Security

Your data security is our top priority. That's why we use best-in-class 256-bit TLS encryption, advanced firewall protection, perform regular external security audits, and have ISO 27001 certified data centers.

VIRTUAL PRIVATE CLOUD

  • Hosted in ISO 27001 certified data centers
  • Customer's choice of data center location
  • Jurisdiction restricted processing
  • Highly secure cloud-based SaaS offering

MULTI-TENANCY

  • Multi-layer tenant data segregation
  • Each tenant runs on separate domain
  • Customer maintains control over their tenant

CUSTOMER CONTROLS ACCESS

  • Role-based permissions via Admin Dashboard
  • Integrates with your existing Identity Management
  • SAML 2.0 interface to Single Sign-On & Active Directory

FULL ENCRYPTION

  • Mobile app data encryption
  • Uses AES 256 and TLS 1.2 encryption
  • Data is encrypted at rest and in transit

REGULATORY COMPLIANCE

  • Swiss Data Protection Act
  • General Data Protection Regulation (GDPR)
  • Data Protection Agreement with customers
  • Contact our Data Protection Officer

HIGH AVAILABILITY

  • Reported on status.beekeeper.io
  • Contractually binding 99.9% availability

Meet our Data Protection Officer


As Global Head of Risk & Compliance & Data Protection Officer for Beekeeper, Amir Ameri is an accomplished professional with more than 20 years of technical and leadership experience in Operational Risk Management. He specializes in Cybersecurity, Data Protection, and Privacy fields in Swiss and international financial and banking sectors. After completing his Ph.D. dissertation in developing a framework for managing technology risks, Amir completed his Master of Law to better position his understanding of the interaction between technology and legal and regulatory requirements.

Dr. Amir Ameri, Global Head of Risk & Compliance & Data Protection Officer, Beekeeper

Security FAQs

Does Beekeeper have Information Security & Data Protection specific policies, standards, or guidelines?
Yes. Beekeeper has a Governance Model, derived from the ISO 27001 Control Objectives along with other resources.

_____________________________________________________________________________________________
 

Are owners of the documents assigned and is there a review process for maintaining the documents?
Yes. All policies have identified owners and an annual review process is part of the Risk Management process.

_____________________________________________________________________________________________
 

Does Beekeeper have an embedded Operational Risk Management Process for identifying / responding / reporting on risks?
Yes. The RM process and ownership is by Risk & Compliance. BERI (Beekeeper Risk Inventory) is the depository of all identified risks, along with mitigating measures and their status. Risk & Compliance has a weekly Risk Management meeting with Engineering and a bi-weekly meeting with Sales & Customer Success Managers to review BERI.

_____________________________________________________________________________________________
 

Are the technology measures recommended or required in the General Data Protection Regulation (GDPR) and the Swiss Data Protection Act used by Beekeeper in its strategy and implementation to protect the security of data and privacy of the person?
Yes. Beekeeper uses GDPR as the umbrella for the data protection requirements on personal data. For our Swiss customers, the Swiss DPA is implemented should any deviations be required by the customers. Technical measures such as the use of encryption technologies are standard and embedded in Beekeeper's product and service lines. Processes such as the performance of Privacy Impact Assessments before release of any new product or service line are part of our product and service development lifecycle.

_____________________________________________________________________________________________
 

Does Beekeeper have a very granular Logging and Monitoring Policy which covers all details necessary for investigative purposes?
Yes. Beekeeper logging and monitoring is according to its Logging & Monitoring Policy, which is derived based on the requirements from the following sources:

  1. General Data Protection Regulation (GDPR)
  2. Swiss Data Protection Act
  3. Swiss Federal Act on Surveillance of Postal and Telecommunication Traffic
  4. U.S. National Institute of Standards and Technology (NIST) Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
  5. U.S. National Institute of Standards and Technology (NIST) Special Publication 800-92, Guide to Computer Security Log Management
  6. IT Compliance Institute-Logging, Monitoring and Reporting
  7. ISO 27001-27002 Logging and Monitoring Control Objectives
  8. PCI Security Standards Council-Effective Daily Log Monitoring
  9. Beekeeper's Privacy Policy https://beekeeper.io/privacy-policy/.

Beekeeper logs the following parameters:

  1. Time & date stamp
  2. IP address details (client IP)
  3. User name & ID
  4. Type of access / activity attempted or performed (read/update/create/delete)
  5. Success or failure status of the event
  6. System or module
  7. Full URL accessed
  8. Interface details (web based, mobile client, etc.)
  9. Browser type
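The nine parameters above define what an audit record must carry before it is useful for an investigation. The following is an added example, not Beekeeper's code: it checks a log export for completeness against those nine fields and then counts failed access attempts per user and client IP. The JSON-lines format, the key names, and the sample records are all assumptions constructed for the example; Beekeeper's real export format is not described on this page.

```python
"""Added example (not Beekeeper's code): validate audit-log records against the
nine logged parameters listed on the page and summarise failed access attempts.
The JSON line format, field names and sample records are assumptions."""
import json
from collections import Counter
from typing import Dict, List, Tuple

# The nine logged parameters from the page, mapped to assumed JSON keys.
REQUIRED_FIELDS = (
    "timestamp",      # 1. time & date stamp
    "client_ip",      # 2. IP address details (client IP)
    "user",           # 3. user name & ID
    "action",         # 4. type of access / activity attempted or performed
    "status",         # 5. success or failure status of the event
    "module",         # 6. system or module
    "url",            # 7. full URL accessed
    "interface",      # 8. interface details (web, mobile client, etc.)
    "user_agent",     # 9. browser type
)
VALID_ACTIONS = {"read", "update", "create", "delete"}
VALID_STATUS = {"success", "failure"}

# Constructed sample export, one JSON record per line (assumed format).
# The last record deliberately lacks the browser type field.
SAMPLE_LOG = """\
{"timestamp": "2024-01-15T08:00:01Z", "client_ip": "203.0.113.10", "user": "alice#1001", "action": "read", "status": "success", "module": "streams", "url": "https://example.invalid/api/streams/1", "interface": "web", "user_agent": "Firefox/121"}
{"timestamp": "2024-01-15T08:00:05Z", "client_ip": "203.0.113.10", "user": "alice#1001", "action": "delete", "status": "failure", "module": "streams", "url": "https://example.invalid/api/streams/1", "interface": "web", "user_agent": "Firefox/121"}
{"timestamp": "2024-01-15T08:00:09Z", "client_ip": "198.51.100.7", "user": "bob#1002", "action": "update", "status": "failure", "module": "admin", "url": "https://example.invalid/api/admin/roles", "interface": "mobile", "user_agent": "BeekeeperApp/5.0"}
{"timestamp": "2024-01-15T08:00:12Z", "client_ip": "198.51.100.7", "user": "bob#1002", "action": "update", "status": "failure", "module": "admin", "url": "https://example.invalid/api/admin/roles", "interface": "mobile"}
"""


def parse_records(text: str) -> Tuple[List[Dict], List[str]]:
    """Parse JSON lines; return (records that carry all nine fields, problems found).

    A record missing any required field, or with an unknown action or status
    value, is reported rather than silently accepted, so gaps in an export
    surface before an investigation depends on them."""
    valid: List[Dict] = []
    problems: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            problems.append(f"line {lineno}: not JSON ({exc.msg})")
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            problems.append(f"line {lineno}: missing {', '.join(missing)}")
            continue
        if rec["action"] not in VALID_ACTIONS:
            problems.append(f"line {lineno}: unknown action {rec['action']!r}")
            continue
        if rec["status"] not in VALID_STATUS:
            problems.append(f"line {lineno}: unknown status {rec['status']!r}")
            continue
        valid.append(rec)
    return valid, problems


def failures_by_user_ip(records: List[Dict]) -> Dict[Tuple[str, str], int]:
    """Count failed access attempts per (user, client IP) pair."""
    counts: Counter = Counter()
    for rec in records:
        if rec["status"] == "failure":
            counts[(rec["user"], rec["client_ip"])] += 1
    return dict(counts)


if __name__ == "__main__":
    recs, probs = parse_records(SAMPLE_LOG)
    print(f"{len(recs)} complete records, {len(probs)} problem(s)")
    for p in probs:
        print("  ", p)
    for (user, ip), n in failures_by_user_ip(recs).items():
        print(f"  {user} from {ip}: {n} failed attempt(s)")
```

Running it over the constructed sample reports three complete records, one record rejected for a missing `user_agent`, and one failed attempt each for the two users. Rejecting incomplete records rather than skipping the missing field is the point: if an export cannot answer "which browser, from which IP" for an event, that event cannot support an investigation.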

_____________________________________________________________________________________________
 

Does Beekeeper have an Incident Management Policy and supporting processes?
Yes. Beekeeper has defined and implemented an Incident Management Policy as a document, as well as the relevant processes according to Articles 33, 34 of the GDPR.

_____________________________________________________________________________________________
 

Does Beekeeper have a Change Management Policy and supporting processes?
Yes. Beekeeper has defined and implemented a Change Management Policy, as well as the relevant processes based on a Segregation of Duties principle according to various best practices including ITIL, ISO, and NIST resources.

_____________________________________________________________________________________________
 

Does Beekeeper have a Business Continuity / Disaster Recovery Policy that is tested?
Yes. Beekeeper has a complete Business Continuity and Disaster Recovery Policy defined and made available. Quarterly tests have been performed with various scenarios resulting in recovery requirements.

_____________________________________________________________________________________________
 

Does Beekeeper have Controlled Access to Production processes embedded for Beekeeper Support Personnel?
Yes. Beekeeper utilizes an Access to Production process request for all employee requests for provisioning of support. The Customer is provided with the Information Security Policy for Beekeeper Customer document, identifying all functions with access to production. Access to production is based on temporary issuance of certificates with a limited validity period. Beekeeper employees are subject to mandatory background checks, and access is limited by the "need to know-need to have" principle. All access is based on two-factor authentication.

_____________________________________________________________________________________________
 

Is Beekeeper employee access in accordance with the 4-eyes principle and "need to know-need to have" principle?
Yes.

_____________________________________________________________________________________________
 

Are ALL Beekeeper systems operated in an ISO 27001 Certified Data Center?
Yes.

_____________________________________________________________________________________________
 

Has Beekeeper appointed a Data Protection Officer (DPO)?
Yes. Dr. Amir M. Ameri. ([email protected])

_____________________________________________________________________________________________
 

Does Beekeeper perform regular vulnerability and penetration testing of their products?
Yes. Beekeeper uses Qualys for regular vulnerability tests of the product code before release to production. Further, Beekeeper performs annual Full Penetration Testing by an external specialized Penetration Testing Company. Prospects and customers may receive a copy of the penetration testing report upon signing a Non Disclosure Agreement with Beekeeper. Further, Beekeeper contractually obligates itself to a Customer's Right to Audit. Customers who do perform their own tests do so on their own tenant only and agree to a full disclosure of their reports and findings with Beekeeper.

_____________________________________________________________________________________________
 

Do Beekeeper customers have a Right to Audit?
Yes. Contractually agreed as a standard practice with Beekeeper.

_____________________________________________________________________________________________
 

Does Beekeeper sign a Data Processing Agreement with their customers?
Yes.

_____________________________________________________________________________________________
 

Does Beekeeper have regular Training & Awareness sessions for their employees?
Yes. In accordance with GDPR requirements, Beekeeper has 2 mandatory annual Training & Awareness sessions for ALL employees on the topic of Information Security and Data Protection & Privacy. Further, specialized topics are covered by employees visiting internal and/or external training sessions. Beekeeper offers Bee University sessions as internal weekly or bi-weekly options for further training.

_____________________________________________________________________________________________
 

Does Beekeeper have a Data Retention & Deletion Policy and the necessary supporting processes?
Yes. A Data Retention & Deletion Policy exists. The Customer Success Manager appointed for each customer is the entry point for any requests. The Policy is according to GDPR and NIST resources and where applicable any special local or jurisdictional requirements. Beekeeper further contractually regulates these requirements with the customer, as defined in the Master Subscription Agreement.

_____________________________________________________________________________________________
 

Can we integrate our Identity Management solutions for Single Sign On or Active Directory with Beekeeper products and services?
Yes. Beekeeper uses SAML 2.0 for integration of Single Sign On and/or Active Directory solutions with the customer.

_____________________________________________________________________________________________
 

Does Beekeeper have solutions for Archiving of communication (Chats)?
Yes. Beekeeper provides Authenticated and Authorized Customers access to their Data for Archiving purposes based on the REST API. Please request a contact on this topic with Beekeeper's Data Protection Officer.

_____________________________________________________________________________________________
 

Does Beekeeper utilize relevant security techniques such as encryption?
Yes. According to our Security White Paper.

_____________________________________________________________________________________________
 

Does Beekeeper provide its customers Service Level Agreements for 99.9% availability?
Yes. This may be observed by anyone on status.beekeeper.io. Customers may sign up with an email or mobile number to receive any service incident alerts on the same site.

_____________________________________________________________________________________________
 

Can we use our Mobile Device Management (MDM) for deployment of the Beekeeper apps?
Yes. Beekeeper mobile apps may be distributed via MDMs.