Security controls

This guide introduces you to the security features available in Bloomreach and explains how core and enterprise security are structured. It also covers the key security management processes that protect your infrastructure and customer data.

Security features

Bloomreach provides a comprehensive set of security features to keep your customer data safe:

Core security

Bloomreach delivers a secure setup out of the box. This includes two-factor authentication (2FA) via SMS or an authenticator app, and an optional CAPTCHA challenge when signing in.

To protect load-balanced resources, Bloomreach uses Google Load Balancer with firewall rules. Traffic within the application is encrypted using TLS, SSH, and VPN options. Webhooks and imports can also use static IPs for clients who require that level of security. The application and infrastructure are continuously monitored and logged.

Enterprise security

For clients who handle sensitive data — such as those in banking or telecommunications — Bloomreach offers an additional layer of security and access management features designed to meet stricter compliance requirements.

Both core and enterprise security use Bloomreach's Public and Private APIs to give you control over your customer data.

Using the dedicated Private API, you can securely send and download data, which supports fulfilling Subject Access Requests required under GDPR. The Public API handles web tracking and web personalization using a public token, while the Private API uses a private token and secret.

Security management

Endpoint security

All Bloomreach endpoint devices are protected in line with the Endpoint Security Policy. This includes disk encryption, malware protection, disabled guest access, firewalls, and regularly updated operating systems. Bloomreach performs regular checks to maintain this level of security across all devices.

Monitoring

Security monitoring draws on data collected from internal network traffic and known vulnerabilities. Internal traffic is checked continuously for suspicious behavior. Network analysis, system log examination, and public data repository alerts are all part of the monitoring process to help identify unusual activity.

Vulnerability management

Bloomreach follows a vulnerability management policy that includes regular web scans and threat scans. When a vulnerability is identified, it's tracked, prioritized by urgency, and assigned to the relevant team as a ticket. The security team monitors open issues and follows up until each one is resolved.

Incident management

Bloomreach has well-defined incident management processes for security events that may affect the confidentiality, integrity, or availability of client resources or data. When an incident occurs, the security team identifies it, reports it, assigns it to the correct resolver, and sets a resolution priority based on urgency. Events that directly affect customers always receive the highest priority and the shortest resolution time. The process covers plans of action and procedures for identification, escalation, mitigation, and reporting.
© Bloomreach, Inc. All rights reserved.