boberdoo badges

OUR GUIDING PRINCIPLES

  • We believe that data is a valuable asset and should be protected accordingly for confidentiality, integrity and availability of the data under our care.
  • We embrace best practices, industry standards and evolving regulations because we believe they make us, and our industry, better.
  • We adapt our business to meet and exceed the security and privacy expectations of our clients and partners.
  • We promote security awareness and transparency among our employees, consumers and industry partners.
  • We pursue continuous improvement in security and privacy practices to protect our employees, clients and consumers against evolving threats.
  • We encourage and enable clients to implement robust data retention and deletion policies because we believe that lead companies should retain data only as long as required to provide the requested service to consenting consumers - not forever.


    SecurityMetrics PCI validation certification logo

    boberdoo conducts a self-assessment against the MVSP (Minimum Viable Secure Product) checklist at least annually using the Assumed Secure app.

    Minimum Viable Secure Product (MVSP) is a list of essential application security controls that should be implemented in enterprise-ready products and services. The controls are designed to be simple to implement and provide a good foundation for building secure and resilient systems and services. MVSP is based on the experience of contributors in enterprise application security and has been built with contributions from a range of companies.

    View our MVSP self-assessment report

    INFORMATION SECURITY PROGRAM OVERVIEW

    boberdoo.com LLC has developed and maintains a comprehensive information security program committed to protecting the confidentiality, integrity and availability of boberdoo systems and data. We strive to provide assurance of compliance with our internal policies, internationally recognized best practices and external regulatory requirements.

Key Components of our information security program include:

CIA Pie
  • Our Guiding Principles
  • Framework (based on NIST CSF)
  • Security Organization
  • Trusted Security Partners
  • Policies, Procedures and Standards
  • Risk Management Practices
  • Security Awareness Training
  • Network Protection
  • Technical Security Controls
  • Access Management
  • Vulnerability Management
  • Logging and Monitoring
  • Incident Response
  • Disaster Recovery
  • Application Security (Lead System Security Features)

    SECURITY & COMPLIANCE FRAMEWORK
RIPDR
We have adopted the NIST Cybersecurity Framework, which is a voluntary framework consisting of standards, guidelines, and best practices to manage information security risk. Our framework helps to guide us in protecting the confidentiality, integrity and availability of boberdoo infrastructure, systems, applications and data. Our policies, procedures and standards follow best practices and controls derived from NIST, ISO 27001, CIS-AWS Benchmarks, CIS Critical Security Controls, HIPAA, PCI DSS, GDPR and other industry standards and regulations.

IDENTIFY


SECURITY ORGANIZATION

The Information Security program is organized around and developed by our Chief Information Security Officer (CISO) and supported by company ownership/leadership and operational subject matter experts. boberdoo personnel maintain industry-recognized certifications including Certified Information Systems Security Professional (CISSP), ITIL, AWS certifications and others.

TRUSTED SECURITY PARTNERS

boberdoo partners with external service providers to enhance and support our security program.  We have retained a certified AWS partner, Trek10, to monitor our infrastructure 24/7 for system availability, performance and security compliance.  We work with nationally recognized security services firms to conduct vulnerability assessments, penetration testing and web application testing annually.  In addition to our annual tests and regular internal scanning, quarterly compliance scanning is conducted by SecurityMetrics to support us in best practices and compliance mandates. All systems are developed and hosted on Amazon Web Services’ SOC 2 & ISO 27001 compliant infrastructure.

POLICIES, PROCEDURES AND STANDARDS

boberdoo has developed policies and procedures and adopted standards intended to support our compliance with internationally recognized best practices and regulatory requirements. Our information security policies address network protection, systems monitoring & logging, endpoint protection, mobile device security, vulnerability management, patch management, access & audit, awareness, physical security, personnel security, acceptable use, third party management, disaster recovery, data protection and secure data management. Policies are reviewed annually.

RISK MANAGEMENT

boberdoo conducts formal information security risk assessments annually and as necessary when system or application changes result in changes to our risk exposure. The risk assessment evaluates the current threat landscape and identifies information security risks in our environment and their potential impact to our business and customer data.  Findings are discussed with stakeholders and we formulate a strategy and plans for risk treatment based on the assessment outcomes, risks identified and external compliance requirements.


