Security at Bambuser

Information security is considered one of the most important areas in Bambuser.

Bambuser is ISO-certified

At Bambuser, we take information security very seriously. We are proud to announce that our Stockholm site has successfully achieved ISO 27001 certification, a globally recognized standard for information security management systems. This certification demonstrates that Bambuser has implemented effective security controls and processes to protect our information assets, including any information that we hold on behalf of our customers. By achieving this certification, we are committed to maintaining the confidentiality, integrity, and availability of our customer’s data, and we continuously monitor and improve our security practices to ensure that we remain compliant with the standard.

Bambuser considers security as a high priority. The IT solutions have been built from the outset using the core principles of information security.

N°1
Confidentiality
Prevent the disclosure of information to unauthorized individuals or systems.
N°2
Integrity
Maintain and assure the accuracy and consistency of data over its entire lifecycle.
N°3
Availability
Ensure the information is available when and where it is needed.

Access control

Provisioning
To minimise the risk of data exposure, Bambuser adheres to the principle of least privilege and role based permissions, which means that workers are only authorized to access data that they must handle to fulfill their job responsibilities. Access to production environments are reviewed regularly.
Authentication
Bambuser employs multi-factor authentication for all critical systems, including our production environment which houses our customer data.
In addition, Bambuser uses private keys for authentication where this is possible and appropriate.
Password management
Personnel at Bambuser are required to use an approved password manager to avoid password reuse, phishing and other password related risks.

Architecture

Cloud infrastructure
Bambusers infrastructure is fully cloud based and hosted at Google Cloud Platform and Amazon Web Services. Both are separated into a security and monitoring layer, API layer, compute layer, query layer and storage layer.
Network Infrastructure
All traffic passing to Bambusers network is managed by security groups or virtual firewalls. Bambuser uses a method where systems are segmented into private subnets to heighten the security standard. The traffic is continuously monitored.

Event management

Monitoring, logging and alerting
Bambuser monitors servers, networks and mobile devices to keep updated on the security state of the infrastructure. Alerts of misconduct or incidents are set up in a monitoring tool for visibility. Audit logs, application logs & security logs are all kept for in between 90 days - 2 years.
Incident
Management
Bambuser have set up clear policies to detect, assess, log & respond to incidents. All incidents are managed by a dedicated incident response team. If an incident has an impact on customers, they will be informed asap.
Change
management
All changes to Bambusers operational or protection systems must be approved and documented. Changes must be performed following our change management procedure.

Business continuity

Disaster Recovery
A Disaster Recovery Plan including all resources and processes necessary for recovery of our IT infrastructure and services within set deadlines is in place. Disaster recovery exercises are done independently according to documented run books. Bambuser does a partial Disaster Recovery exercise every 6 month and a full one once a year on the identified business critical infrastructures. Those exercises are focused on scenarios with full zone loss and alternative zone recovery.
Business Continuity
Bambuser have established a Business Continuity Plan to make sure critical operations, functions and technology can be kept up running even in case of an emergency.
Backup
Bambuser have implemented redundant backups, archiving and restoration to ensure that information supporting business processes remains accurate and can be restored for all critical functions.

Customer data

Data retention
and disposal
Customer personal and video data is removed 30 days upon expiration of the Bambuser services, or earlier if required by customer. The data is hard deleted from currently running production systems.

Vendor
management

Sub-service organisations
To run efficiently, Bambuser relies on sub-service organizations. Where those sub-service organizations may impact the security of Bambusers production environment, we take appropriate steps to ensure our security posture is maintained. The confidentiality agreements we have made with our users also adhere to our service organisations. Moreover, Bambuser perform risk assessments on suppliers handling important data before going in to a partnership.
Cloud Providers
Our cloud providers is our by far most important suppliers. It is important for us that our data remains safe, which is why we value that both Google Cloud Platform and Amazon Web Services have invested in high class security. Both providers are certified within standards as ISO 27001 and SOC 2/3.

External validation

Internal Audits
Bambuser is always striving to improve the design and operating effectiveness of our security controls. Monitor and review of controls are performed continuously both in-house and by certified third parties.
Penetration testing
At least annually, Bambuser engages independent penetration testers to conduct tests on our environments. Potential findings and risks are remediated according to prioritisation order in a timely manner. Results from the penetration tests can be provided to our customers upon request.

Ready to reach all-new records?

Whether you’re 100% prepared to scale your e-commerce or need more info, Team Bambuser are ready to tailor to your perfect needs.

Request a Demo