We take security seriously
BlueConic is committed to providing a highly secure and reliable customer data platform. We maintain the confidentiality, integrity, and availability of our customers' data using best-in-class security tools, technologies, practices, and procedures that follow industry standards and frameworks, including CIS and NIST.
We’re committed to security, availability, and confidentiality
BlueConic has completed a SOC 2 Type 2 audit for the Security, Availability, and Confidentiality Trust Services Criteria (see our announcement here). The SOC 2 Type 2 report provides assurance that BlueConic has designed and implemented effective controls to protect our customers’ interest and data as defined in the SOC 2 standards set by the American Institute of Certified Public Accountants (AICPA). A copy of our SOC 2 Type 2 report is available for customers upon request. Please contact your sales representative or account team.
Our measures ensure security, availability, and confidentiality.
We have put a number of measures in place to offer assurance in the use of BlueConic and the protection of the data.
The BlueConic user interface is only accessible over HTTPS. Traffic over HTTPS is encrypted and protected from interception by unauthorized third parties. BlueConic follows current best practices for security, including the use of industry-standard TLS 1.2 and 1.3 encryption algorithms with a key length of at least 128 bits.
BlueConic also uses secure protocols for communication with third-party systems: usually HTTPS, but other protocols such as SFTP are also supported.
BlueConic uses a multi-tier architecture that segregates internal application systems from the public Internet. Public traffic to the platform passes through a load balancer and is then routed to interior systems running on private subnets. All network access, both within the datacenter and between the datacenter and outside services, is restricted by firewall and routing rules.
Users log in to BlueConic using a combination of username, password, and multi-factor authentication. Password length, complexity, and expiration standards are enforced. Passwords are stored as a secure, salted hash.
BlueConic supports integration with third-party SAML-compliant Single Sign-On (SSO) systems. This allows an enterprise to manage access to BlueConic as well as other enterprise applications and apply custom authentication schemes and policies.
User-supplied credentials for connection to remote systems are encrypted using a 256-bit key, and automatic session logout is supported after a period of time.
BlueConic has a comprehensive software development lifecycle process that incorporates security and privacy considerations. Design and code reviews, as well as unit and integration testing, are part of the process.
Development staff receive regular training on Secure Coding Practices, including avoidance of the OWASP Top Ten Web application vulnerabilities.
Security tooling is integrated in the software development lifecycle for Static Application Security Testing, Software Composition Analysis, and Dynamic Application Security Testing.
BlueConic also engages a qualified third party to conduct regular platform level vulnerability and penetration testing. The results are analyzed and vulnerabilities are addressed based on risk and severity.
Customers can perform penetration tests with advance permission. Guidelines for penetration testing are available on the support website.
Customer data on the BlueConic platform including backups is encrypted at rest using a strong encryption algorithm (AES-256).
BlueConic is designed to offer high availability and resilience to service disruption. Technical measures used to ensure high availability include: running BlueConic services in redundant clusters and utilizing multiple redundant cloud Availability Zones. Current system status and recent uptime statistics are continuously available at status.blueconic.com.
BlueConic has implemented a Business Continuity and Disaster Recovery program with frequent tests on the measures in place.
BlueConic has deployed a variety of security and monitoring tools for its production systems. There is 24x7 monitoring of the security status of its systems and automated alerts are configured for security, availability, and performance issues.
While we don't anticipate there being a breach of our systems, BlueConic has put a Security Incident Response Plan in place, which details roles, responsibilities, and procedures in case of an actual or suspected security incident.
All employees are subject to background checks that cover education, employment, and criminal history, to the extent permitted by local law. Employment at BlueConic requires written acknowledgement by employees of their roles and responsibilities with respect to protecting user data and privacy.
BlueConic applies the principle of least privilege for access. All access and authorization rights are reviewed regularly. Access or authorization rights will be withdrawn or modified, as appropriate, promptly upon termination or change of role.
BlueConic also maintains an information security training program that is mandatory for all employees.
BlueConic welcomes reports of vulnerabilities or other security issues. Reports can be submitted to firstname.lastname@example.org. Vulnerability reports will be acknowledged and reporters kept apprised of their report’s status.