
Security

Enjoy more efficient collaboration with industry-standard data protection for you & your stakeholders
Last Updated 25 June 2024

At Beep Productivity Inc. (also referred to on this page as "Beep", "we", "us" and "our"), the security of our customers' data is important to us. We are committed to providing a secure means for our customers to collaborate online by implementing industry-standard security tools and practices and keeping them up to date. The main aspects of our security practices are outlined below.

GDPR Compliance

We have built our software's architecture and implemented organizational security measures following privacy by design (PbD), in accordance with the EU's GDPR (General Data Protection Regulation) as well as the regulations of the other major markets we do business in, such as the USA.


To give our users additional assurance, we are in the process of obtaining certification from third-party data privacy auditors. Any updates will be reported on this page and on related pages of our website.

Beep Productivity Inc., a Delaware corporation, is also registered as Beep Productivity OÜ, based in Tallinn, Estonia (EU). Here are the key measures we have taken to become GDPR compliant:

  • We have made a Data Processing Agreement available for our users (in accordance with GDPR Art. 28).

  • We collect only the data that is needed, and no more, and we use it only for the purposes agreed upon with users. This benefits both users (the data subjects) and your organization.

  • Data we hold (including data users consent to share with us) is shared only with GDPR-compliant service providers. You can see our list of sub-processors here.

  • We have created and made accessible a Privacy Policy that communicates what data we collect, how data is used, who has access to your data, how it is stored/protected, and also outlines your data protection rights in accordance with GDPR guidelines.

  • Data is kept in a form that identifies users only for as long as is necessary and we discard the data when it’s no longer useful.

  • In accordance with GDPR Art. 32, we encrypt all data both in transit and at rest. Data is also stored in Europe (more information is available in the "Infrastructure Security" and "Data Encryption" sections below).

Infrastructure Security

Following privacy by design, Beep's feedback platform is built on a reliable, fast and secure architecture. We use a multi-tier infrastructure with security gateways. Services such as data storage can be accessed only by the applications that specifically require them, and only by personnel with the appropriate authorization level. Credentials and other access information are stored securely outside our codebase and separately from our data.

Data Storage & Hosting

Beep uses Amazon Web Services (AWS) in Europe as the datacenter that hosts and manages our software. User media files such as screenshots, screen recordings and uploaded files are accessible only through our configured Virtual Private Cloud (AWS VPC). AWS is continuously audited and certified against:


  • SOC 1/SSAE16/ISAE3402; SOC 2; SOC 3

  • ISO 9001; ISO 27001

  • FedRAMP

  • DoD SRG

  • PCI DSS Level 1

You can read more about AWS security here.

User data and comments are stored separately and only accessible via MongoDB Atlas, a cloud database certified with:

  • SOC 2

  • ISO 9001; ISO 27001; ISO 27017; ISO 27018

  • CSA Star Level 2

  • PCI DSS

  • TISAX

  • HDS

  • TX-RAMP

You can read more about MongoDB Atlas security here.

To keep as much data as possible within the EU, we use Amazon's Ireland region (eu-west-1), a top-tier region with 24/7 operations and enterprise-grade security that is also a low-carbon-emission data center.

Browser Extension

Our browser extension is distributed via Google's Chrome Web Store.

To comply with Google's Chrome Web Store policies, which reflect GDPR and CCPA requirements, we are required to encrypt the transmission of all personal or sensitive user data and to display a Privacy Policy that lists all the types of data we collect and how they are used, shared and stored.

Only a limited amount of data is shared with Google. According to the Google Chrome Web Store Agreement, Google "may [collect] certain usage statistics from the Web Store and user machines, devices, or other hardware, including information on how the Web Store and Products are being used" in order to "continually innovate and improve the Web Store".

Routine Audits & Vulnerability Checks
We audit and test our system with penetration tests on a routine basis (at least annually) with the aim of uncovering vulnerabilities. Additionally, we employ security tools that scan our code for vulnerabilities and monitor for potential risks. Every identified risk is reported, classified, and promptly fixed and patched. Only Enterprise plan customers may request audited penetration tests.

We endeavor to prevent SQL injection, cross-site scripting (XSS) and other common web application vulnerabilities.
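As an added illustration, not code from Beep's product, the following Node.js snippet shows the two defenses these vulnerability classes call for in a feedback platform: output encoding of a stored comment before it is rendered as HTML (against stored XSS), and a type check on a lookup value before it reaches a MongoDB query. Because Beep's data is held in MongoDB rather than a SQL database, the injection variant shown is operator injection, where a JSON object such as {"$ne": null} is smuggled in place of a string. The request values are constructed samples.

```javascript
// Added example (not Beep's code): two input-handling checks for a feedback
// platform that stores comments in MongoDB and renders them in the browser.

// 1. Output encoding against stored XSS: a comment body is user-controlled
//    text and must be escaped before it is placed into HTML.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderComment(author, body) {
  // Every interpolated value is escaped; only the template itself is trusted.
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// 2. Query-operator injection: MongoDB drivers accept objects as field values,
//    so a parsed JSON body like {"email": {"$ne": null}} turns an equality
//    lookup into a "match any user" filter. Reject anything that is not a
//    plain string before it is used in a query.
function buildEmailFilter(untrustedEmail) {
  if (typeof untrustedEmail !== 'string') {
    throw new TypeError('email must be a string');
  }
  return { email: untrustedEmail };
}

// Constructed samples standing in for request bodies.
const xssBody = '<img src=x onerror="alert(document.cookie)">';
const rendered = renderComment('mallory', xssBody);
console.log(rendered); // the payload is inert text: no raw "<img" tag remains

let injectionRejected = false;
try {
  buildEmailFilter({ $ne: null }); // what JSON.parse yields for the smuggled object
} catch (e) {
  injectionRejected = e instanceof TypeError;
}
console.log('operator injection rejected:', injectionRejected);
```

The escaper covers the five characters that matter in HTML text and attribute contexts; placing user input into a URL, script or CSS context needs a different encoder, which is why templating engines that auto-escape per context are the safer default.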

Redundant services and failover
We have designed and built our services for failover. If a service fails, redundant services are ready to take over its job, so we can provide our customers a consistent and reliable service. Our services are distributed across multiple AWS availability zones.

To efficiently recover from any database failure, we synchronously replicate all databases. Regular snapshots of the database are taken and securely moved to a separate data center as an extra precaution. This way, we can restore them elsewhere if necessary or in the event of a regional data center failure.

Limited Authorized Access & Extra Protection Measures
Our systems, servers, and networks are protected and reachable only from our internal network. Only authorized personnel who have passed a thorough background check have access to our server infrastructure. Access to our infrastructure is secured through VPN and two-factor authentication.

Organisational Security

Adequate Data Privacy Training

At Beep, all personnel involved in data processing have committed themselves to confidentiality and are instructed accordingly.


Data Access Authorization Levels

We have assigned each of our personnel a respective level of access that limits the data they can access or process. These varying levels are designed to limit each respective personnel's access to what is strictly necessary to fulfil their role (also known as the "principle of least privilege"). All access is also immediately withdrawn upon termination of their employment.


Active Monitoring & Maintenance

We continuously maintain and monitor notifications, errors, logs and alerts on our services to identify and manage threats. Comprehensive security measures prevent unauthorized access to data processing equipment.

Payment Security

We use Stripe as our payment partner to process and store our customers' payment details. We never directly handle payments, nor do we have access to customers' payment details.

Stripe is a certified PCI DSS Level 1 Service Provider, the most stringent level of certification available in the payments industry.

You can read more about security at Stripe here.

Data Encryption

Beep protects data in transit with HTTPS, i.e. HTTP over TLS (Transport Layer Security, the successor to the deprecated SSL protocol). Data durability is ensured by mirroring all data in two separate locations. Access to our REST API is available only over TLS.

Data at rest is encrypted using AES-256, the industry-standard symmetric cipher.

User Security

Password Security
Passwords used to register and log in to Beep are stored only as an irreversible (one-way) cryptographic hash. As such, Beep does not have access to and cannot retrieve any user's password.

Login Security
Aside from accessing Beep via the standard method of email and password, Beep also offers users access via Google OAuth.

Permissions and roles
Users can have different roles with different permissions within our system. Team admins (i.e., those who created a team) have full access to Beep's features (limited only to what is included in their chosen subscription plan). Team members can access and manage shared or team projects and feedback. Other users and guests can share and receive feedback, and can reply to feedback.

User responsibilities

Keeping user data safe also depends on users themselves preserving the security of their accounts, systems and personal information. Users are encouraged to use strong, unique passwords and to store them safely. Users who log in with a Google account are encouraged to enable additional protection on that account, such as two-factor authentication (2FA).


Furthermore, users should not use Beep in any way that compromises PII (personally identifiable information) or breaches data laws. Depending on the severity of the case, violators may be automatically banned and blacklisted from using Beep.

More details on this can be found in our End User SaaS Agreement (EUSA) which applies to all subscriptions.

Privacy Policy

You can find more information on the data we collect and how we do it in our Privacy Policy.

Changes to this Security Policy

Beep Productivity Inc. reserves the right to change this Security Policy at any time. If we decide to change it, we will post the changes on this page so that you are always aware of how we ensure the security of your data. All changes are effective immediately upon posting.

Have a Security Question for Beep?

If you have any questions about our data security or notice a security issue, please reach out to us via this contact form. Please note, Beep does not offer a bug bounty program.
