Security at Bondi | Bondi | The System That Changes The Way You Want

Last Updated: November 2025

1. Our Security Commitment

At Bondi, security isn’t just a feature-it’s the foundation of everything we build. We understand that you trust us with your most valuable business data, and we take that responsibility seriously.

Our Mission: To provide a secure, reliable platform that protects your data while enabling your team to work productively and confidently.

Security-First Approach

Security is embedded in every layer of our platform:

By Design: Security considerations from the first line of code
By Default: Secure configurations out of the box
Continuously: Ongoing monitoring, testing, and improvement
Transparently: Open communication about our security posture

Your Data, Your Control

Full ownership of your data-we never sell or misuse it
Privacy-first design with minimal data collection
Data residency options to meet regulatory requirements
Easy export and deletion when you need it

2. Data Protection

2.1 Encryption

Data in Transit:

TLS 1.3 or higher for all connections
Perfect Forward Secrecy (PFS) enabled
Strong cipher suites only (no weak or deprecated protocols)
HTTPS enforced across all domains
Secure WebSocket connections (WSS)

Data at Rest:

AES-256 encryption for all stored data
Encrypted database storage (AWS RDS encryption)
Encrypted file storage (AWS S3 server-side encryption)
Encrypted backups
Secure key management practices

Password Protection:

Industry-standard hashing with bcrypt or Argon2
Salted and hashed-never stored in plain text
Strong password requirements enforced
Regular password security audits

2.2 Data Residency & Sovereignty

European Union Data Protection:

For customers in the European Union and United Kingdom:

Primary data storage: AWS Frankfurt (Germany) or Dublin (Ireland)
Data stays in the EU for EU customers
No unauthorized transfers outside the EEA
Compliant with GDPR data residency requirements

Why This Matters:

Reduced latency for European users
Full compliance with GDPR and EU data protection laws
Sovereignty over your data location
Protection from foreign surveillance laws

Data Processing:

Limited processing by authorized sub-processors (see our Data Processing Agreement)
Standard Contractual Clauses (SCCs) for any US-based services
Supplementary technical measures (encryption, access controls)

2.3 Data Handling Principles

Data Minimization:

We collect only what’s necessary to provide our services
No excessive or unnecessary data gathering
Regular reviews of data collection practices

Purpose Limitation:

Data used only for stated purposes
No secondary use without consent
Clear communication about data usage

Retention & Deletion:

Active accounts: Data retained while you use our service
Deleted accounts: Data deleted within 30 days
Backups: Purged within 90 days of deletion
Legal holds: Retained only as required by law

Secure Deletion:

Multi-pass data wiping for sensitive data
Cryptographic erasure for encrypted data
Verification of deletion completion
Certificate of deletion available upon request

3. Infrastructure Security

3.1 Cloud Infrastructure

Amazon Web Services (AWS):

We leverage AWS’s world-class infrastructure:

Certifications: ISO 27001, SOC 1/2/3, PCI DSS Level 1
Physical security: Biometric access, 24/7 surveillance, armed guards
Environmental controls: Fire suppression, climate control, redundant power
Compliance: Multiple regulatory frameworks (HIPAA, FedRAMP, etc.)

Availability & Reliability:

Multiple availability zones for redundancy
Automatic failover capabilities
99.9% uptime commitment
Geographic distribution of resources

DDoS Protection:

AWS Shield Standard (always enabled)
Rate limiting and traffic filtering
Automated threat detection and mitigation
Traffic anomaly analysis

3.2 Network Security

Virtual Private Cloud (VPC):

Isolated network environment
Private subnets for sensitive resources
Network segmentation by function
No direct public access to databases

Firewall & Access Control:

Network-level firewall (Security Groups)
Application-level firewall (WAF)
Strict ingress/egress rules
IP whitelisting available for enterprise customers

Intrusion Detection & Prevention:

Network traffic monitoring
Anomaly detection systems
Automated threat response
Regular security assessments

Secure Architecture:

Load balancing for availability
Auto-scaling for performance and security
Isolated staging and production environments
No shared infrastructure between customers

4. Application Security

4.1 Secure Software Development Lifecycle (SSDLC)

Development Practices:

Security requirements from day one
Threat modeling for new features
Secure coding standards and guidelines
Peer code reviews for all changes
Security-focused pull request reviews

Automated Testing:

SAST (Static Application Security Testing): Code analysis before deployment
DAST (Dynamic Application Security Testing): Runtime vulnerability scanning
Dependency scanning: Third-party library vulnerability checks
Container scanning: Docker image security analysis
Infrastructure as Code (IaC) scanning: Terraform security validation

CI/CD Security:

Security gates in deployment pipeline
Automated security tests before production
Failed security checks block deployment
Audit trail of all deployments

4.2 Runtime Application Protection

Web Application Firewall (WAF):

Protection against common attacks (OWASP Top 10)
SQL injection prevention
Cross-Site Scripting (XSS) protection
Rate limiting and bot detection
Custom rules for emerging threats

Input Validation & Sanitization:

