This Security Policy describes the administrative, technical, and physical safeguards Beezifi Inc. ("Beezifi") employs to protect the confidentiality, integrity, and availability of Customer Data and the Beezifi GRC platform. This policy is provided for informational purposes. Beezifi does not warrant or guarantee that its security measures will prevent all unauthorized access, data loss, or security incidents. Customers remain responsible for their own security obligations, including credential management, user access reviews, and compliance with applicable laws.
1. Security Governance
Beezifi maintains a formal information security program aligned with industry best practices, including the NIST Cybersecurity Framework (CSF) and ISO/IEC 27001 principles. The program includes:
- Designated security ownership accountable for the security program
- Written information security policies reviewed and updated at least annually
- Risk assessments conducted at least annually and when significant changes occur
- Security awareness training for all personnel upon hire and annually thereafter
- Regular reviews of access rights, security controls, and third-party vendors
2. Infrastructure Security
The Beezifi GRC platform is hosted on Amazon Web Services (AWS), a cloud provider with extensive third-party certifications including SOC 2 Type II, ISO 27001, FedRAMP, and PCI DSS. Beezifi leverages the AWS Shared Responsibility Model:
- AWS is responsible for the security of the cloud (physical data centers, hardware, hypervisor)
- Beezifi is responsible for security in the cloud (OS hardening, network controls, application security, data protection)
Infrastructure is deployed in multiple AWS Availability Zones to provide fault tolerance and high availability. Production and non-production environments are strictly segregated.
Cloud Provider: Amazon Web Services (AWS)
Regions: US-East, US-West (primary)
Availability: Multi-AZ deployment
AWS Certifications: SOC 2, ISO 27001, FedRAMP
3. Data Encryption
3.1 Encryption in Transit
All data transmitted between users and the Beezifi platform is encrypted using TLS 1.2 or higher. Older, insecure protocols (SSL 3.0, TLS 1.0, TLS 1.1) are disabled. HTTP traffic is redirected to HTTPS in production environments. Strict Transport Security (HSTS) headers are enforced.
3.2 Encryption at Rest
Customer Data stored in databases and file storage is encrypted at rest using AES-256, managed through AWS Key Management Service (KMS). Database backups are encrypted using the same standards. Encryption keys are rotated on a scheduled basis.
3.3 Key Management
Encryption keys are managed through AWS KMS with hardware security module (HSM) backing. Key access is restricted to authorized services only and is logged for audit purposes.
4. Access Control
4.1 Principle of Least Privilege
Access to production systems and Customer Data is granted on a least-privilege, need-to-know basis. Privileged access is reviewed quarterly and revoked promptly upon role change or termination.
4.2 Multi-Factor Authentication
Multi-factor authentication (MFA) is required for all Beezifi personnel accessing production systems, administrative consoles, and cloud infrastructure. Customers are strongly encouraged to enable MFA for all platform users.
4.3 Role-Based Access Control
The platform implements role-based access control (RBAC) with distinct roles (viewer, auditor, risk manager, compliance officer, admin, superadmin) to enforce access boundaries within each tenant.
4.4 Session Management
Sessions use short-lived, cryptographically signed access tokens. Refresh tokens are rotated on use and invalidated on logout or password change.
5. Network Security
- Production infrastructure is deployed within an AWS Virtual Private Cloud (VPC) with private subnets for application and database tiers
- Network Access Control Lists (NACLs) and security groups restrict inbound and outbound traffic to authorized sources and ports only
- Public-facing endpoints are protected by a Web Application Firewall (WAF) that blocks common attack patterns (OWASP Top 10)
- DDoS protection is provided through AWS Shield Standard
- Outbound internet access from backend services is controlled and monitored
- Inter-service communications are authenticated and encrypted
6. Application Security
- Secure development lifecycle (SDL) practices are integrated into engineering workflows, including threat modeling for significant features
- Code is reviewed by at least one additional engineer before merging to production branches
- Automated static analysis (SAST) and dependency vulnerability scanning are run on every build
- Secrets (API keys, credentials) are never committed to source control; secret management tools are used for injection at runtime
- Input validation and output encoding are applied throughout the application to prevent injection attacks (SQL injection, XSS, CSRF)
- HTTP security headers are enforced: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, HSTS
- API endpoints are rate-limited to mitigate brute-force and abuse
- Dependencies are monitored for known vulnerabilities using automated tooling; critical patches are applied within 72 hours
7. Vulnerability Management
Beezifi conducts ongoing vulnerability management activities:
- Automated vulnerability scanning of infrastructure and container images on a continuous basis
- Annual third-party penetration tests of the application and infrastructure
- Findings are risk-rated and remediated according to severity: Critical (24 hrs), High (7 days), Medium (30 days), Low (90 days)
- Penetration test executive summaries are available to Enterprise customers under NDA upon request
Customers who discover potential vulnerabilities are encouraged to report them through our responsible disclosure process (see Section 16).
8. Incident Response
Beezifi maintains a written Incident Response Plan (IRP) that covers detection, containment, eradication, recovery, and post-incident review. Key commitments:
- Security incidents are triaged within 4 hours of detection
- Customers will be notified of confirmed data breaches affecting their tenant within 72 hours of Beezifi's confirmation of the breach, to the extent required by applicable law
- Notifications will include the nature of the incident, data affected, steps taken, and recommended customer actions
- Incident response exercises are conducted at least annually
Beezifi's notification obligations do not substitute for Customer's independent breach notification obligations under applicable law (e.g., GDPR, HIPAA, state breach notification laws). Customer is solely responsible for notifying its own users and regulators as required.
9. Business Continuity and Disaster Recovery
- The platform is designed for high availability using multi-AZ deployment and load balancing
- Database backups are performed daily with point-in-time recovery (PITR) enabled; backups are retained for 30 days
- Recovery Time Objective (RTO): 4 hours; Recovery Point Objective (RPO): 1 hour (for Standard plan)
- Disaster recovery procedures are documented and tested at least annually
- Enterprise customers may arrange custom RTO/RPO commitments and dedicated recovery support
Business continuity and disaster recovery capabilities are provided on a best-effort basis. Beezifi does not guarantee specific uptime levels unless expressly stated in a written SLA agreement with Enterprise customers. The Services are provided without an implied uptime guarantee to Standard plan customers.
10. Sub-processor and Vendor Security
Beezifi engages third-party sub-processors to provide infrastructure and supporting services. All sub-processors are subject to:
- Security and privacy due diligence prior to onboarding
- Written data processing agreements (DPAs) restricting use of Customer Data
- Annual security reviews
A current list of sub-processors is available upon request by emailing security@beezifi.com. We notify customers of material sub-processor changes at least 30 days in advance.
11. Employee Security
- Background checks are conducted for all new employees prior to access to production systems
- All employees complete information security awareness training upon hire and annually
- Employees with access to Customer Data are subject to confidentiality obligations
- Access is revoked within 24 hours of employee termination or role change
- Acceptable use policies govern employee use of systems and data
12. Tenant Isolation
Each Customer's data is logically isolated using tenant-scoped identifiers enforced at the application and database layers. Row-level security policies ensure that queries can only return data belonging to the authenticated tenant. Tenant isolation is validated through automated testing on every deployment. Beezifi does not share, commingle, or cross-reference Customer Data between tenants.
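As an added illustration of the row-level security pattern described above (example code written for this page, not Beezifi's own schema or policies), the following PostgreSQL definitions scope every read and write to the tenant of the authenticated request; the table, column, role and setting names are assumptions:

```sql
-- Added example of tenant-scoped row-level security in PostgreSQL.
-- Table, column, role and setting names are assumptions, not Beezifi's schema.
CREATE TABLE risk_register (
    id        bigserial PRIMARY KEY,
    tenant_id uuid       NOT NULL,
    title     text       NOT NULL
);

-- The application connects as a non-owner role so the policy cannot be bypassed.
CREATE ROLE grc_app NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON risk_register TO grc_app;
GRANT USAGE, SELECT ON SEQUENCE risk_register_id_seq TO grc_app;

ALTER TABLE risk_register ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy even when the table owner runs the query.
ALTER TABLE risk_register FORCE ROW LEVEL SECURITY;

-- USING filters the rows a statement can see or affect; WITH CHECK rejects
-- inserts or updates that would place a row under another tenant.
-- current_setting(..., true) returns NULL when the variable is unset, so a
-- request that never set its tenant sees no rows rather than all rows.
CREATE POLICY tenant_isolation ON risk_register
    FOR ALL TO grc_app
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Per request, inside a transaction, after the caller has been authenticated.
-- SET LOCAL keeps the tenant bound to this transaction only, so a pooled
-- connection cannot carry one tenant's context into the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
INSERT INTO risk_register (tenant_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Vendor risk: cloud provider');
-- A write under a different tenant_id is rejected by the WITH CHECK clause;
-- an isolation test run on deployment would assert that this statement fails:
-- INSERT INTO risk_register (tenant_id, title)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'Cross-tenant row');
SELECT id, title FROM risk_register;  -- scoped to the tenant set above
COMMIT;
```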
13. Logging and Monitoring
- Application, infrastructure, and security events are logged to a centralized, tamper-resistant log management system
- Logs include authentication events, API access, administrative actions, and security alerts
- Logs are retained for a minimum of 12 months
- Automated alerting is configured for anomalous behavior, failed authentication attempts, and security events
- Beezifi's security team reviews alerts 24×7 through automated monitoring pipelines
14. Physical Security
Beezifi's Services are hosted in AWS data centers, which maintain SOC 2 Type II certified physical security controls including biometric access, 24×7 on-site security staff, CCTV surveillance, and environmental controls. Beezifi employees do not have physical access to data center hardware.
Beezifi's internal offices in Lacey, Washington are secured with access control systems and key-card entry. Visitors are escorted and logged. Sensitive printed materials are disposed of by cross-cut shredding.
15. Customer Responsibilities
Beezifi's security measures protect the platform layer. Customers are responsible for securing their own environment, including:
- Enabling and enforcing MFA for all Authorized Users
- Managing user access, including promptly deprovisioning departed employees
- Choosing and safeguarding strong, unique passwords and credentials
- Ensuring their devices and browsers accessing the platform are free from malware
- Reviewing and complying with their own regulatory and contractual security obligations
- Reporting suspected security incidents promptly to security@beezifi.com
- Exporting and maintaining independent backups of critical compliance data
Beezifi is not responsible for security incidents resulting from Customer's failure to fulfill these responsibilities, including but not limited to compromised credentials, unauthorized sharing of access, or insecure customer-side environments.
16. Responsible Disclosure
Beezifi welcomes reports from security researchers who discover potential vulnerabilities in our platform. To report a vulnerability:
- Email security@beezifi.com with a detailed description of the vulnerability, steps to reproduce, and potential impact
- Do not exploit the vulnerability beyond what is necessary to demonstrate the issue
- Do not access, modify, or delete Customer Data; do not disrupt service availability
- Do not publicly disclose the vulnerability until Beezifi has had a reasonable time (at least 90 days) to investigate and remediate
We will acknowledge receipt within 5 business days, provide status updates, and recognize responsible reporters in our security acknowledgments (with permission). Beezifi does not pursue legal action against good-faith security researchers who comply with this policy.
This responsible disclosure policy does not constitute authorization for unauthorized access. Any testing must be conducted against your own tenant and must not affect other customers.
17. Limitations and Disclaimer
This Security Policy describes Beezifi's current security practices and is provided for informational purposes only. It does not constitute a warranty, guarantee, or contractual commitment regarding security outcomes. Security practices may evolve over time; this policy will be updated to reflect material changes.
No security program can guarantee complete protection against all threats. Beezifi's liability for security incidents is limited as set forth in the Terms of Service. Customers should conduct their own risk assessments and implement layered security controls appropriate for their regulatory obligations.
Beezifi is not responsible for security vulnerabilities introduced through third-party integrations configured or managed by the Customer, or for incidents arising from Customer's failure to fulfill the responsibilities described in Section 15.