Security at Bloomreach
Ensure stability by enabling your team to create, send, test, and analyze campaigns, all within the same user-friendly platform.
Think Outside the Search Box
SOC2 Type II
Bloomreach officially earned its SOC 2 Type II Certification as of March 14, 2023, and has met the rigorous standards set by the American Institute of Certified Public Accountants (AICPA) for the company.
The SOC 2 Type II report verifies the effectiveness of our information security controls that ensure the security, availability, and confidentiality of the data in our care, and consists of an opinion letter from the auditor, management's assertion of compliance, the description of the systems being reviewed, the description of the test of controls and the results of that testing.
Our SOC2 Type II certificate can be provided upon request with proper confidentiality assurance.
We create a strong security culture here at Bloomreach, as each and every employee is an essential part of our defense against potential breaches.
This culture is present at all stages, including the hiring process, employee on‑boarding, and ongoing training and company events. All new employees are required to agree to our NDA and go through OWASP training. This shows our commitment to keeping the data of our customers secure.
The developers in the IT segment receive instructions on topics like best coding and development practices, the principle of least privilege when granting access rights, etc. The IT department also attends technical presentations on security‑related topics, and receives regular updates on the newest issues from the Cybersecurity space in our security channel.
We ensure all of our endpoint devices are protected according to our Endpoint Security Policy. This includes disc encryption, malware protection, guest access disabled, firewall, and regularly updated operating systems. In addition, we perform regular checks to make sure that we maintain this high level of security.
Bloomreach has a vulnerability management policy that includes processes such as regular web scans and scans for potential threats. Once a vulnerability requiring our attention has been identified, it is tracked and assigned for resolution.
It is vital for us to properly test all new features before implementing them so that we make sure no unexpected vulnerabilities are introduced to the application. The QA team guarantees that all new additions to our application are bug‑free prior to release. They also test private instances for our fresh clients just before they get into the hands of our Client Services team.
Our security monitoring is performed on information collected from internal network traffic and the knowledge of our vulnerabilities. Internal traffic is checked for any suspicious behavior. Network analysis and examination of system logs in order to identify unusual behavior are a vital part of monitoring. We place search alerts on public data repositories to look for security incidents and analyze system logs.
Bloomreach has well‑defined incident management processes for security events that may affect the confidentiality, integrity, or availability of our clients' resources or data. If an incident occurs, the security team identifies it, reports it, assigns it, and gives it a resolution priority based on its urgency. Events that directly impact our customers are always assigned the highest priority and shortest resolution time. This process involves plans of action, procedures for identification, escalation, mitigation, and reporting.
To ensure our Security Management is transparent and the details are shared with those who need to see it the most, we also hold a SOC 2 Report. This report can be provided on request under an NDA and gives an overview of Bloomreach’s technical and organizational security measures.
Protecting Our Clients' Data
Whenever we store data in the cloud, there are several layers of encryption. By default, data is encrypted both at rest and in transit. Additional security controls are implemented depending on the requirements of our customers.
Without any further implementations, our cloud providers encrypt and authenticate all data in transit at one or more network layers when data moves outside physical boundaries not controlled by or on behalf of the cloud provider. Google and Amazon use the Advanced Encryption Standard (AES) algorithm to encrypt data at rest. Transport Layer Security (TLS) is used to encrypt data in transit for transport security.
Bloomreach supports our customers in finding the best ways to be compliant with the GDPR. The engagement pillar works in such a way that the clients have complete control of consent management (they set a purpose for processing), data subject rights management (they can download all customer data, anonymize a customer, or delete a customer).
Bloomreach has access management that enables the users to select specific data types as PII and then set/revoke permission to see PII per user. For every event, it is possible to manage its retention and set expiration separately. In addition, data API enables the clients to integrate their systems to enable fast execution of data subjects requests.