Security is our top priority
Bidhive works hard to keep your data safe, secure, and private.
We take our security responsibility to you very seriously.
We’ve partnered with Amazon Web Services (AWS), the world’s leading cloud computing provider.
- Data privacy – The AWS infrastructure puts strong safeguards in place to help protect customer privacy. All data is stored in highly secure AWS data centres.
- Data sovereignty – Customers always retain control of which AWS Region(s) are used to store and process their content. This allows our customers with geographic-specific requirements to establish environments in a location(s) of their choice.
- Data compliance – AWS maintains dozens of compliance programs for its infrastructure. This means that the infrastructure-layer portion of your own compliance work is already covered.
- Scalability – Security scales with your AWS cloud usage. No matter the size of your company, the AWS infrastructure is designed to keep data safe.
Bidhive is certified to SOC 2 / ISO 27001. We’ve given a lot of thought to how we’ve designed and built our platform to deliver performance, stability and security to our customers.
We neither store nor transmit your credit card information. We use Stripe, a PCI DSS Level 1 compliant payment processor, to handle all credit card transactions. All of our data is encrypted in transit and at rest.
Hosting and Database Storage
Bidhive infrastructure is hosted within Amazon Web Services, one of the most sophisticated and secure cloud platforms on the planet. This gives us a head start on security and best practice, as AWS has been battle-tested and hardened over many years against events that could compromise security. At Bidhive, we use a combination of AWS services to build our platform, whose boundaries are clearly defined through appropriately configured Virtual Private Cloud (VPC) networks and Identity and Access Management (IAM) policies.
Specifically, AWS provides Bidhive the ability to:
- Secure and encrypt customer data at rest and in transit
- Detect and handle Distributed Denial of Service (DDoS) attacks through monitoring and scaling of our core application services
- Detect and block suspicious activity through monitoring/alarming and secure firewall configuration
- Ensure that Bidhive infrastructure is always up to date with the latest security and software patches through a system of automated and scheduled updates
Encrypting Data in Transit
All HTTP traffic to Bidhive runs over a TLS-encrypted (HTTPS) connection and we only accept traffic on port 443. In addition, our websites and API endpoints send HTTP Strict Transport Security (HSTS) headers, so that browsers that have seen the policy refuse to connect over plain HTTP for the lifetime of the policy.
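An HSTS policy is only as good as its directives: a short max-age leaves a window for downgrade, a missing includeSubDomains leaves sibling hosts reachable over HTTP, and the header is ignored entirely when it arrives over plain HTTP. The following is an added example (not Bidhive's code) of a small checker a practitioner can run against captured response headers; the sample header values are constructed here for illustration, and the one-year threshold is the minimum the HSTS preload list requires.

```python
from typing import Dict, List, Union

# Minimum max-age (in seconds) required for inclusion in the browser HSTS preload list.
ONE_YEAR = 31_536_000


def parse_hsts(value: str) -> Dict[str, Union[str, bool]]:
    """Parse a Strict-Transport-Security header value into its directives.

    Directive names are case-insensitive; valueless directives map to True.
    """
    directives: Dict[str, Union[str, bool]] = {}
    for raw in value.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def evaluate_hsts(headers: Dict[str, str], over_https: bool = True) -> List[str]:
    """Return review findings for a response's HSTS policy; an empty list means it is sound."""
    findings: List[str] = []
    if not over_https:
        findings.append("HSTS is ignored on plain-HTTP responses; redirect to HTTPS first")

    # Header lookup is case-insensitive, as HTTP header names are.
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        findings.append("Strict-Transport-Security header missing")
        return findings

    d = parse_hsts(value)
    raw_age = d.get("max-age")
    if not isinstance(raw_age, str) or not raw_age.isdigit():
        findings.append("max-age missing or not an integer; browsers ignore the policy")
        return findings
    max_age = int(raw_age)

    if max_age == 0:
        findings.append("max-age=0 clears any stored policy")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below one year; downgrade window remains")

    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains can still be reached over HTTP")

    if "preload" in d and (max_age < ONE_YEAR or "includesubdomains" not in d):
        findings.append("preload present but preload-list requirements are not met")
    return findings


# Constructed sample responses (not captured from any real host).
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300"}
STRONG_HEADERS = {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        print(label, evaluate_hsts(hdrs) or ["ok"])
```

Run it against the headers returned by an HTTPS request to each hostname and to the plain-HTTP redirect as well; the plain-HTTP response should be a redirect, not a page that merely carries the header.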
Encrypting Data at Rest
Bidhive’s backend is supported by a Postgres database to persist data. All data at rest and associated keys are encrypted using the industry-standard AES-256 algorithm.
Static files, such as images and other documents, are persisted in AWS S3 storage. All static files are encrypted before they are written, so they are encrypted while at rest.
AWS Security Practices
Amazon Web Services undergoes recurring assessments to ensure compliance with industry standards and continually manages risk. By using AWS as a data centre operations provider, our data centre operations are accredited by:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
More information about AWS security is available from AWS’s published security and compliance documentation.
Password Policy and Storage
During account creation and password update, Bidhive requires a strong password that has 8 characters or more, and contains numbers as well as lower- and upper-case letters. Visually, this requirement is displayed to the user through a password strength meter to encourage users to provide stronger passwords.
We do not store user passwords: we only store salted, one-way password hashes derived with the NIST-recommended PBKDF2 algorithm using HMAC-SHA256. PBKDF2 applies a large number of iterations (rounds) of hashing, so recovering a password from its hash requires an enormous amount of computation. This deliberately slows down attackers, making offline attacks against stolen password hashes much harder.
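To make the password policy and the PBKDF2 storage concrete, here is an added example (not Bidhive’s code) using only the Python standard library. It enforces the stated rules (8 or more characters with digits, lower-case and upper-case letters), stores hashes in the same `algorithm$iterations$salt$hash` layout that Django’s PBKDF2 hasher uses, verifies with a constant-time comparison, and flags old hashes that should be upgraded when the iteration count is raised. The iteration count and salt size are illustrative assumptions, not Bidhive’s actual parameters.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import List, Optional

# Assumed parameters for this example only (not Bidhive's real settings).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # raise over time as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt per password


def check_password_policy(password: str) -> List[str]:
    """Return the rules the password fails; an empty list means it is acceptable."""
    failures = []
    if len(password) < 8:
        failures.append("at least 8 characters")
    if not re.search(r"[0-9]", password):
        failures.append("a digit")
    if not re.search(r"[a-z]", password):
        failures.append("a lower-case letter")
    if not re.search(r"[A-Z]", password):
        failures.append("an upper-case letter")
    return failures


def hash_password(password: str, salt: Optional[str] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a PBKDF2-HMAC-SHA256 hash and encode it as algorithm$iterations$salt$hash."""
    if salt is None:
        salt = secrets.token_hex(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("ascii"), iterations)
    return "$".join([ALGORITHM, str(iterations), salt,
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, encoded: str) -> bool:
    """Recompute the hash with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt, _ = encoded.split("$", 3)
    except ValueError:
        return False
    if algorithm != ALGORITHM or not iterations.isdigit():
        return False
    candidate = hash_password(password, salt, int(iterations))
    # compare_digest avoids leaking the position of the first differing byte via timing.
    return hmac.compare_digest(candidate.encode("ascii"), encoded.encode("ascii"))


def needs_rehash(encoded: str) -> bool:
    """True when a stored hash uses fewer iterations than the current setting."""
    parts = encoded.split("$", 3)
    return len(parts) != 4 or not parts[1].isdigit() or int(parts[1]) < ITERATIONS


if __name__ == "__main__":
    pw = "Correct-Horse1"
    print(check_password_policy(pw) or "policy ok")
    stored = hash_password(pw)
    print(stored)
    print(verify_password(pw, stored), verify_password("wrong", stored))
```

On a successful login, call needs_rehash on the stored value and, if it returns True, re-hash the plaintext just verified with the current iteration count; that is how an iteration increase propagates to existing accounts without a forced reset.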
At Bidhive we are always on the lookout for ways to increase security and plan to support two-factor authentication and additional account notifications for sensitive account changes (like a password change) in an upcoming version.
XSS and CSRF Protection
To prevent Cross-Site Scripting (XSS) attacks, all template output is escaped by default by our Django-based backend framework before it reaches the browser. In addition, within the Bidhive API we ensure that GET requests (and the other “safe” methods defined in RFC 7231, section 4.2.1) are free of side effects.
For other requests, the Django framework issues a random “csrf_token” that must accompany the request, to protect against Cross-Site Request Forgery (CSRF) attacks.
Bidhive employs Cross-Origin Resource Sharing (CORS) headers to restrict which origins and request types are accepted for backend API requests.
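The three protections above interlock: safe methods must not change state because the CSRF check does not apply to them, unsafe methods must carry a token an attacker’s site cannot read, and anything user-controlled must be escaped on output. The following is an added example (not Bidhive’s or Django’s code) of a minimal request handler that shows all three; it is a simplified double-submit check rather than Django’s exact middleware, and the cookie, header and form-field names and the `/comments` route are assumptions for illustration.

```python
import hmac
import html
import secrets
from typing import Dict, Optional, Tuple

# RFC 7231 section 4.2.1 safe methods: exempt from the token check, so they
# must never have side effects (a state-changing GET would be forgeable).
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})

# Names assumed for this example (Django uses similar but not identical ones).
CSRF_COOKIE = "csrftoken"
CSRF_HEADER = "X-CSRFToken"
CSRF_FIELD = "csrfmiddlewaretoken"


def new_csrf_token() -> str:
    """Unpredictable per-session token; set it in the cookie and embed it in forms."""
    return secrets.token_urlsafe(32)


def csrf_check(method: str, cookies: Dict[str, str], headers: Dict[str, str],
               form: Dict[str, str]) -> Optional[str]:
    """Return None if the request may proceed, otherwise the reason it is rejected.

    A cross-site form or script can cause the browser to send the cookie, but it
    cannot read the cookie's value, so it cannot supply a matching copy.
    """
    if method.upper() in SAFE_METHODS:
        return None
    expected = cookies.get(CSRF_COOKIE)
    if not expected:
        return "CSRF cookie not set"
    submitted = headers.get(CSRF_HEADER) or form.get(CSRF_FIELD)
    if not submitted:
        return "CSRF token missing"
    if not hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8")):
        return "CSRF token incorrect"
    return None


def render_comment(author: str, body: str) -> str:
    """Escape user-controlled values before they are interpolated into HTML,
    which is what Django's template engine does by default."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


def handle_request(method: str, path: str, cookies: Dict[str, str],
                   headers: Dict[str, str], form: Dict[str, str]) -> Tuple[int, str]:
    """Tiny dispatcher returning (status, body) for the assumed /comments route."""
    reason = csrf_check(method, cookies, headers, form)
    if reason is not None:
        return 403, reason
    if method == "POST" and path == "/comments":
        # State change happens only here, behind the token check.
        return 201, render_comment(form.get("author", ""), form.get("body", ""))
    if method == "GET" and path == "/comments":
        return 200, "<ul></ul>"  # read-only: no side effects on a safe method
    return 404, "not found"


if __name__ == "__main__":
    token = new_csrf_token()
    # Constructed requests: a forged cross-site POST (no token) and a legitimate one.
    print(handle_request("POST", "/comments", {CSRF_COOKIE: token}, {}, {"body": "hi"}))
    print(handle_request("POST", "/comments", {CSRF_COOKIE: token},
                         {CSRF_HEADER: token}, {"author": "eve", "body": "<script>alert(1)</script>"}))
```

Note that the CSRF check only protects state-changing endpoints if those endpoints really are unreachable via safe methods; an API that mutates on GET has no token to check and is forgeable from any origin regardless of CORS, since CORS restricts what a script can read, not what the browser will send.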
We require all employees to use strong, unique passwords for Bidhive accounts, and to set up two-factor authentication with each device and service where available. Access to application admin functionalities is restricted to a subset of Bidhive staff.
Monitoring and Notifications
Bidhive uses several services to automatically monitor uptime and site availability. Key employees receive automatic email and SMS notifications in the case of downtime or emergencies. Some of our preferred services for logging and notification include AWS CloudWatch, AWS SNS and an internal monitoring platform built with the excellent Zabbix open-source monitoring and alerting software.
Bidhive development is performed by a small, close-knit team. Code reviews are standard practice, and a suite of development tools, including static type checkers and linters, automatically vets the code that is checked in to our repositories.
At Bidhive, we invite anyone on the internet to notify us of issues they might find in our application to further strengthen and secure our platform. All vulnerability report submissions are read within hours of receipt and we aim to respond to all submissions within 48 hours.
In the event of a security breach, we have established incident response procedures, including turning off access to the web application, mass password resets and certificate rotation. If our platform is maliciously attacked, we will communicate this information to all of our users as quickly and openly as possible.