BIMobject Cloud - Current Security Statement ("Security Statement")
User Security
Authentication: User data on our database is logically segregated by account-based access rules. BIMobject issues a session cookie only to record encrypted authentication information for the duration of a specific session. The session cookie does not include the password of the user.
Passwords: User application passwords have minimum complexity requirements. Passwords are individually salted and hashed.
Single Sign-On: For our Team Collaboration accounts, BIMobject supports SAML 2.0 integration, which allows you to control access to BIMobject across your organization and define authentication policies for increased security.
Data Encryption: Certain sensitive user data, such as account passwords, are stored in encrypted format.
Data Portability: BIMobject enables you to export your data from our system in a variety of formats so that you can back it up or use it with other applications.
Data Residency: All BIMobject user data and the BIMobject platform, is stored on servers located within the European Union (EU).
Physical Security
All BIMobject information systems and infrastructure are hosted in world-class data centres. These data centres include all the necessary physical security controls you would expect in a data centre in 2019, (e.g., 24×7 monitoring, cameras, visitor logs, entry requirements). In addition, these data centres are SOC 1, 2 and 3 accredited. For more information, visit here
Availability
Connectivity: Fully redundant IP network connections with multiple independent connections to a range of Tier 1 Internet access providers.
Power: Servers have redundant internal and external power supplies. Data centres have backup power supplies and are able to draw power from the multiple substations on the grid, several diesel generators, and backup batteries.
Uptime: Continuous uptime monitoring, with immediate escalation to BIMobject staff for any downtime.
Failover: Our database is replicated in real-time and can failover in less than an hour.
Backup Frequency: Backups occur daily at multiple geographically disparate sites.
Network Security
-
Testing: System functionality and design changes are verified in an isolated test "sandbox" environment and subject to functional and security testing prior to deployment to active production systems.
-
Firewalls: Firewalls restrict access to all ports except 80 (http) and 443 (https).
-
Access Control: Secure VPN, 2FA (two-factor authentication), and role-based access is enforced for systems management by authorized engineering staff.
-
Encryption in Transit: By default, our survey collectors have Transport Layer Security (TLS) enabled to encrypt respondent traffic. All other communications with the bimobject.com website are sent over TLS connections, which protects communications by using both server authentication and data encryption. This ensures that user data in transit is safe, secure, and available only to intended recipients.
Vulnerability Management
-
Patching: Latest security patches are applied to all operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities.
-
Third Party Scans: Our environments are continuously scanned using best of breed security tools. These tools are configured to perform application and network vulnerability assessments, which test for patch status and basic misconfigurations of systems and sites.
-
Penetration Testing: External organizations perform penetration tests at least annually.
-
Bug Bounty: We take the security of our platforms very seriously.
Organizational & Administrative Security
-
Information Security Policies: We maintain internal information security policies, including incident response plans, and regularly review and update them.
-
Training: We provide security and technology use training for employees.
-
Service Providers: We screen our service providers and bind them under contract to appropriate confidentiality and security obligations if they deal with any user data.
-
Access: Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis.
-
Audit Logging: We maintain and monitor audit logs on our services and systems.
-
We have educated our staff about the requirements and impact of the General Data Protection Regulation (the "GDPR").
Software Development Practices
-
Stack: We code in .net and run on SQL Server on Windows.
-
Coding Practices: Our engineers use best practices and industry-standard secure coding guidelines which align with the OWASP Top 10.
-
Deployment: We deploy code dozens of times during the week, giving us the ability to react quickly in the event a bug or vulnerability is discovered within our code.
Compliance and Certifications
-
HIPAA: BIMobject offers enhanced security features that support HIPAA requirements.
Handling of Security Breaches
Despite our best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. Though we take all measures we see as necessary, we cannot guarantee absolute security. In the event of a security breach, we will where appropriate, notify our affected users and, where required, the data protection authority.
We have a well-developed internal response procedure which aims to minimise negative impact and respond in the appropriate way. Our breach notification procedures are consistent with our obligations under the data protection laws applicable to us including the GDPR and in particular Article 33 and Article 34 thereof.
Response actions can vary depending on the nature of the compromise but may include providing email notices or posting a notice on our website if a breach occurs.
Changes to this Security Statement
We reserve the right to update or make changes to this Security Statement at any time.