Security FAQ

Purpose: This help guide will answer the most frequently asked questions we see from our customers about security.


Running a secure operation starts with creating a secure application, but it also requires constant monitoring, improvement, and vigilance against internal and external threats. Want to see the complete report of our ongoing security measures for yourself?

We make it easy to validate the safety of your data with us by bringing together all the security documentation you are looking for in our Trust Center, powered by SafeBase. Reports, certificates, audits, questionnaires—they are all here. Follow the link above to access our current security profile.


Does BambooHR complete client security questionnaires?

No. BambooHR does not complete and fill out security questionnaires on behalf of our customers. However, we invite our customers to sign and review our CAIQ and Sig Lite questionnaires, as well as our SOC II report that covers our security processes and procedures, among other things, to answer any questions they may have as it relates to security. 

As our customer base and partnerships have expanded greatly over the last few years, we cannot supply the resources to answer lengthy security audits for each interested party. We hope that using this common industry standard and a reputable third-party to audit our controls will give you the assurance you required to have confidence in our security controls.

Our Trust Center answers the most common security questions about third-party audits and certifications (e.g., SOC II report), internal policies, and industry-standard questionnaires. It also provides a list of resources, such as our Privacy PolicyTerms of Service, etc. You can request access to the Trust Center. In the top right corner, select Get Access. Then, enter your email address to receive a link to review our documentation. 


Where can I obtain a copy of the agreement (or contract) I signed with BambooHR?

BambooHR is a month-to-month subscription service with no long-term/signed contracts because we believe in earning your business each month. Acceptance of our Terms of Service is required in order to use BambooHR. Once you subscribe to BambooHR, you agree to our Terms of Service, and that acts as the service agreement while you use our services.

If you have accepted our Data Processing Agreement (DPA), you can review when the DPA was accepted under Settings > Account > Account Info in BambooHR. To find additional information about our DPA, please refer to the BambooHR DPA webpage or our Trust Center.


I would like to know more information about your most recent penetration test findings.

The penetration test describes how many high, medium, and low findings were reported. Unfortunately, we cannot give external parties any more information, such as the type or details of the findings, given the sensitive nature of that information and our commitment to protect the data of our customers and our systems.

We also have an active bug bounty program through HackerOne. This allows skilled security researchers to access a non-production instance of our software and thoroughly test it in exchange for compensation. It has been very successful in improving the security of our product on an ongoing basis, where external vulnerability tests occur only annually. If you would like to test our program yourself, please request an invitation to participate in this program. Any other attempt at conducting any kind of penetration test directly against BambooHR would be in violation our Terms of Service and is grounds for termination of service. 

Two to four weeks is an appropriate time frame for high and critical findings, but medium and low findings are often given a longer resolution time window. We can assure you that we take security findings very seriously and prioritize them accordingly.


Can you please explain to me your Data Loss Prevention (DLP)?

We have contracted with Netskope, who is a leader in the DLP space and are deploying their service to protect all systems at BambooHR.


Does BambooHR use any internally-created cryptography?

We use industry-standard encryption for both data at rest and in transit. We do not use any internally-developed methods or algorithms for encryption.


Does BambooHR provide information about previous breaches, and how are customers told when breaches happen?

We notify affected customers about security incidents in accordance with the law applicable to data affected by any security incident. You can find further information in our Terms of Service (see Section 10.1 of Security Breach). You can also find additional information in our Privacy Policy.


Does BambooHR have any information regarding third-party vendors or additional supply chain assurance?

We have a process in place for third-party vendor management with SafeBase, who also serves out important security documents to our customers who are evaluating our security. We closely monitor security incidents such as the incident at Solarwinds, which we were unaffected by, so that we can quickly and appropriately respond to supply chain attacks.


Does BambooHR have any other multifactor authentication (MFA) plans?

Beyond our two-factor authentication and SSO/SAML options, we do not have any current plans announced for increasing our MFA options.


What are your password requirements?

When creating or changing a password, here are the requirements.


Can I know more information about where BambooHR stores our data?

BambooHR currently has three data centers:

1. United States
2. European Union (located in Ireland)
3. Canada

Each data center has a backup located in the same country. None of your data is mirrored or stored elsewhere. Each center has a Network Operations Center (NOC) staffed 24/7. Payroll services—Payroll (US-only) uses Google Cloud.

We automatically add all customers located in the EU to this data center. However, other companies can request to have their accounts and data moved to this data center or one of our others in the US or Canada by reaching out to a support hero.


Would customer data in the EU data center be accessed, stored, or transmitted outside of the EU (e.g., in the event of support/helpdesk)?

If you have GDPR obligations, we have a data center in Ireland and have no plans to move your data from the EU data center but reserve the right to if necessary under our DPA while still committing to protect your data as required by the GDPR (the revised SCCs are incorporated into our DPA). At this point, we could only anticipate needing to move it to one of our other data centers if there was an issue with the EU data center and we need to move the data to protect and preserve it or to service your account. Keep in mind that we are authorized to use subcontractors under the DPA. Please see our list of subcontractors here.


How does BambooHR store credit card information?

We do not store credit card information directly for the processing of payments for our services but rather use a vendor that is PCI-compliant. We may, however, store the last four digits, and it is encrypted. Customers use a secure link when they need to add or update credit card information.


Is BambooHR FIPPA-compliant?

We are not FIPPA-compliant as it is something that does not apply to us as a private entity. If you are wondering about the security obligations based on the FIPPA privacy law, we recommend you review our SOC II report to decide if it serves your purposes or not.


Is BambooHR HIPAA-compliant?

BambooHR does not believe that it is a business associate under HIPAA and that HIPAA applies to its services. You would be a business associate and subject to HIPAA if you receive Protected Health Information ("PHI") from a covered entity under HIPAA and provide services to that covered entity using the PHI. PHI is personally identifiable information about a person's past, present, or future health status that is used in the provision of healthcare, paying for healthcare, or healthcare operations. A covered entity is a health plan, a health plan clearinghouse, or a health care provider.

BambooHR does not request any PHI from customers, and such information is not necessary to use our services. We do not assist in the provisioning or paying of healthcare for our customers or their employees; customers simply keep and track employment files in our services. Additionally, the definition of PHI under HIPAA excludes individually identifiable health information in employment records held by a covered entity in its role as an employer. 


What is the insurance for cyber liability?

While we do maintain insurance as any prudent business would, we deem it confidential, and we do not share it with third parties. Our insurance has no bearing on whether we are responsible or liable for a data breach as that is governed by our Terms of Service.

Under our Terms of Service, we agree to have reasonable security measures to protect your data. If we fail in that regard due to our gross negligence or willful misconduct and a data breach occurs, then we are not limiting our liability. But as we say in our privacy policy, no transmission or method of storage over the internet is ever 100% secure. Therefore, we cannot guarantee the security of your data. If a data breach occurs in a circumstance other than the one described above (like if it occurs because of something your company did or even despite BambooHR having deployed reasonable security measures), that is still the responsibility of your company as the owner of the data. Our invitation to all of our customers is to become familiar with our security measures and decide if they are comfortable using our services. You can review our security documentation in our Trust Center, which contains things like our SOC II audit, an attestation of penetration testing, industry questionnaires, etc., so that you may review those measures.

As an additional resource, you can also review our Terms of Service and Privacy Policy here.