Security

Information Security is at the heart of everything we do at BitSight.

So we’d like to explain how we store, process and secure our services. We have partnered with some of the best service providers in the world to ensure that we keep our customers’ information confidential, available and unaltered.

Last updated March 14, 2024

BitSight Security Rating

Gain full transparency into what our security practices are like—we lean on our data, analytics, and technology to keep our security performance strong. By showing you our BitSight Badge™, we demonstrate our ongoing commitment to better protecting ourselves and our third-party partners from cyber incidents. Plus, we’re giving you a front row seat to see how we maintain a high rating.

How can I report a potential security issue?

We value the efforts of security researchers who have discovered security concerns. To streamline submissions, validation, and remediation where necessary, BitSight has partnered with Bugcrowd to launch a Managed Bug Bounty program. To be invited to BitSight’s Bug Bounty, please contact us confidentially by emailing [email protected] with a high-level overview of your findings and the details of your location.

A member of our team will invite you to our Bugcrowd program so that you may submit your research; if the submission is validated as within the scope of our program, we may reward you for it.

Where is customer data hosted?

BitSight is a SaaS platform that is 100% cloud-based in Amazon Web Services. We do not operate our own physical servers, routers, load balancers, or DNS servers. All of our servers are within our own virtual private cloud (VPC), with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network. Role-based access control (RBAC) ensures that only employees who need access to customer data have it.

Hosting Facilities

BitSight products run on world-class infrastructure hosted at Amazon data centers running on Amazon Web Services (AWS) technology. Amazon data centers provide 24/7 physical security, state-of-the-art fire suppression, redundant utilities and biometric devices to ensure that our customers’ data is safe and secure. Amazon continually reviews and refines its procedures to comply with the latest security standards.

SOC 2 Type 2

BitSight has a report on Controls at a Service Organization Relevant to Security available for review. To request the report, please reach out to [email protected] for access to a self-service portal that also contains our internal policies, our most recent third-party penetration testing results, and pre-completed SIG Core and SIG Lite assessments.

This report is intended to meet the needs of a broad range of users who need detailed information and assurance about the controls at a service organization relevant to the security of the systems the service organization uses to process users’ data and to the confidentiality and privacy of the information processed by those systems. These reports can play an important role in:

  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

There are two types of reports: A type 2 report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls; and a type 1 report on management’s description of a service organization’s system and the suitability of the design of controls. Use of this report is restricted.

In addition, our SOC 3 report attesting to BitSight's commitment to meeting the rigorous industry standards established by the Trust Service Principles (TSPs) is publicly available.

Download SOC 3 Report

Privacy Regulations

BitSight is headquartered in the U.S. and all personal data is hosted in the United States. For customers with European users, or users in a jurisdiction that imposes additional data protection requirements, our standard terms of service include an integrated Data Sharing Agreement, which can be found at https://www.bitsight.com/dsa. Customers who would like to enter into a separate data protection agreement with us (including the standard contractual clauses) should send an email to [email protected].

BitSight complies with the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries, the United Kingdom, and Switzerland. Please click here for more information on our Data Privacy Framework certification.

BitSight also complies with the APEC Cross Border Privacy Rules (CBPR) System and APEC Privacy Recognition for Processors (PRP) System. The APEC CBPR and PRP systems provide a framework for organizations to ensure protection of personal information transferred among participating APEC economies. More information about the APEC framework can be found here.

BitSight is CCPA compliant.

Please see our privacy policy for more information on how we process personal data.

Network Security

We protect communications between you and our systems, and we take multiple steps to prevent eavesdropping both between you and our systems and within our infrastructure. For example, all network traffic runs over HTTPS (TLS), and internal assets are isolated using strict filtering policies that allow only the communication that is required: by default all access is denied, and only explicitly permitted traffic passes.

Security Operations

If we see something, we’ll react and remedy the issue. We’re not resting on our laurels. We’re looking for breaches and system interruptions all the time. We’ve invested in ensuring we can detect and respond to security events and incidents that impact our infrastructure. Security Operations at BitSight is responsible for ensuring that:

  • We respond to all Infosec and US-CERT alerts in an expedient fashion.
  • Incidents are responded to and communicated to all appropriate parties.
  • Corrective actions are executed.
  • Root cause analysis is performed.
  • Lessons learned are fed back to the appropriate internal teams.

System Security

We’re always updating our systems to protect your data. Our virtual systems are replaced on a regular basis with new, patched systems. System configuration and consistency are maintained using a combination of configuration management, up-to-date images and continuous deployment. Through continuous deployment, existing systems are decommissioned and replaced by up-to-date images at regular intervals.

Restricted Access

Only people who need access get access. Production system access is limited to key members of the BitSight Operations team, and password authentication is expressly forbidden. At a minimum, authentication requires two factors: asymmetric RSA public/private keys and a certificate-based multi-factor VPN connection.

Third Party Assessments

Don’t just take our word that our systems are secure. Even though BitSight services and processes are designed with security in mind, regular vulnerability tests are run to identify and remediate potential weaknesses. Periodic penetration tests and web application security assessments are conducted by expert third-party vendors to ensure our applications and services are continually scrutinized for potential risk. In addition, these tests can include static code analysis and white-box and black-box testing for vulnerabilities.

Logging

We’re watching to find misuse or occasional problems. Logging is used extensively for application troubleshooting and investigating issues. Logs are streamed in real time over secure channels to a centralized logging service. This also allows our operations and development teams to view logs without needing access to the production systems. We collect everything from application logs to AWS CloudTrail logs, which together form a complete audit trail of user and employee activity.
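
An audit trail is only useful if something reads it. As an added example (not BitSight's code), the following Python runs a few detection rules over constructed CloudTrail records of the kind a centralized logging service would receive: root-account activity, successful console logins without MFA, changes to the trail itself, and bursts of failed console logins from one source address. The sample records, the thresholds and the rule names are assumptions made for this example; the CloudTrail field names used (eventName, userIdentity.type, sourceIPAddress, additionalEventData.MFAUsed, responseElements.ConsoleLogin) are the standard ones.

```python
"""Added example, not BitSight's code: a small detection pass over AWS CloudTrail
records. Sample records and thresholds are constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, abridged CloudTrail records (RFC 5737 documentation addresses).
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventTime": "2024-03-14T09:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "e2", "eventTime": "2024-03-14T09:05:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.9",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "e3", "eventTime": "2024-03-14T09:10:00Z", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.9"},
    {"eventID": "e4", "eventTime": "2024-03-14T09:20:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "203.0.113.9"},
    # Three failed console logins from one address within ten minutes.
    {"eventID": "e5", "eventTime": "2024-03-14T10:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}, "sourceIPAddress": "192.0.2.44",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventID": "e6", "eventTime": "2024-03-14T10:03:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}, "sourceIPAddress": "192.0.2.44",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventID": "e7", "eventTime": "2024-03-14T10:06:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}, "sourceIPAddress": "192.0.2.44",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}},
    # A single failure from elsewhere: flagged as a failure, but not a burst.
    {"eventID": "e8", "eventTime": "2024-03-14T11:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}},
]

# API calls that weaken or silence the audit trail itself (rule set is an assumption).
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_time(stamp: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def flags_for(event: dict) -> list:
    """Per-event rules; returns the list of rule names the event triggers."""
    findings = []
    if event.get("userIdentity", {}).get("type") == "Root":
        findings.append("root-account-activity")
    if event.get("eventName") in TRAIL_TAMPERING:
        findings.append("audit-trail-tampering")
    if event.get("eventName") == "ConsoleLogin":
        outcome = event.get("responseElements", {}).get("ConsoleLogin")
        mfa = event.get("additionalEventData", {}).get("MFAUsed")
        if outcome == "Failure":
            findings.append("console-login-failure")
        elif mfa != "Yes":
            findings.append("console-login-without-mfa")
    return findings


def triage(events: list) -> dict:
    """Map eventID -> triggered rules for every event that triggered at least one."""
    out = {}
    for event in events:
        findings = flags_for(event)
        if findings:
            out[event["eventID"]] = findings
    return out


def failed_login_bursts(events: list, threshold: int = 3,
                        window: timedelta = timedelta(minutes=10)) -> dict:
    """Source addresses with >= threshold failed console logins inside a sliding window.
    Returns {sourceIPAddress: largest number of failures seen in one window}."""
    by_ip = defaultdict(list)
    for event in events:
        if (event.get("eventName") == "ConsoleLogin"
                and event.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
            by_ip[event.get("sourceIPAddress")].append(parse_time(event["eventTime"]))
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), count)
    return bursts


if __name__ == "__main__":
    for event_id, rules in triage(SAMPLE_EVENTS).items():
        print(event_id, rules)
    print("bursts:", failed_login_bursts(SAMPLE_EVENTS))
```

The per-event rules are stateless and can run as records stream in; the burst rule needs a short window of history, which is the usual reason such correlation lives in the central logging service rather than on the producing host.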

Application Level Security

We prevent single points of failure. Even if one system goes down or is breached, the rest of our services stay up and secure. All services are logically segmented following best practices, such as running application services on dedicated instances. All login pages are secured via TLS over external and internal networks, and only certificates signed by well-known Certificate Authorities (CAs) are allowed. All business-related communications, such as email and CRM, are encrypted in transit as well as at rest. BitSight customer application passwords are hashed and salted at rest, and even our own staff can’t retrieve them — if lost, the password must be reset.
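
To make the last sentence concrete, here is an added example (not BitSight's code) of the storage pattern it describes: a per-user random salt, a slow key derivation function, constant-time verification, and a single-use reset token as the only recovery path. The page does not name the KDF, so PBKDF2-HMAC-SHA256 from the Python standard library and the iteration count are assumptions made here; the in-memory UserStore stands in for a credentials table.

```python
"""Added example, not BitSight's code: salted password hashing with verify-only
access and a reset path. PBKDF2-HMAC-SHA256 is assumed because the page does not
name a KDF; argon2 or bcrypt through a vetted library is the usual production pick."""
import hashlib
import hmac
import os
import secrets

ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumed cost setting; tune to the hardware budget


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Derive a stored record 'algo$iterations$salt_hex$hash_hex' with a fresh random salt."""
    salt = os.urandom(16)  # per-user salt: identical passwords yield different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and compare in constant time; nothing is decrypted."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: fail closed
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


class UserStore:
    """In-memory stand-in for a credentials table (constructed for the example)."""

    def __init__(self, iterations: int = DEFAULT_ITERATIONS):
        self.iterations = iterations
        self._records: dict = {}
        self._reset_tokens: dict = {}
        # Dummy record so a login attempt for an unknown user costs the same as a real check.
        self._dummy = hash_password(secrets.token_hex(16), iterations)

    def create_user(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password, self.iterations)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            verify_password(password, self._dummy)  # burn equal work, then refuse
            return False
        return verify_password(password, record)

    def stored_record(self, username: str) -> str:
        """What an operator with database access sees: salt and hash, never the password."""
        return self._records[username]

    def issue_reset_token(self, username: str) -> str:
        """The only recovery path: a single-use token, stored hashed, delivered out of band."""
        token = secrets.token_urlsafe(32)
        self._reset_tokens[username] = hashlib.sha256(token.encode("utf-8")).hexdigest()
        return token

    def complete_reset(self, username: str, token: str, new_password: str) -> bool:
        expected = self._reset_tokens.get(username)
        presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
        if expected is None or not hmac.compare_digest(expected, presented):
            return False
        del self._reset_tokens[username]  # single use
        self._records[username] = hash_password(new_password, self.iterations)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.create_user("alice", "correct horse battery")
    print(store.stored_record("alice"))      # salt and hash only
    print(store.login("alice", "correct horse battery"))  # True
    token = store.issue_reset_token("alice")  # would be sent out of band
    print(store.complete_reset("alice", token, "new secret"))  # True
```

Two details carry the security property: the store exposes only a verify operation, so nobody with read access to the table learns a password, and the reset token is itself stored hashed and consumed on first use, so a leaked table does not hand out working reset tokens either.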

Encryption

BitSight Security Ratings uses TLS 1.2 or higher for all data in transit. Data at rest is encrypted using Amazon RDS encrypted DB instances, which use the industry-standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances.

Data Protection, Continuity and Retention

We back up and test our systems, just in case. Production data is mirrored to remote systems and automatically backed up on a regular basis. Production databases are replicated to avoid single points of failure. Recovery procedures are tested regularly by restoring from backup and simulating recovery of a production database. Backup retention varies by function and business impact. All production applications are deployed in multiple availability zones and leverage AWS Multi-AZ technology, which can sustain the loss of an entire data center in a region.

Internal IT Security

We protect our own systems to protect your data. BitSight offices are protected behind network firewalls from well-known security vendors and secured by keycard access. Our employee laptops are imaged and managed using leading MDM software. Collaborative tools like email, document shares and calendars require two-factor authentication to mitigate phishing attacks. Critical infrastructure passwords are locked in a virtual vault using AES-256 encryption and can only be accessed by a handful of individuals in the organization.

Training and Awareness

BitSight requires all employees and contractors to sign a confidentiality agreement prior to commencement of employment or the provision of services. Security awareness training is delivered to all employees and contractors, and we continually publicize security alerts through our internal communication channels.

Questions?

If you have any questions about our security, feel free to reach out to our security team at [email protected].