Bonterra understands the importance of data security and data privacy. We view maintaining the security and privacy of the data we store or that passes through our servers as critical to our mutual success. Therefore, we have carefully structured our system and chosen our partners to best ensure security and privacy of our clients’ data.
Security and Certification
Please find a glossary of terms at the bottom of this article.
Does Bonterra's infrastructure have any data center certifications?
The Bonterra Application is a Software as a Service (SaaS) offering that leverages an Infrastructure as a Service (IaaS) provider, Amazon Web Services (AWS). AWS is compliant with many industry security standards, including but not limited to ISO 27001 certification and Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard. You can read more about AWS's security protocols here.
Where is data on our users, contact, transactions, and other details stored?
All data, in primary and secondary databases (as well as data backups), are stored in US-based availability zones and regions within AWS data centers.
Does Bonterra operate in a shared environment?
Bonterra does not manage their own physical servers. Instead, we use an IaaS provider (AWS). Our AWS cluster is isolated from other customer clusters and is a self-contained environment. Unlike some cloud providers, no functionality is shared between virtual instances. Instead, customers own and operate their own instances, including full administrative access, much like a server that is racked in a data center.
How does Bonterra secure their application against security threats such as Cross-Site Scripting, Cross-Site Request Forgery, SQL Injection, etc.?
The Bonterra application is developed using industry best practices to minimize risks caused by attacks like those listed above. We regularly test against these attacks and keep up to date on all recommended security releases. External vulnerability scans are performed every quarter. Any identified vulnerability is mitigated promptly.
Does Bonterra require employees to review, be trained on, and agree to Security Policies?
All employees are trained and tested for security awareness on an annual basis. New employees are trained and tested at the time of employment. All employees are required to acknowledge Bonterra’s Information Security Policies.
Does Bonterra use any third parties (outside of its IaaS providers)?
Yes, Bonterra operates under the premise that organizations whose primary function is to perform a certain action will do it better than we ever could. So we leverage the experience, robustness, features, and security of industry-leading providers. For example, we have partners for analytics (Google Analytics and Skylight), an MTA agent (Mandrill), and an email builder (Bee). In each case, we research the organization to ensure it provides the level of service and security that our clients expect. Where we send information to outside providers, only the information required to perform the action by the provider is included. In most cases, data is made anonymous prior to sending.
Is a firewall used between the app/database servers and the internet?
Yes, we have multiple layers of defense implemented to ensure sufficient security. These include, but are not limited to, a peripheral firewall and web application firewalls.
How is administrative access to the system controlled?
Administrative access to client data within the Bonterra application is role based. The access control list is regularly reviewed to ensure Bonterra staff have access to only the minimum data required to perform their duties. Each admin user is uniquely identified in the system and must provide a user name and password to access the system. The minimum password length is 8 characters, and access uses Two Factor Authentication and adheres to industry best practices for strong password selection.
What data backup measures are in place in the case of a server crash or other incident causing loss of data?
Multiple levels of system and database backups are performed every night. Backups are securely transferred to and stored at a separate cloud location for up to 30 days. System and data restore procedures are reviewed and tested regularly.
Glossary
AWS: Amazon Web Services (AWS) is a bundled remote computing service that provides cloud computing infrastructure (IaaS) over the Internet with storage, bandwidth and customized support for application programming interfaces (API).
EC2: Amazon Elastic Compute Cloud - A web service that provides resizable compute capacity in the cloud. Network for Good application, database, and utility servers run on EC2 provided instances.
IaaS: Infrastructure as a Service - A provisioning model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. The service provider owns the equipment and is responsible for housing, running and maintaining it.
MTA: Multimedia terminal adapter
SaaS: Software as a Service - A software delivery model in which software and associated data are centrally hosted in the cloud.