SecurityYour data security is our top priority. That's why we use best-in-class 256-bit TLS encryption, advanced firewall protection, perform regular external security audits, and have ISO 27001 certified data centers.
INDUSTRY LEADING SECURITY
Meet our Data Protection Officer
As Global Head of Risk & Compliance & Data Protection Officer for Beekeeper, Amir Ameri is an accomplished professional with more than 20 years of technical and leadership experience in Operational Risk Management. He specializes in Cybersecurity, Data Protection, and Privacy fields in Swiss and international financial and banking sectors. After completing his Ph.D. dissertation in developing a framework for managing technology risks, Amir completed his Master of Law to better position his understanding of the interaction between technology and legal and regulatory requirements.
Does Beekeeper have Information Security & Data Protection specific policies, standards, or guidelines?
Yes. Beekeeper has a Governance Model, derived from the ISO 27001 Control Objectives along with other resources.
Are owners of the documents assigned and is there a review process for maintaining the documents?
Yes. All policies have identified owners and an annual review process is part of the Risk Management process.
Does Beekeeper have an embedded Operational Risk Management Process for identifying / responding / reporting on risks?
Yes. The RM process and ownership is by Risk & Compliance. BERI (Beekeeper Risk Inventory) is the depository of all identified risks, along with mitigating measures and their status. Risk & Compliance has a weekly Risk Management meeting with Engineering and a bi-weekly meeting with Sales & Customer Success Managers to review BERI.
Are the technology measures recommended or required in the General Data Protection Regulation (GDPR) and the Swiss Data Protection Act used by Beekeeper in its strategy and implementation to protect the security of data and privacy of the person?
Yes. Beekeeper uses GDPR as the umbrella for the data protection requirements on personal data. For our Swiss customers, the Swiss DPA is implemented should any deviations be required by the customers. Technical measures such as use of encryption technologies are standard and embedded in Beekeeper's product and service lines. Processes such as performance of Privacy Impact Assessments before release of any new product or service line is part of our product and service development lifecycle.
If you have more questions, read our Q&A on data privacy with our DPO Dr. Amer Ameri.
Does Beekeeper have a very granular Logging and Monitoring Policy which covers all details necessary for investigative purposes?
Yes. Beekeeper logging and monitoring is according to its Logging & Monitoring Policy, which is derived based on the requirements from the following sources:
- General Data Protection Regulation (GDPR)
- Swiss Data Protection Act
- Swiss Federal Act on Surveillance of Postal and Telecommunication Traffic
- U.S. National Institute of Standards and Technology (NIST) Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information - Technology Systems
- U.S. National Institute of Standards and Technology (NIST) Special Publication 800-92, Guide to Computer Security Log Management
- IT Compliance Institute-Logging, Monitoring and Reporting
- ISO 27001-27002 Logging and Monitoring Control Objectives
- PCI Security Standards Council-Effective Daily Log Monitoring
Beekeeper logs the following parameters:
- Time & date stamp
- IP address details (client IP)
- User name & ID
- Type of access / activity attempted or performed (read/update/create/delete)
- Success or failure status of the event
- System or module
- Full URL accessed
- Interface details (web based, mobile client, etc.)
- Browser type
Does Beekeeper have an Incident Management Policy and supporting processes?
Yes. Beekeeper has defined and implemented an Incident Management Policy as a document, as well as the relevant processes according to Articles 33, 34 of the GDPR.
Does Beekeeper have a Change Management Policy and supporting processes?
Yes. Beekeeper has defined and implemented a Change Management Policy, as well as the relevant processes best on a Segregation of Duties principle according to various best practices including ITIL, ISO, and NIST resources.
Does Beekeeper have a Business Continuity / Disaster Recovery Policy that is tested?
Yes. Beekeeper has a complete Business Continuity and Disaster Recovery Policy defined and made available. Quarterly tests have been performed with various scenarios resulting in recovery requirements.
Does Beekeeper have Controlled Access to Production processes embedded for Beekeeper Support Personnel?
Yes. Beekeeper utilizes an Access to Production process request for all employee requests for provisioning of support. The Customer is provided with the Information Security Policy for Beekeeper Customer document, identifying all functions with access to production. Access to production is based on temporary issuance of certificates with a limited validity period. Beekeeper employees are subject to mandatory background checks, and access is limited by the "need to know-need to have" principle. All access is based on 2 factor authentication.
Is Beekeeper employee access in accordance to the 4-eyes principle and "need to know-need to have" principle?
Are ALL Beekeeper systems operated in an ISO 27001 Certified Data Center?
Has Beekeeper appointed a Data Protection Officer (DPO)?
Yes. Dr. Amir M. Ameri. ([email protected])
Does Beekeeper perform regular vulnerability and penetration testing of their products?
Yes. Beekeeper uses Qualys for regular vulnerability tests of the product code before release to production. Further, Beekeeper performs annual Full Penetration Testing by an external specialized Penetration Testing Company. Prospects and customers may receive a copy of the penetration testing report upon signing a Non Disclosure Agreement with Beekeeper. Further, Beekeeper contractually obligates itself to a Customer's Right to Audit. Customers who do perform their own tests do so on their own tenant only and agree to a full disclosure of their reports and findings with Beekeeper.
Do Beekeeper customers have a Right to Audit?
Yes. Contractually agreed as a standard practice with Beekeeper.
Does Beekeeper sign a Data Processing Agreement with their customers?
Does Beekeeper have regular Training & Awareness sessions for their employees?
Yes. In accordance to GDPR requirements, Beekeeper has 2 mandatory annual Traning & Awareness sessions for ALL employees on the topic of Information Security and Data Protection & Privacy. Further, specialized topics are covered by employees' visiting internal and/or external training sessions. Beekeeper offers Bee University sessions as internal weekly or bi-weekly options for further training.
Does Beekeeper have a Data Retention & Deletion Policy and the necessary supporting processes?
Yes. A Data Retention & Deletion Policy exists. The Customer Success Manager appointed for each customer is the entry point for any requests. The Policy is according to GDPR and NIST resources and where applicable any special local or jurisdictional requirements. Beekeeper further contractually regulates these requirements with the customer, as defined in the Master Subscription Agreement.
Can we integrate our Identity Management solutions for Single Sign On or Active Directory with Beekeeper products and services?
Yes. Beekeeper uses SAML 2.0 for integration of Single Sign On and/or Active Directory solutions with the customer.
Does Beekeeper have solutions for Archiving of communication (Chats)?
Yes. Beekeeper provides access to Authenticated and Authorized Customers access to their Data for Archiving purposes based on the REST API. Please request a contact on this topic with Beekeeper's Data Protection Officer.
Does Beekeeper utilize relevant security techniques such as encryption?
Yes. According to our Security White Paper.
Does Beekeeper provide its customers Service Level Agreements for 99.9 % availability?
Yes. This may be observed by anyone on status.beekeeper.io. Customers may sign up with an email or mobile number to receive any service incident alerts on the same site.
Can we use our Mobile Device Management (MDM) for deployment of the Beekeeper apps?
Yes. Beekeeper mobile apps may be distributed via MDMs.