Blissbook's protection of your data starts with a classification system. We classify the different types of data that we store across three categories (Customer Data, Customer User Data, and Internal Data), document the required protection levels for each type of data, and take precautions to ensure each type of data is protected as prescribed by the protection levels. Employees are trained regularly on this topic to ensure confidential data is not stored, shared, or transmitted without the proper protections in place.
Protections include, but are not limited to:
SHA-256 RSA Encryption: Applied at rest and in transit, both within our infrastructure and across our web, API, and SFTP endpoints.
Access Control: Within our infrastructure, we follow the principle of least privilege, granting access to PII only to specific staff members who have signed confidentiality agreements and passed appropriate background checks. Customer Admins may also grant varying levels of access to their teammates within their Blissbook account based on different roles.
Anonymization: Blissbook users are anonymized to a unique user ID, which is what's stored in our logs and databases.
Authentication: We have strict controls in place to ensure staff members and customer admin users authenticate themselves before accessing sensitive or highly sensitive information.
Logs & Monitoring: We keep a one-year history of system activity and regularly monitor it for anomalies.
Backups: Blissbook's data is backed up daily to multiple off-site locations. Backups are kept for 30 days, and we regularly test restoring data from backup systems.
Data Retention: We regularly delete unused or unnecessary customer data to limit exposure risk.
Staffing: All employees and contractors with access to customer or confidential data must pass a background check and sign an NDA or confidentiality agreement.
Training: Staff undergo annual training on a range of information security topics to ensure customer data is handled safely and securely.
Third-Party Oversight: Blissbook has completed a SOC 2 Type I audit and is currently undergoing a SOC 2 Type II audit that we expect to be completed in Q1 2025. We undergo third-party penetration testing at least every 18 months, and we also audit all third-party processors to ensure they meet our standards for keeping customer data safe.
Compliance: Blissbook complies with the latest GDPR, CCPA, and Data Privacy Framework regulations.
If you have further questions, please contact our support team. We are happy to share more details about our IT infrastructure and how we keep your confidential information safe and secure.
If you've discovered a security issue with Blissbook, please report it to our security team immediately.