Server-side validation for all input
Parameterized queries to prevent SQL injection
Output encoding to prevent XSS
File upload security (type, size, content validation)
API input validation with schema enforcement

Security Headers:

Content Security Policy (CSP)
HTTP Strict Transport Security (HSTS)
X-Frame-Options (clickjacking protection)
X-Content-Type-Options
Referrer-Policy

API Security:

Rate limiting per user and endpoint
Authentication required for all endpoints
API versioning for security updates
Request/response validation
Detailed API logging and monitoring

4.3 Authentication & Authorization

Multi-Factor Authentication (MFA):

TOTP (Time-based One-Time Password) support
SMS and email-based verification
MFA required for administrative access
MFA recommended for all users
Recovery codes for account recovery

Strong Password Requirements:

Minimum length: 12 characters
Complexity requirements (uppercase, lowercase, numbers, symbols)
Password strength meter
Common password blacklist (no “password123”)
Regular password breach database checks

Role-Based Access Control (RBAC):

Granular permissions system
Workspace-level and project-level roles
Principle of least privilege
Custom role creation for enterprises
Audit logs for all permission changes

Session Management:

Secure session token generation
HttpOnly and Secure cookie flags
Session timeout after inactivity (configurable)
Single sign-out (invalidate all sessions)
Device tracking and management

Single Sign-On (SSO) Support:

SAML 2.0 for enterprise customers
OAuth 2.0 / OpenID Connect
Integration with popular identity providers (Google, Microsoft, Okta)
Just-in-Time (JIT) provisioning

5. Access Controls

5.1 Principle of Least Privilege

Minimal Access:

Users granted only necessary permissions
Role-based access assignment
Time-limited access for temporary needs
Regular access reviews and recertification

Administrative Access:

Strictly controlled and monitored
MFA required for all admin actions
Just-in-time access provisioning
Approval workflow for elevated privileges
Automatic expiration of temporary access

5.2 Employee Access & Security

Hiring & Onboarding:

Background checks for employees with data access (where legally permitted)
Confidentiality and Non-Disclosure Agreements (NDAs)
Security awareness training during onboarding
Policy acknowledgment and acceptance

Security Training:

Annual security awareness training for all employees
Role-specific security training (developers, support, etc.)
Phishing simulations and education
Incident response training
Regular security updates and communications

Access Management:

Unique credentials for each employee (no shared accounts)
MFA required for all corporate access
Regular access reviews (quarterly)
Immediate revocation upon termination
Offboarding checklist for departing employees

Device Security:

Company-issued laptops with full disk encryption
Endpoint protection (antivirus, anti-malware)
Mobile device management (MDM) for mobile access
Screen lock and auto-logout policies
Lost/stolen device remote wipe capability

6. Monitoring & Incident Detection

6.1 24/7 Security Monitoring

Real-Time Monitoring:

Continuous monitoring of infrastructure and applications
Automated alerting for suspicious activity
Security Operations Center (SOC) monitoring
Incident escalation procedures

Threat Detection:

Anomaly detection using machine learning
Behavioral analysis for unusual patterns
Failed login attempt tracking
Brute force attack detection
API abuse and rate limit violations

Alerting Systems:

Multi-channel alerts (email, SMS, Slack, PagerDuty)
Severity-based alert routing
On-call rotation for critical alerts
Escalation procedures for unacknowledged alerts

6.2 Logging & Audit Trails

Comprehensive Logging:

All authentication attempts (success and failure)
All data access and modifications
Administrative actions
API requests and responses
System events and errors

Centralized Log Management:

Secure log aggregation
Log retention: minimum 90 days for security logs
Immutable audit logs (tamper-evident)
Encrypted log storage
Regular log review and analysis

Audit Capabilities:

User activity reports
Admin action history
Data access logs
Export capabilities for compliance audits
Real-time audit trail access

7. Compliance & Certifications

7.1 Regulatory Compliance

GDPR & Data Protection:

✅ EU GDPR compliant
✅ UK GDPR (Data Protection Act 2018) compliant
Data Processing Agreement available: View DPA
Privacy Policy: View Policy
Cookie Policy: View Policy

Privacy by Design:

Privacy Impact Assessments (PIAs) for new features
Data Protection Officer (DPO) appointed
Regular privacy reviews
User rights management (access, deletion, portability)

7.2 Security Certifications & Standards

Current Certification Status:

✅ Compliant & Operational:

GDPR and UK GDPR
Data Protection regulations
AWS best practices
OWASP Top 10 guidance

🔄 In Progress:

SOC 2 Type II certification (expected: Q2 2026)
ISO 27001 certification (expected: Q3 2026)

Standards Alignment:

SOC 2 Trust Services Criteria (Security, Availability, Confidentiality)
ISO 27001 Information Security Management
NIST Cybersecurity Framework
CIS Controls for effective cyber defense
OWASP Application Security Verification Standard (ASVS)

7.3 Security Testing & Assessments

Annual Penetration Testing:

Independent third-party security firm
Black-box and white-box testing
Comprehensive assessment of infrastructure and applications
Remediation of findings before next test

