redundant, with active failover mechanisms. Critical operational data is backed up automatically, and backups are regularly tested to ensure integrity and recoverability.
Data in transit is encrypted with the most secure TLS versions and ciphers. We employ 2048-bit encryption keys at a minimum and rotate keys regularly. When connecting to third-party services on behalf of customers (e.g., to synchronize data), we ensure all API endpoints are protected by a valid SSL certificate.
Data at rest is encrypted at multiple levels, including on the physical disk and by the logical storage subsystem using AES-128 and AES-256. Keys are randomly generated and encrypted asymmetrically, stored and protected by a proprietary key management service provided by a global leader in infrastructure security.
Bedrock Data uses an industry-leading third party to process credit card transactions for customers who wish to pay by credit card. Bedrock Data does not store or possess any cardholder data relative to these transactions; this data is transmitted directly and securely to our upstream payment processor.
Bedrock Data attests to PCI-DSS SAQ-A compliance, and has been certified by Trustwave.
Bedrock Data employs active vulnerability detection, which audits every action taken on our servers as well as all data ingress and egress. Suspicious activity is automatically flagged and sent to our security operations team for investigation. Our team regularly reviews audit logs, monitoring data access patterns by internal and external actors.
Automatic virus and malware protection with top-tier, self-updating tools ensures that our network is kept free of malware, spyware, worms, and other common Internet threats.
Bedrock Data utilizes enterprise-grade security scanning tools which automatically check against a continuously updated database of over 20,000 known vulnerabilities. This allows us to stay ahead of the curve and keep our infrastructure strong, even against new attack vectors as they are discovered.
All Bedrock Data staff members receive security training and a secured computer to ensure consistent protection of shared infrastructure, such as our corporate network. Developers receive additional security training, and application code is regularly reviewed to verify adherence to those practices. Technical operations staff receive the highest level of security training; they are the only team members permitted to access production systems and, by extension, customer data.
Bedrock Data maintains a detailed incident response plan to ensure that any security events and incidents are properly diagnosed, categorized, and managed. Technical staff are regularly trained and tested in incident response procedures. Bedrock adheres to industry standard incident response practices, including involvement of local law enforcement where appropriate.
The Bedrock Data Security Committee reviews all security-related policies, procedures, and training programs to ensure adherence in the execution phase, and to ensure alignment with the latest industry standards and best practices.
Bedrock Data complies with the U.S.-E.U. and U.S.-Swiss Safe Harbor frameworks. To view the Bedrock Data certification on the Safe Harbor list or to learn more about the Safe Harbor programs, please visit http://2016.export.gov/safeharbor/.
On July 12, 2016, U.S. Secretary of Commerce Penny Pritzker joined European Union Commissioner Věra Jourová to announce the approval of the U.S.-E.U. Privacy Shield Framework, which will replace the U.S.-E.U. Safe Harbor Framework.
Bedrock Data will complete its Privacy Shield certification by September 30, 2016.