Security
We know you’re trusting BambooHR with your data, and we take that responsibility very seriously. That’s why we practice Defense in Depth, a principle focusing on multiple layers of security controls, as well as Zero Trust, a security model developed by industry leaders to secure resources at the system level rather than focusing on perimeter defense. We keep your data locked down at every level, and we take multiple measures to ensure it stays that way. Here are just some of the measures we take to prevent data leaks and unauthorized data access:
- Active bug bounty program.
- Frequent vulnerability scans.
- Web application firewall.
- Annual third-party SOC 2 security audit.
- Input validation.
- Annual third-party penetration test.
- Continuous security management and monitoring.
- Strongest industry standard encryption.
- Native Multi-Factor Authentication available to all BambooHR customers.
We understand that security is more than just creating a secure application—it involves monitoring, improving, and remaining vigilant against risks both internal and external.
We can provide additional information, including compliance reports and attestation letters, upon request.
Our customers’ data is hosted in the United States, Canada, or Ireland, depending on the location and needs of individual customers and applicable laws. All information is encrypted in transit, and certain sensitive fields are encrypted at rest. In addition, the data center located in Ireland meets all of the data requirements of the European Union, European Economic Area, Switzerland, and the United Kingdom.
Privacy
BambooHR does not sell, share, or trade any customer data—period. Your information and your company’s information are not for sale, and never will be. Access to customer data is restricted to individuals who require that information to fulfill their job duties. All employees are subject to background checks before hiring, and we only hire individuals of the highest integrity.