Security at Bloomreach

Ensure stability by enabling your team to create, send, test, and analyze campaigns, all within the same user-friendly platform.

Think Outside the Search Box

We create a strong security culture here at Bloomreach, as each and every employee is an essential part of our defense against potential breaches.

This culture is present at all stages, including the hiring process, employee on‑boarding, and ongoing training and company events. All new employees are required to agree to our NDA and go through OWASP training. This shows our commitment to keeping the data of our customers secure.

The developers in the IT segment receive instructions on topics like best coding and development practices, the principle of least privilege when granting access rights, etc. The IT department also attends technical presentations on security‑related topics, and receives regular updates on the newest issues from the Cybersecurity space in our security channel.

Bloomreach has valid certifications to show how seriously we take the topics of security and compliance. We currently have the following certifications:

ISO 9001
ISO 27001
ISO 27017
ISO 27018
ISO 22301
GDPR certification
SOC 2 (Type 1) Report (Provided upon request)

Security Management

Endpoint Security

We ensure all of our endpoint devices are protected according to our Endpoint Security Policy. This includes disc encryption, malware protection, guest access disabled, firewall, and regularly updated operating systems. In addition, we perform regular checks to make sure that we maintain this high level of security.

Vulnerability Management

Bloomreach has a vulnerability management policy that includes processes such as regular web scans and scans for potential threats. Once a vulnerability requiring our attention has been identified, it is tracked and assigned for resolution.

Quality Assurance

It is vital for us to properly test all new features before implementing them so that we make sure no unexpected vulnerabilities are introduced to the application. The QA team guarantees that all new additions to our application are bug‑free prior to release. They also test private instances for our fresh clients just before they get into the hands of our Client Services team.


Our security monitoring is performed on information collected from internal network traffic and the knowledge of our vulnerabilities. Internal traffic is checked for any suspicious behavior. Network analysis and examination of system logs in order to identify unusual behavior are a vital part of monitoring. We place search alerts on public data repositories to look for security incidents and analyze system logs.

Incident Management

Bloomreach has well‑defined incident management processes for security events that may affect the confidentiality, integrity, or availability of our clients' resources or data. If an incident occurs, the security team identifies it, reports it, assigns it, and gives it a resolution priority based on its urgency. Events that directly impact our customers are always assigned the highest priority and shortest resolution time. This process involves plans of action, procedures for identification, escalation, mitigation, and reporting.


To ensure our Security Management is transparent and the details are shared with those who need to see it the most, we also hold a SOC 2 Report. This report can be provided on request under an NDA and gives an overview of Bloomreach’s technical and organizational security measures.

Protecting Our Clients' Data

Whenever we store data in the cloud, there are several layers of encryption. By default, data is encrypted both at rest and in transit. Additional security controls are implemented depending on the requirements of our customers.

Without any further implementations, our cloud providers encrypt and authenticate all data in transit at one or more network layers when data moves outside physical boundaries not controlled by or on behalf of the cloud provider. Google and Amazon use the Advanced Encryption Standard (AES) algorithm to encrypt data at rest. Transport Layer Security (TLS) is used to encrypt data in transit for transport security.

Bloomreach supports our customers in finding the best ways to be compliant with the GDPR. The engagement pillar works in such a way that the clients have complete control of consent management (they set a purpose for processing), data subject rights management (they can download all customer data, anonymize a customer, or delete a customer).

Bloomreach has access management that enables the users to select specific data types as PII and then set/revoke permission to see PII per user. For every event, it is possible to manage its retention and set expiration separately. In addition, data API enables the clients to integrate their systems to enable fast execution of data subjects requests.