At Bound, we take security seriously. We know that customers rely on us to provide reliable, uninterrupted service, and a core element of that mission is to ensure that our systems and data are secure.
This page provides high-level information about our security philosophy and practices. For detailed answers to specific security questions, please contact your Bound account representative.
Our Approach To Security
At Bound, our security program focuses on three core areas:
- People, policies and procedures
- Technical infrastructure, data storage, and vendors
- Industry best practices and certifications
In the following sections, we outline the variety of initiatives, programs and mechanisms that Bound applies to each of these three areas.
People, Policies and Procedures
People are at the frontlines of security, and it's important that Bound employees are knowledgeable and experienced in areas related to security and privacy. As such, we require that all Bound employees and contractors:
- Receive ongoing security awareness training
- Are regularly tested on security matters, via techniques like phishing simulations
- Undergo rigorous security screening prior to onboarding
Employees and contractors must understand and agree to Bound's policies related to information security, device security, vendor security, data management and encryption, access control and risk management.
In all areas, Bound maintains a policy of “least privilege”, meaning that employees, contractors, customers and 3rd parties only receive the minimum permissions required to perform their specific duties. Accounts, users, and access are audited regularly to ensure compliance with this policy.
Bound maintains a thorough risk management process, which is used to assess the risks of large projects to all stakeholders and to Bound's employees and reputation. This process helps Bound understand the security risks associated with large projects, and to help reduce or eliminate those risks.
Bound maintains a detailed and regularly audited incident response plan, which includes internal roles and protocols for staff to assume during a security incident. Incidents may be reported by Bound employees, or by third parties via email (firstname.lastname@example.org).
Bound promptly notifies customers, partners, users, affected parties, and regulatory agencies of relevant incidents or breaches in accordance with Bound policies, contractual commitments, and regulatory requirements.
All of the above practices are subject to ongoing review and improvement, on at least a yearly cadence.
Technical Infrastructure, Data Storage, and Vendors
Bound employs a defense-in-depth approach to network security, using layered mechanisms and techniques to achieve network separation and security.
Environments are separated by deployment stage&emdash;meaning that staging and production environments are isolated. This prevents communication between staging and production services and resources. In addition, production data is never used in or accessed by staging or development environments (except in cases where it is fully anonymized, and used for troubleshooting of a customer-specific issue).
Environment and service isolation is further achieved via limited routing rules, access controls lists, and network security controls at the resource level.
All activity within Bound's environment is logged and monitored. Alerts and reports are configured to detect and respond to unusual activity.
External endpoints (such as Bound's API and administrative interface) are protected by a layered suite of mechanisms. These include, but are not limited to, automated systems to prevent DDOS attacks, detect network intrusions, log and alert on configuration changes, and prevent common exploits like XSS and SQL injection attempts.
Bound's administrative interface is protected by built-in limits which prevent brute force login attempts, and by policies which force password rotation.
Code Repositories and 3rd Party Code
Bound maintains private code repositories for its resources, with access limited to a bare minimum of users. Bound uses static analysis tools to detect vulnerabilities and deficiencies in its code, and requires human review of every change/commit.
Bound analyzes all 3rd party packages using automated tools to detect vulnerabilities, and does not deploy vulnerable code without compensating controls or remedies in place.
Bound's build and deploy pipeline is logically separate from staging and production environments, and does not have access to Bound data or services. Build and deploy tools have the minimum permissions required to generate deployment artifacts, and to publish them to a storage bucket.
All data in Bound's custody is stored in systems with a bare minimum of access permissions. All data is encrypted at rest using AES-256, and can only be accessed via encrypted connections. Data is backed up to a versioned, object-locked secondary storage location for disaster recovery purposes, and to help guard against ransomware attempts.
All Bound vendors are vetted according to policies that ensure their reliability and security.
Auditing and Testing
Bound regularly audits its environments and services for misconfigurations, vulnerabilities, and best practice adherence. Each change introduced to Bound's systems is tested for functionality and security. In addition to internal auditing and testing programs, Bound conducts annual 3rd party penetration tests.
Industry Standards and Certifications
Wherever possible, Bound endeavors to meet or exceed industry best practices and standards.
In some areas, Bound adheres to ISO standards. For example, Bound's business continuity and disaster recovery procedures incorporate ISO 22301 standards. Bound endeavors to integrate more ISO standards during each annual security review.
On a quarterly basis, Bound audits and improves our compliance with PCI DSS standards, and with the CIS AWS Foundations Benchmark (a subset of CIS), in addition to AWS' Foundational Security Best Practices. At any given time, Bound aims to achieve 95% or higher compliance with these standards.
Bound is SOC2 Type 1 compliant.