Data Security

What security measures are in place for my data?

Purpose: To help you understand what security measures BambooHR has taken to protect your data so you can feel confident it is safe and secure.


Physical security

Our servers are located in state-of-the-art data centers that use biometric authentication, key card access controls, and constant video surveillance. Our data centers are in the US, EU, and Canada and have a Network Operations Center (NOC) staffed 24/7.

Data security and Privacy Shield certification

As of July 20, 2020, the Court of Justice of the European Union issued a judgment overturning Privacy Shield. To assist customers with GDPR compliance, we operate an EU data center located in Ireland to store your data. We also offer our Data Processor Agreement (DPA), in which we agree to comply with the requirements of processors under the GDPR, including an appropriate transfer mechanism in the Standard Contractual Clauses (SCCs) should it ever be necessary to move your data outside of the EU. For any additional questions or concerns, please contact Customer Support.


Network and application security

The following processes are in place to protect your data from unwanted third parties:

  • Application design: We have designed the system from the ground up with security in mind. By applying best practices in web application security, we aim to prevent critical vulnerabilities.
  • SSL/TLS: We encrypt all customer information in transit using modern TLS.
  • Strong encryption: Sensitive information (social security numbers, driver license numbers, etc.) is encrypted in our database using the Advanced Encryption Standard (AES).
  • Firewall: Our application, including our customers' data, sits behind appropriate firewalls.
  • Vulnerability scanning: We regularly undergo vulnerability scanning and penetration testing and maintain an active bug bounty program.
  • New browser login notifications: See details below.

New browser login notifications

When a user attempts to log in to an account through a new browser, the user of that account will receive an email notification about the login activity. The email will display the time zone and country of origin of the login attempt. This provides our users with an extra level of security.

If there is a security concern, there is an option to reset your password. Only the user of the account will receive the email notification, not their manager.

A modal will also appear after the user logs in to their account. The user can review the login details and confirm whether they trust the browser being used.

Clicking Yes, Trust this Browser will allow the user to successfully log in to their account, and they will no longer see this modal or receive email notifications for future login attempts with this browser.

If a user blocks or clears their cookies, they will receive the notification the next time they log in to their account. Users will not receive a notification if they log in through a third-party authentication tool or on the mobile app. 
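The trusted-browser flow described above, modelled in code as an added illustration (this is not BambooHR's implementation, and the cookie name, the cookie format and the `handle_login` / `trust_browser` function names are assumptions): the browser is remembered with a cookie whose value is a random browser id plus an HMAC tag bound to the user, so a missing, cleared, malformed or another user's cookie counts as a new browser and triggers the email notification and the trust modal, while logins through a third-party authentication tool or the mobile app are excluded as the text states.

```python
"""Model of a 'new browser' login-notification flow (added illustration, not
BambooHR's code). A trusted browser is remembered with a cookie whose value is a
random browser id plus an HMAC over (user id, browser id); the tag cannot be
forged without the server key and a cookie cannot be replayed for another user."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed per-process secret; a real deployment would load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)
TRUST_COOKIE = "trusted_browser"  # hypothetical cookie name


@dataclass
class LoginDecision:
    """What the server does once the credentials have already been verified."""
    notify_by_email: bool      # send the "new browser login" mail to the account's user
    show_trust_modal: bool     # ask "Yes, Trust this Browser?" after login
    email_body: Optional[str] = None


def _mac(user_id: str, browser_id: str) -> str:
    """HMAC-SHA256 tag binding a browser id to exactly one user."""
    msg = f"{user_id}\x00{browser_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def trust_browser(user_id: str) -> str:
    """Cookie value to set when the user clicks 'Yes, Trust this Browser'."""
    browser_id = secrets.token_hex(16)
    return f"{browser_id}.{_mac(user_id, browser_id)}"


def browser_is_trusted(user_id: str, cookie: Optional[str]) -> bool:
    """True only if the cookie carries a valid tag for *this* user."""
    if not cookie or len(cookie) > 256:
        return False
    browser_id, sep, tag = cookie.partition(".")
    if not sep or not browser_id:
        return False
    return hmac.compare_digest(tag, _mac(user_id, browser_id))


def handle_login(user_id: str, cookie: Optional[str], *, via_sso: bool = False,
                 mobile_app: bool = False, country: str = "??",
                 tz: str = "UTC") -> LoginDecision:
    """Decide whether a successful login came from a new browser."""
    # Third-party authentication and the mobile app never trigger the notification.
    if via_sso or mobile_app:
        return LoginDecision(notify_by_email=False, show_trust_modal=False)
    # A valid cookie means this browser was trusted earlier: no mail, no modal.
    if browser_is_trusted(user_id, cookie):
        return LoginDecision(notify_by_email=False, show_trust_modal=False)
    # Missing (blocked/cleared), malformed or another user's cookie: treat as new.
    body = (f"A login to your account occurred from a new browser. "
            f"Country: {country}, time zone: {tz}. "
            f"If this was not you, reset your password.")
    return LoginDecision(notify_by_email=True, show_trust_modal=True, email_body=body)


if __name__ == "__main__":
    first = handle_login("alice", None, country="CA", tz="America/Toronto")
    print("first login:", first)
    cookie = trust_browser("alice")  # the user clicked "Yes, Trust this Browser"
    print("same browser again:", handle_login("alice", cookie))
    print("cookie replayed for another user:", handle_login("bob", cookie))
```

Because the trust state lives in the cookie rather than in a server-side table, blocking or clearing cookies naturally re-triggers the notification on the next login, which is the behaviour the text describes; binding the tag to the user id is what stops one account's trusted-browser cookie from silencing the notification for a different account on the same machine.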


Does BambooHR provide backups of my data?

All of your data is backed up nightly in at least two distinct availability zones. Backups are encrypted and transferred over TLS to protect the data in transit and at rest. Backing data up in this manner guards against unforeseen hardware issues (e.g., problems with a particular server or an unexpected data center outage) and allows a full account, with all of its data, to be restored after such an issue.

Our developers may manually retrieve individual employee or field data (e.g., if someone in your company accidentally deletes some information within a specific field) on a case-by-case basis, but this may incur an additional cost.


How do I report a security concern?

If you have any concerns about the security of your data stored in BambooHR, please take the following steps: 

  1. Collect as much information about your security concern as possible.
  2. Click on the question mark icon in the upper right-hand corner of the BambooHR app and select Submit a Support Request.
  3. In the body of the request, please provide as much information as possible about your security concern, including whatever supporting evidence caused you to become concerned for your data.
  4. The system will send your concern to our Support team initially. Depending on the severity of the issue, Support may send the concern to our Security team, who will then investigate to ensure that your data is secure. We will inform you of our investigative findings, along with any additional recommendations.

GDPR compliance

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR went into effect on May 25, 2018.

Is BambooHR GDPR-compliant?

Yes! Our systems and processes are compliant with the General Data Protection Regulation. This means that BambooHR stands ready to support and assist its customers who have employees residing in the EU as they also meet their own obligations under the GDPR.

Click here to learn more about how BambooHR is compliant with GDPR and what you can personally do to protect your HR data.

Is BambooHR® Payroll (TRAXPayroll) GDPR-compliant?

GDPR only applies to organizations that provide goods or services to European Union (EU) residents. BambooHR Payroll (TRAXPayroll) is a U.S.-based company only and does not provide services to any EU-based employees. GDPR therefore does not apply to BambooHR Payroll (TRAXPayroll).

Our Privacy Policy describes in simple and clear terms how BambooHR Payroll (TRAXPayroll) collects, uses, and protects your personal information. The Privacy Policy is also an integral part of our Terms and Conditions for all Payroll products.


Do I need to sign a Data Processing Agreement (DPA)?

You will need to sign a DPA (Data Processing Agreement) if the following applies to you:

  • You are a current BambooHR customer.
  • You have employees located in one of the current EU countries.

When getting started with your BambooHR account, the first Full Admin user or the Account Owner to log in will see the GDPR Compliance modal. This modal will show several options:

  • No, we don't: Selecting this will dismiss the DPA, and a record of the dismissal will appear in Settings > Account > Account Info. If you need to accept the DPA due to a change at your company, you can find a link to review the DPA in the Account Info section.
  • Yes, we do: Selecting this will prompt you to review and accept the DPA. A record of your acceptance will appear in Settings > Account > Account Info.
  • *Complete Later: Selecting this will dismiss this modal, but a notification will still remain in the What's Happening widget on Home until you have accepted or dismissed the DPA.

*Anyone can review our Data Processing Agreement on our BambooHR website. However, if you need a legal representative to review and accept the DPA, clicking Complete Later is the best option so that the appropriate user can log in and find the notification on Home to review and accept the DPA. Please note that the designated legal representative needs to be an admin-level user in the account to accept the agreement.

When there is a large enough update to the DPA,* the first Full Admin user or Account Owner to log in to BambooHR will receive an announcement alerting them to the update. They will be able to read through the full DPA and agree to it by checking the box and clicking Save. This will dismiss the announcement.

*You will only receive this alert if you have previously agreed to the DPA.

Frequently asked questions
  1. Have you been able to review the updated standard contractual clauses (SCCs) for the EU? What is BambooHR’s action?
  2. I am not in the EU and do not have any employees in the EU. Do I need to sign it?
    • We require all customers to select the answer that best suits their company’s situation in the DPA prompt the first Full Admin user or Account Owner receives when logging in to the account.
  3. I interpreted it wrong and retriggered the DPA acceptance in the account. How do we undo that?
    • If you retriggered it in Settings > Account > Account Info, you can re-select the answer that best aligns with your company’s situation.
    • If you selected Yes, we do when it asks if you have employees in certain countries that require the DPA, please reach out to [email protected] to re-trigger the DPA acceptance. They will confirm when it is re-triggered. This will take you back to where you can select No, we don’t to best align with your company's situation.
  4. I have multiple accounts. Is there a way for me to agree to just one DPA for all of them?
    • Due to the nature of our DPA, there is no way to agree to the prompt/sign the DPA for all of your accounts at once. You will need to log in to each account and select the answer that best suits each company’s situation in the DPA prompt. The Account Owner or a Full Admin user can also go to Settings > Account > Account Info > Data Processing Agreement (DPA).
  5. I received an email stating I need to sign it but have multiple accounts. How do I know which one this is for?
    • Please reach out to [email protected] to confirm which account you have received the email for. You can also go to Settings > Account > Account Info > Data Processing Agreement (DPA) to check. If a user has reviewed the DPA, this section will state who responded to your account’s prompt and when. If no one has responded to the prompt, you can click Review the DPA. You will need to complete this process for each account you have with BambooHR.
  6. Can I sign it via e-signature?
    • Yes, please reach out to [email protected], and they will be happy to work with you and our Legal team on the process.
      1. In order to initiate the process, we need to know (1) what company you are requesting the e-signature for and (2) the contact on your team it should go to, along with their email address, title, and phone number.
      2. This contact must be a Full Admin user or the Account Owner.
  7. I recently signed your DPA. Why am I getting this again?
    • We try not to take you away from your great work, and we rarely update our Data Processing Agreement (DPA), but with the updated Standard Contractual Clauses (SCCs) for the EU, we found it necessary to require this update. You, as a customer, are the data controller. Since we house the data, we are required to notify all customers of significant updates to our DPA; this includes reviewing and responding to the DPA prompt within individual BambooHR accounts. The DPA was last updated as of September 24, 2021, to address the updated SCCs—starting with Annex I within the DPA.
    • Any Full Admin user(s) or the Account Owner can review the prompt when signing in to your account, or they may also go to Settings > Account > Account Info > Data Processing Agreement (DPA) and click Review the DPA.
  8. I previously declined the DPA, but now I need to accept it. How do I access it?
    • Go to Settings > Account > Account Info > Data Processing Agreement (DPA) and click Review the DPA. This will trigger a pop-up where you can accept our current Data Processing Agreement. Only Full Admin users and the Account Owner can click Review the DPA. Please ensure that only someone who is legally authorized to sign on behalf of your company accepts the DPA.
    • If you do not see the Review the DPA option, that means someone at your organization has already accepted the DPA. In this section, you can see who accepted it and when the acceptance occurred.

For further questions regarding the DPA, please reach out to [email protected].


Security profile

Running a secure operation starts with creating a secure application, but it also requires constant monitoring, improvement, and vigilance against internal and external threats. Want to see the complete report of our ongoing security measures for yourself?

We make it easy to validate the safety of your data with us by bringing together all the security documentation (reports, certificates, audits, and questionnaires) you are looking for in a single location—BambooHR Trust Center, powered by SafeBase. Click here to access our current security profile.


Mobile app security FAQ
  1. Is any data stored on the device?
    1. We store authentication information (no passwords), some user interface settings, and other internal-use information on the device. We also store images and files in temporary, OS-protected folders. In some cases, we store minimal directory information for transfer to the OS (caller id on iOS).
  2. If data is stored on the device, is it encrypted?
    1. Yes, for all authentication, settings, and internal information. We store any unencrypted information in OS-protected folders, which means that it is unavailable outside the app (unless the device is jailbroken/rooted).
  3. If the device is lost or stolen, how is data removed?
    1. The user should reset their password. Doing this will NOT remove the app or its data from the device but will make the app unusable.
  4. Does the application have any opening security before login (i.e., PIN or biometric to prevent unauthorized access), or if the phone is left open, does the app prevent access with additional security before you can access it again?
    1. The user can configure the application to use either a PIN or biometric login, depending on what the OS supports. The user is not required to configure either of these.

Subprocessors

For more information on subprocessors, click here.

Frequently asked questions

  1. Where do I find your list of subprocessors?
    • You can find the list online here.
  2. What due diligence have you done on these subprocessors, and how do I know that they are secure?
    • Our Security team has reviewed the security measures implemented by these subprocessors, including any available third-party audits for their services. BambooHR has also entered into Data Processing Agreements (DPAs) with the subprocessors for the protection of the data.
  3. Will I be notified if any additional subprocessors are added to the list?
    • Yes, we will provide notification of any new subprocessors, as described in our DPA and Privacy Notice.
  4. What if I don’t agree with one of these subprocessors?
    • We would welcome any feedback you have on a subprocessor and would be happy to forward that feedback on to our Privacy team. BambooHR may choose to take additional action regarding that subprocessor or its use of their services, but ultimately, if you cannot agree to the use of one of these subprocessors, your option is to terminate your services with BambooHR. We hope, though, that the due diligence we have done and the contractual protections we have put in place with them will allow you to become comfortable with their services.

For more information on our security measures, click here.