Trust Center

Privacy

BlueConic has a TRUSTe Verified Privacy Seal and a TRUSTe Verified International Privacy Seal demonstrating that our privacy policies and practices meet the TRUSTe Verified Privacy and TRUSTe Verified International Privacy Assessment Criteria.

Verified International Privacy

Verified Privacy

Hosting Environment and Physical Security

BlueConic is hosted on public cloud infrastructure from Amazon Web Services (AWS). Amazon maintain high standards of security for their data centers and its services. Further information about AWS security can be found here: aws.amazon.com/security.

Network Security

The BlueConic user interface is only accessible over HTTPS. Traffic over HTTPS is encrypted and protected from interception by unauthorized third parties. BlueConic follows current best practices for security, including the use of industry standard TLS 1.2 and 1.3 encryption algorithms with a key length of at least 128 bits.

BlueConic also uses secure protocols for communication with third-party systems: usually HTTPS, but other protocols such as SFTP are also supported.

BlueConic uses a multi-tier architecture that segregates internal application systems from the public Internet. Public traffic to the platform passes through a load balancer and is then routed to interior systems running on private subnets. All network access, both within the datacenter and between the datacenter and outside services, is restricted by firewall and routing rules.

Authentication

Users log in to BlueConic using a combination of username, password, and multi-factor authentication. Password length, complexity, and expiration standards are enforced. For passwords, a secure and salted hash of the password is stored.

BlueConic supports integration with third-party SAML-compliant Single Sign-On (SSO) systems. This allows an enterprise to manage access to BlueConic as well as other enterprise applications and apply custom authentication schemes and policies.

User-supplied credentials for connection to remote systems are encrypted using a 256-bit key, and automatic session logout is supported after a period of time.

Application Development and Testing

BlueConic has a comprehensive software development lifecycle process that incorporates security and privacy considerations. Design and code reviews, as well as unit and integration testing, are part of the process.

Development staff receive regular training on Secure Coding Practices, including avoidance of the OWASP Top Ten Web application vulnerabilities.

Vulnerability and Penetration Testing

Security tooling is integrated in the software development lifecycle for Static Application Security Testing, Software Composition Analysis, and Dynamic Application Security Testing.

BlueConic also engages a qualified third party to conduct regular platform level vulnerability and penetration testing. The results are analyzed and vulnerabilities are addressed based on risk and severity.

Customers can perform penetration tests with advance permission. Guidelines for penetration testing are available on the support website.

Data At-Rest Protection

Customer data on the BlueConic platform including backups is encrypted at rest using a strong encryption algorithm (AES-256).

High Availability

BlueConic is designed to offer high availability and resilience to service disruption. Technical measures used to ensure high availability include: running BlueConic services in redundant clusters and utilizing multiple redundant cloud Availability Zones. Current system status and recent uptime statistics are continuously available at status.blueconic.com.

BlueConic has implemented a Business Continuity and Disaster Recovery program with frequent tests on the measures in place.

Incident Response

BlueConic has deployed a variety of security and monitoring tools for its production systems. There is 24x7 monitoring of the security status of its systems and automated alerts are configured for security, availability, and performance issues.

While we don't anticipate there being a breach of our systems, BlueConic has put a Security Incident Response Plan in place, which details roles, responsibilities, and procedures in case of an actual or suspected security incident.

Our Organization

All employees are subject to background checks that cover education, employment, and criminal history, to the extent permitted by local law. Employment at BlueConic requires written acknowledgement by employees of their roles and responsibilities with respect to protecting user data and privacy.

BlueConic applies to the principle of least privilege for access. All access and authorization rights are reviewed regularly. Access or authorization rights will be withdrawn or modified, as appropriate, promptly upon termination or change of role.

BlueConic also maintains an information security training program that is mandatory for all employees.

Vulnerability Disclosure

BlueConic welcomes reports of vulnerabilities or other security issues. Reports can be submitted to security@blueconic.com. Vulnerability reports will be acknowledged and reporters kept apprised of their report’s status.

We take security seriously

We’re committed to security, availability, and confidentiality

‍Our measures ensure security, availability, and confidentiality.

Ready to grow?