information security + privacy


The security and privacy of your information is fundamental to our business. We have made significant investments to protect it and would never do anything with your information that we wouldn’t want done with ours. We take this seriously and make it a priority.  



Bellomy products and services are ISO 27001 certified and SOC 2 Type 2 audited annually. We are HIPAA-compliant as well.

Our SOC 2 assessments include all Trust Services Criteria:

  • Security
  • Confidentiality
  • Availability
  • Processing Integrity
  • Privacy

Please work with your Strategy Team or Client Services representative to inquire about or obtain:

  • Full SOC 2 Type 2 Report
  • Bridge/Gap Letters
  • ISO 27001 Certificate
  • HIPAA Business Associate Agreement (BAA)


Security & Privacy Teams

Bellomy’s dedicated Information Security and Privacy teams hold a variety of relevant industry certifications:

  • ISC2: Certified Information Systems Security Professional (CISSP)
  • EC-Council: Certified Ethical Hacker (CEH)
  • Cisco: Certified CyberOps Associate (CCNA/CyberOps), Certified Network Associate (CCNA)
  • CompTIA: Cybersecurity Analyst (CySA+), Security+, Security Analytics Professional, IT Secure Infrastructure Specialist, IT Operations Specialist, Cloud Essentials


Risk Management

Bellomy maintains a formal risk management program to understand and address our Information Security and Privacy risks. It is reviewed and audited annually by our internal and third-party/external audit teams. Please work with your Bellomy representatives for more information.



Employees and contractors undergo criminal record & employment background checks and sign confidentiality and non-disclosure agreements upon hire and before access to company or customer information. 


Awareness & Training

Bellomy employees are required to complete security awareness training upon hire and monthly thereafter. Coverage includes a variety of topics related to information security and privacy. 


Access & Authentication Controls

Information access is role-based and need-to-know. We enforce multi-factor authentication for access to confidential information and use separate accounts for normal vs admin duties. Where applicable, system access is restricted by IP address. 



Encryption

Bellomy leverages AWS to encrypt information in-transit (TLS) and at-rest (AES-GCM 256). We use Load Balancer and CloudFront security policies to enable in-transit encryption for our web applications. We use the AWS Key Management Service (KMS) to enable encryption at-rest for information within databases (RDS), S3, and EC2.


Backups & Retention

Bellomy retains one year of database backups and three years of audit and application logs. These backups are stored encrypted in accordance with the Encryption section above. To request project data removal, please work with your Sales Team or Client Services Manager.


Business Continuity / Disaster Recovery

Bellomy engineers have designed scalable and resilient product architecture within AWS. Systems and application performance are monitored for key metrics, ensuring the load on any one system is within an acceptable range. Critical information is replicated to AWS data centers in different regions and availability zones. Bellomy performs annual disaster recovery exercises to test and validate recovery objectives. 


Project Management

Bellomy project managers work with care and diligence to keep your project running smoothly. We partner with you to understand your project’s unique risk needs and develop a plan to keep your project on-track, on time, worked by the right people, and secure.


Change Control

Changes to systems and applications are evaluated, risk assessed, and tested before being put into production. Requests are logged, tracked, and require appropriate approvals and acceptances before going live.


Code Security & Updates

We use a gated deployment process with human-curated steps to ensure quality, security, and stability. Code changes are peer-reviewed, statically and dynamically scanned for security problems, approved by separate QA staff, and verified in testing environments before being pushed into production. The test and production environments are logically separated, and testing data is carefully selected, protected, and controlled.


Logging & Monitoring

Bellomy collects audit and application logs from all systems in accordance with industry standards. These logs are stored in an encrypted, centralized logging facility and kept for a period of three years.  


Vulnerability Scanning

Our Information Security team performs monthly web application and system vulnerability scans. Vulnerabilities found during these scans or any other vulnerability discovery activities are verified, categorized, evaluated for actual risk, and remediated as appropriate.


Penetration Testing

Bellomy performs third-party penetration testing against internal and external facing systems. These are done quarterly and upon significant system change.


Data Center Location

Bellomy operates within Amazon Web Services (AWS). AWS follows the Shared Responsibility Model. They are responsible for the security of the cloud, and Bellomy is responsible for security in the cloud. Information regarding the compliance of AWS data centers can be found on the AWS compliance website. If you are required to review the data center SOC report, you can review the latest AWS SOC3 report.

AWS Regions

Currently we operate data centers in the United States at the following:

  • Amazon AWS Data Center in the United States, N. Virginia (us-east-1)
  • Amazon AWS Data Center in the United States, Ohio (us-east-2)


Artificial Intelligence (AI)

We consider our AI-informed technology superior to purpose-built market research alternatives, and we continually evolve and update it according to the most recent technology and industry best practices. Our tools are built to protect the data of our clients and ensure that AI platforms cannot learn from client data.

In addition:

  • We employ multiple AIs in a proprietary ensemble model.
  • OpenAI is used in some parts of our implementation.
  • Bellomy’s proprietary AIs are maintained in our AWS data center within our full control. OpenAI is utilized as a SaaS provider for their portion of the implementation.
  • Client data is not used to train the AI. Fragments of client data are supplied to the AI for specific in-the-moment AI uses, but these are not used to train the AI and are not retained by OpenAI.

For additional information on Bellomy’s AI policy and current status, visit


