We’re committed to having experienced engineers behind our technology and product. We make sure that the team that builds, maintains, operates and oversees the system has the right qualifications and follows our standards.
We are very strict about hiring the right people. In addition, every employee and contractor is subject to our background checks.
Once new team members join, they must learn Bambú's security policies and go through security awareness training sessions, covering topics from writing safe code to handling data, security and customer privacy.
Bambú's servers, databases and artifacts are securely hosted on Amazon AWS in Europe.
AWS certifies its physical security with comprehensive compliance and controls, including allowing physical access only to personnel with a validated business need, logged and monitored access, electronic surveillance and professional security personnel at all data center entry points. AWS is accredited against multiple security industry certifications, including ISO 27001. More details are available from the AWS website.
Each and every connection made to Bambú is end-to-end encrypted over HTTPS, using TLS 1.2.
Bambú forces HTTPS for all services, including our public website. Our customers' data is stored in containers encrypted with AES-256 (the Advanced Encryption Standard with a 256-bit key).
These are some of our key practices in security.
Our team members, employees and contractors access our systems through our role-based permission system. Each user has unique credentials (username and password). We deny by default and add privileges only to those who require access.
Our staff uses multi-factor authentication to access our systems.
We put a strong focus on our change management practices. Source code is reviewed by peers and managers, and automated alerts are sent when code is pushed to any branch in our repositories. Our infrastructure as code lets us track any change to our production systems with full accountability, and production releases require pull requests and sign-off by technical managers.
We use Continuous Integration tools to run automated tests and deploy to our pre-production environments. In addition to our automated tests, our team runs additional manual tests to make sure that everything is working properly. Once our code is approved, a senior member of our team releases it to production through automated systems that support rolling deploys and rollbacks.
We monitor every release and keep a log of our releases, scope and risks.
Bambú's systems are built on top of Amazon Web Services (AWS).
We take advantage of AWS security services for our network and applications; those services provide us with vulnerability scanning, monitoring, alerting, configuration management and intrusion detection. We log application usage and exceptions, and we also track application runtime errors and alerts.
We use firewalls and have enabled mechanisms to protect our platform against activity such as DDoS attacks, malicious bots and other nefarious intrusions.
RockaLabs LLC uses AWS and other tools to scan for network vulnerabilities. We check daily for published security notices and required patches. We use release planning and change management.
Any security issue is of high priority for us. In compliance with GDPR and other regulations, we will inform all customers affected by an incident as soon as possible, and no later than 72 hours after it.
Automatic backups are part of our practices and are built into our different services. Our data is backed up and stored encrypted. Our runtime servers are redundant, so that if a server fails, another can take over its work automatically and instantaneously. We have a disaster recovery program.
We work with third-party providers that comply with our security standards, and they are evaluated regularly. Whenever we consider working with a vendor, we make sure that their security is as good as or better than our own.
Every Bambú account and user is the owner of its data. They have control to secure it, change their passwords and delete the account. No customer or user keys or passwords are stored in the clear.
Our software development process requires developers to work in sandboxed test environments that use their own test data. It is never possible to use production keys or data for local tests. At RockaLabs LLC we take code reviews very seriously in order to check changes and guarantee our application security. Every feature and release requires pull requests that are reviewed and approved by senior staff.
We can share more information about our practices and policies under NDA.