Information Security & Privacy


Bellomy respects your (and your customers’) information. We have made significant investments to protect it and would never do anything with your information that we wouldn’t want done with ours. We take this seriously and make it a priority.   

Keeping your information secure and private is fundamental to our business. 


Bellomy products and services are ISO 27001 certified and SOC 2 Type 2 audited annually. We are HIPAA-compliant as well. 

Our SOC 2 assessments include all Trust Services Criteria: 

  • Security 
  • Confidentiality 
  • Availability 
  • Processing Integrity 
  • Privacy 

Please work with your Sales Team or Client Services Manager to inquire about or obtain: 

  • Full SOC 2 Type 2 Report 
  • Bridge/Gap Letters 
  • ISO 27001 Certificate 
  • HIPAA Business Associate Agreement (BAA) 

Security & Privacy Teams 

Bellomy’s dedicated Information Security and Privacy teams hold a variety of relevant industry certifications: 

  • ISC2: Certified Information Systems Security Professional (CISSP) 
  • EC-Council: Certified Ethical Hacker (CEH) 
  • Cisco: Certified CyberOps Associate (CCNA/CyberOps), Certified Network Associate (CCNA) 
  • CompTIA: Cybersecurity Analyst (CySA+), Security+, Security Analytics Professional, IT Secure Infrastructure Specialist, IT Operations Specialist, Cloud Essentials 

Risk Management     

Bellomy maintains a risk management program to understand and address our Information Security and Privacy risks. It is reviewed annually and audited during our internal and third-party external audits (ISO 27001, SOC 2). Please work with your Sales Team or Client Services Manager for more information about Bellomy’ s Risk Management Program.  


Employees undergo criminal record & employment background checks and are required to complete various training. 

Employees and contractors sign confidentiality and non-disclosure agreements upon hire and before access to company or customer information. 

Awareness & Training 

Bellomy employees are required to complete security awareness training upon hire and monthly thereafter. Coverage includes a variety of topics related to information security and privacy.  

Access & Authentication Controls 

Information access is role-based and need-to-know. We enforce multi-factor authentication for access to confidential information and use separate accounts for normal vs admin duties. Where applicable, system access is restricted by IP address.  


Bellomy leverages AWS to encrypt information in-transit (TLS) and at-rest (AES-GCM 256). We use Load Balancer and CloudFront security policies to enable in-transit encryption for our web applications. We use the AWS Key Management Service (KMS) to enable encryption at-rest for information within databases (RDS), S3, and EC2.  

Backups & Retention 

Bellomy retains one year of database backups and three years of audit and application logs. These backups are stored encrypted in accordance with the Encryption section above.  To request project data removal, please work with your Sales Team or Client Services Manager. 

Business Continuity / Disaster Recovery 

Bellomy engineers have designed scalable and resilient product architecture within AWS. Systems and application performance are monitored for key metrics, ensuring the load on any one system is within an acceptable range. Critical information is replicated to AWS datacenters in different regions and availability zones. Bellomy performs annual disaster recovery exercises to test and validate recovery objectives.  

Project Management 

Bellomy project managers work with care and diligence to keep your project running smoothly. We partner with you to understand your project’s unique risk needs and develop a plan to keep your project on-track, on-time, worked by the right people, and secure. 

Change Control 

Changes to systems and applications are evaluated, risk assessed, and tested before putting into production. Requests are logged, tracked, and require appropriate approvals and acceptances before going live. 

Code Security & Updates 

Our Applications team uses a gated deployment process with human curated steps to ensure quality, security, and stability. Code changes are peer reviewed, statically and dynamically scanned for security problems, approved by separate QA staff, and verified in testing environments before pushed into production. The test and production environments are logically separated, and testing data is carefully selected, protected, and controlled.  

Logging & Monitoring 

Bellomy collects audit and application logs from all systems. These logs are stored encrypted in a centralized logging facility separate from the system generating the logs. The log entries are in line with industry standards for audit trails. Bellomy maintains these logs for a period of three years for the business purpose of investigating past system activity.  

Vulnerability Scanning 

Our Information Security team performs regular web application and system vulnerability scans. Vulnerabilities found during these scans or any other vulnerability discovery activities are verified, categorized, evaluated for actual risk, and remediated as appropriate.

Penetration Testing     

Bellomy performs 3rd party penetration testing against internal and external facing systems. These are done quarterly and upon significant system change. 

Data Center Location 

Bellomy operates within Amazon Web Services (AWS) according to the Shared Responsibility Model. Information regarding the compliance of AWS data centers can be found on the AWS compliance website here. If you are required to review the data center SOC report, you can review the latest AWS SOC3 report located here: AWS SOC3 Report.  

AWS Regions 

Currently we operate data centers in the United States at the following: 

  • Amazon AWS Data Center in the United States, N. Virginia (us-east-1) 
  • Amazon AWS Data Center in the United States, Ohio (us-east-2)