BLUEFACTORY SECURITY CONTROLS
Introduction
Bluefactory was designed from the beginning with security in mind. The architecture implements a variety of security controls across multiple tiers to address a range of security risks. These security controls are subject to change; however, any changes will not materially decrease the overall security of the Services.
Bluefactory utilizes global Amazon Web Services (AWS) for its computing and storage needs. AWS is a top-tier facility with several accreditations, including SOC1 - SSAE-18, SOC2, SOC3, ISO 27001, and HIPAA.
Web-Application Security Controls
The Bluefactory application is accessible only over HTTPS (TLS 1.2), which encrypts the session between the end user and the application and between Bluefactory and Salesforce.
A Bluefactory account administrator can provision and de-provision additional Bluefactory users and associated access as necessary.
Role-based access control to manage multi-org permissions.
The Bluefactory audit trail is available to customer administrators and includes username, action, timestamp, and source IP address fields. Audit trail logs can be viewed and exported by a customer administrator logged into the Bluefactory application, as well as through an available API.
Access to the Bluefactory application can be restricted by source IP address.
OAuth 2.0 is used to obviate the need to store administrator credentials where practicable.
Multi-factor authentication for accessing Bluefactory application accounts utilizing time-based one-time passwords.
Encryption
Bluefactory uses FIPS 140-2 approved algorithms and key sizes (AES 256-bit) for encryption at rest. Additionally, Bluefactory uses Amazon Web Services (AWS) Elastic Block Store volumes encrypted using Linux Unified Key Setup (LUKS), as well as hardened S3 buckets encrypted using AWS Key Management Service (KMS) for storing backed-up data.
AWS KMS is used in Server-Side Encryption mode via Customer Managed Keys.
Traffic between Bluefactory and Salesforce APIs is over HTTPS utilizing TLS 1.2 and OAuth 2.0.
Network
Bluefactory uses Amazon's network controls to restrict egress and ingress network access.
Bluefactory uses a multi-tier architecture including multiple, logically separated VPCs (Virtual Private Clouds) within AWS.
VPC S3 Endpoint restrictions are used in each region and allow access only from the respective VPC.
Monitoring and Auditing
Bluefactory systems and networks are monitored for security incidents, system health, network abnormalities, and availability.
Bluefactory collects application, network, user, and OS events to a centralized syslog server. These logs are automatically analyzed and reviewed for suspicious activity and threats. Any anomalies are escalated as necessary.
Bluefactory uses an intrusion detection system to monitor network activity and alert on suspicious behavior.
Disaster Recovery
Bluefactory uses Amazon Web Services (AWS) S3 and AWS EBS for storing encrypted customer data.
For customer data stored on AWS S3, Bluefactory uses object versioning with automatic aging together with bucket replication to a separate, highly restricted backup AWS account to support compliance with Bluefactory disaster recovery and backup policies.
Any necessary recovery of compute instances is achieved by rebuilding a new instance of the same type and configuration.
The Bluefactory Disaster Recovery Plan is designed to support a 4-hour recovery time objective (RTO).
Vulnerability Management
Bluefactory performs periodic web application vulnerability assessments, static code analysis, and external dynamic assessments as part of its continuous monitoring program to ensure application security controls are properly applied and operating effectively.
Vulnerability assessment results are incorporated into the Bluefactory software development lifecycle to remediate identified vulnerabilities. Specific vulnerabilities are entered into the Bluefactory internal ticket system for tracking through resolution.
Incident Response
In the event of a potential security breach, the Bluefactory technical team will perform an assessment of the situation and develop appropriate mitigating strategies. If a potential breach is confirmed, Bluefactory will immediately act to mitigate the breach and preserve forensic evidence, and will notify impacted customers' primary points of contact without undue delay to brief them on the situation and provide resolution status updates.
Privacy and Data Protection
Bluefactory provides native support for data subject access requests, such as the right to erasure (right to be forgotten) and anonymization, to support compliance with data privacy regulations, including the General Data Protection Regulation and California Consumer Privacy Act. Bluefactory also provides a Data Processing Addendum to address privacy and data protection laws, including legal requirements for international data transfers.
Cyber Liability Insurance
Bluefactory maintains, at minimum, cyber liability insurance with a limit of 500,000€ per event and 8,000,000€ aggregate, including primary and excess layers, and including cyber liability, technology and professional services, technology products, data and network security, breach response, regulatory defense and penalties, cyber extortion, and data recovery liabilities.