PROTECT


SECURITY AWARENESS TRAINING

Security awareness is a foundational aspect of the boberdoo security program.  Awareness training is delivered to all employees annually and when first onboarded to the company.  Continuous awareness is also provided via a variety of communications channels throughout the year.  Employees are required to complete a training acknowledgment and test to validate their understanding of common security and privacy-related topics.

NETWORK PROTECTION

boberdoo systems are built for the cloud.  Our platform is hosted on Amazon Web Services (AWS). As such, clients benefit from the many certifications achieved by AWS.  To learn more, please visit the AWS Compliance Program site for information on applicable certifications. Our infrastructure is developed and deployed according to best practices and monitored for compliance with CIS-AWS benchmarks.  Furthermore, our infrastructure is monitored and supported by a leading AWS-managed security services partner to add an additional layer of oversight and assurance.

TECHNICAL SECURITY CONTROLS

boberdoo’s web application firewall protects your data against common web attacks including the OWASP Top 10. We monitor for malicious activity using intrusion detection systems and have capabilities for DDoS prevention to ensure the high availability of systems.  Other security controls include:

  • Logical access controls
  • Encryption of data in transit (TLS/SSL)
  • Encryption of data at rest
  • Multi-factor authentication
  • Review of third-party supplier security practices
  • Access reviews and audits
  • Continuous system patching and application updates
  • Disaster recovery planning and testing

ACCESS MANAGEMENT

All access at boberdoo must be requested, approved and authorized according to a user’s roles & responsibilities and we adhere to the principle of least privilege. Passwords, access keys and role-based authentication mechanisms are used to authenticate users and services. Multi-factor authentication is required to access infrastructure systems. Access is promptly removed when a user is terminated and adjusted based on changing roles & responsibilities. All access and privileged actions are monitored and logged. 


DETECT


VULNERABILITY MANAGEMENT

boberdoo contracts with external vendors to conduct vulnerability scanning and penetration testing annually. Industry-standard tools are used to identify and analyze vulnerabilities, audit system configurations and monitor compliance. Internal vulnerability scanning of critical infrastructure is performed on a monthly basis and integrated with our development process.  Vulnerabilities are logged and remediated according to severity.  It is our goal to never release a system update with a critical vulnerability and to promptly fix vulnerabilities when they are identified in existing systems.

LOGGING AND MONITORING

boberdoo maintains a robust centralized logging environment. Logging is enabled in order to establish an audit trail for all system access. Logging is performed at the application level as well. Audit trails are implemented and secured to prevent unauthorized access.  All infrastructure is monitored in real-time and alerts on availability, performance and security-related anomalies. Logs are retained for at least 12 months.


RESPOND


INCIDENT RESPONSE

boberdoo maintains an incident response policy and procedures to ensure security events are promptly identified, investigated, contained, remediated, and reported internally and externally, as necessary when customer and regulatory notifications are required. Our process defines roles & responsibilities, the severity of the incident, notification procedures, and remediation steps. All security events are logged and assessed upon identification. In the event of an incident, we will notify impacted customers in a timely manner of any security incident or breach that impacts your data. 

To report a security incident, please contact security@boberdoo.com.


RECOVER


DISASTER RECOVERY

Data is replicated to multiple availability zones to support the high availability of systems and data. Critical business applications and systems are recoverable via failover to alternate regions in the event of a disaster. Disaster recovery procedures are documented and tested.


BOBERDOO SYSTEM & PLATFORM


LEAD SYSTEM SECURITY

boberdoo has developed a lead system security and data management suite that allows you to build and implement a complete automated data security and retention strategy. Lead system security features include:

  • Two-factor authentication set at the user level for logins to the boberdoo system
  • Sensitive data encryption with access via Secure Mode
  • Individual field cleanup and full lead deletion rules
  • Automated and bulk secure export to store encrypted data in your Amazon Web Services account
  • Real-Time PII Field Cleanup
  • Real-Time Email & Phone Hashing
  • 365 Day Lead Deletion (maximum allowed retention)
  • Learn more about Lead System Security

Learn More