No. BambooHR does not complete and fill out security questionnaires on behalf of our customers. However, we invite our customers to sign and review our CAIQ and Sig Lite questionnaires, as well as our SOC II report that covers our security processes and procedures, among other things, to answer any questions they may have as it relates to security. 

As our customer base and partnerships have expanded greatly over the last few years, we cannot supply the resources to answer lengthy security audits for each interested party. We hope that using this common industry standard and a reputable third-party to audit our controls will give you the assurance you required to have confidence in our security controls.

Our Trust Center answers the most common security questions about third-party audits and certifications (e.g., SOC II report), internal policies, and industry-standard questionnaires. It also provides a list of resources, such as our Privacy Policy, Terms of Service, etc. You can request access to the Trust Center. In the top right corner, select Get Access. Then, enter your email address to receive a link to review our documentation. 

The penetration test describes how many high, medium, and low findings were reported. Unfortunately, we cannot give external parties any more information, such as the type or details of the findings, given the sensitive nature of that information and our commitment to protect the data of our customers and our systems.

We also have an active bug bounty program through HackerOne. This allows skilled security researchers to access a non-production instance of our software and thoroughly test it in exchange for compensation. It has been very successful in improving the security of our product on an ongoing basis, where external vulnerability tests occur only annually. If you would like to test our program yourself, please request an invitation to participate in this program. Any other attempt at conducting any kind of penetration test directly against BambooHR would be in violation our Terms of Service and is grounds for termination of service. 

Two to four weeks is an appropriate time frame for high and critical findings, but medium and low findings are often given a longer resolution time window. We can assure you that we take security findings very seriously and prioritize them accordingly.

We have contracted with Netskope, who is a leader in the DLP space and are deploying their service to protect all systems at BambooHR.

We use industry-standard encryption for both data at rest and in transit. We do not use any internally-developed methods or algorithms for encryption.

We notify affected customers about security incidents in accordance with the law applicable to data affected by any security incident. You can find further information in our Terms of Service (see Section 10.1 of Security Breach). You can also find additional information in our Privacy Policy.

We have a process in place for third-party vendor management with SafeBase, who also serves out important security documents to our customers who are evaluating our security. We closely monitor security incidents such as the incident at Solarwinds, which we were unaffected by, so that we can quickly and appropriately respond to supply chain attacks.

Beyond our two-factor authentication and SSO/SAML options, we do not have any current plans announced for increasing our MFA options.

When creating or changing a password, here are the requirements.

BambooHR currently has three data centers:

1. United States
2. European Union (located in Ireland)
3. Canada

Each data center has a backup located in the same country. None of your data is mirrored or stored elsewhere. Each center has a Network Operations Center (NOC) staffed 24/7. Payroll services—Payroll (US-only) uses Google Cloud.

We automatically add all customers located in the EU to this data center. However, other companies can request to have their accounts and data moved to this data center or one of our others in the US or Canada by reaching out to a support hero.

If you have GDPR obligations, we have a data center in Ireland and have no plans to move your data from the EU data center but reserve the right to if necessary under our DPA while still committing to protect your data as required by the GDPR (the revised SCCs are incorporated into our DPA). At this point, we could only anticipate needing to move it to one of our other data centers if there was an issue with the EU data center and we need to move the data to protect and preserve it or to service your account. Keep in mind that we are authorized to use subcontractors under the DPA. Please see our list of subcontractors here.

We do not store credit card information directly for the processing of payments for our services but rather use a vendor that is PCI-compliant. We may, however, store the last four digits, and it is encrypted. Customers use a secure link when they need to add or update credit card information.

We are not FIPPA-compliant as it is something that does not apply to us as a private entity. If you are wondering about the security obligations based on the FIPPA privacy law, we recommend you review our SOC II report to decide if it serves your purposes or not.

BambooHR does not believe that it is a business associate under HIPAA and that HIPAA applies to its services. You would be a business associate and subject to HIPAA if you receive Protected Health Information ("PHI") from a covered entity under HIPAA and provide services to that covered entity using the PHI. PHI is personally identifiable information about a person's past, present, or future health status that is used in the provision of healthcare, paying for healthcare, or healthcare operations. A covered entity is a health plan, a health plan clearinghouse, or a health care provider.

BambooHR does not request any PHI from customers, and such information is not necessary to use our services. We do not assist in the provisioning or paying of healthcare for our customers or their employees; customers simply keep and track employment files in our services. Additionally, the definition of PHI under HIPAA excludes individually identifiable health information in employment records held by a covered entity in its role as an employer. 

While we do maintain insurance as any prudent business would, we deem it confidential, and we do not share it with third parties. Our insurance has no bearing on whether we are responsible or liable for a data breach as that is governed by our Terms of Service.

Under our Terms of Service, we agree to have reasonable security measures to protect your data. If we fail in that regard due to our gross negligence or willful misconduct and a data breach occurs, then we are not limiting our liability. But as we say in our privacy policy, no transmission or method of storage over the internet is ever 100% secure. Therefore, we cannot guarantee the security of your data. If a data breach occurs in a circumstance other than the one described above (like if it occurs because of something your company did or even despite BambooHR having deployed reasonable security measures), that is still the responsibility of your company as the owner of the data. Our invitation to all of our customers is to become familiar with our security measures and decide if they are comfortable using our services. You can review our security documentation in our Trust Center, which contains things like our SOC II audit, an attestation of penetration testing, industry questionnaires, etc., so that you may review those measures.

As an additional resource, you can also review our Terms of Service and Privacy Policy here.