Quarterly Vulnerability Scanning:

Automated vulnerability scans
Network and application scanning
Prioritized remediation by severity
Verification scanning after fixes

Continuous Security Assessment:

Internal security audits
Code security reviews
Architecture security reviews
Threat modeling for new features
Security metrics and KPIs tracking

8. Incident Response

8.1 Incident Response Program

Preparedness:

Documented Incident Response Plan (IRP)
Dedicated incident response team
Defined roles and responsibilities
Regular tabletop exercises and simulations
Communication templates and protocols

Incident Classification:

P0 (Critical): Data breach, service outage affecting all users
P1 (High): Security vulnerability, service degradation
P2 (Medium): Limited impact, non-critical issues
P3 (Low): Informational, no immediate impact

8.2 Response Process

1. Detection & Reporting:

Automated detection systems
Employee reporting channels
Customer reporting (security@heybondi.com)
Security researcher reports

2. Triage & Assessment:

Incident classification and severity assignment
Impact assessment (users affected, data involved)
Threat analysis
Activation of incident response team

3. Containment:

Immediate actions to stop the incident
Isolation of affected systems
Prevention of further damage
Evidence preservation for forensics

4. Investigation:

Root cause analysis
Forensic investigation
Scope determination
Timeline reconstruction

5. Notification:

GDPR compliance: Notification within 72 hours if required
Customer notification as appropriate
Regulatory authority notification as required
Transparent communication about impact and remediation

6. Remediation & Recovery:

Fix the root cause
Apply security patches
Restore services to normal operation
Verify fix effectiveness

7. Post-Incident Review:

Lessons learned session
Documentation of incident
Process improvements
Security enhancements
Update incident response plan

8.3 Communication & Transparency

Customer Communication:

Timely notification of incidents affecting customers
Regular status updates during incident response
Post-incident summary and root cause analysis
Clear explanation of impact and remediation

Status Page:

Real-time service status: status.heybondi.com
Incident history and resolution times
Scheduled maintenance notifications
Subscribe for updates

9. Business Continuity & Disaster Recovery

9.1 Data Backup Strategy

Automated Backups:

Daily automated backups of all customer data
Continuous replication for critical databases
Point-in-time recovery capability
Backup integrity verification

Encrypted Backup Storage:

AES-256 encryption for all backups
Separate encryption keys from production
Secure key management
Access controls for backup systems

Geo-Redundant Storage:

Backups stored in multiple AWS regions
Within EU for EU customer data
Cross-region replication
Protection against regional failures

Regular Restore Testing:

Monthly backup restoration tests
Verification of data integrity
Measurement of recovery time
Documentation of restore procedures

9.2 Disaster Recovery

Business Continuity Plan (BCP):

Documented procedures for various disaster scenarios
Critical business functions identified
Recovery priorities established
Regular plan reviews and updates

Recovery Objectives:

Recovery Time Objective (RTO): Target time to restore services
- Critical systems: 4 hours
- Standard systems: 24 hours
Recovery Point Objective (RPO): Maximum data loss acceptable
- Critical data: 1 hour
- Standard data: 24 hours

Failover Procedures:

Automated failover for critical systems
Multi-availability zone architecture
Database replication and failover
Regular disaster recovery drills

Testing & Validation:

Annual full disaster recovery test
Quarterly partial DR tests
Documentation of test results
Continuous improvement of DR procedures

10. Responsible Disclosure & Resources

10.1 Security Vulnerability Disclosure

Report Security Issues:

We welcome responsible disclosure of security vulnerabilities:

Disclosure Policy: View Policy
Contact: security@heybondi.com
Response Time: 48-72 hours for acknowledgment

Bug Bounty Program:

Recognition-only program (no monetary rewards currently)
Security Researcher Hall of Fame
Public acknowledgment with permission
Swag and appreciation for significant findings

Safe Harbor:

Legal protection for good-faith security research
No legal action for researchers following our policy
CFAA and DMCA safe harbor provisions

10.2 Customer Security Best Practices

Account Security:

✅ Enable Multi-Factor Authentication (MFA) on all accounts
✅ Use strong, unique passwords (12+ characters)
✅ Never share your login credentials
✅ Review connected devices and sessions regularly
✅ Log out when using shared or public devices

Team Management:

✅ Grant minimum necessary permissions
✅ Regularly review user access and roles
✅ Remove access for departing team members immediately
✅ Use SSO for centralized access management
✅ Monitor audit logs for suspicious activity

Data Protection:

✅ Educate your team about phishing and social engineering
✅ Be cautious of suspicious emails or links
✅ Regularly export and backup your data
✅ Use our API securely (keep API keys confidential)
✅ Report suspected security issues immediately

Security Settings:

Access security settings in your account dashboard
Configure session timeout preferences
Set up trusted IP addresses (Enterprise)
Enable login notifications
Review security activity logs

10.3 Security Resources

Documentation:

Privacy Policy - How we handle your personal data
Data Processing Agreement - GDPR compliance for B2B customers
Cookie Policy - Our use of cookies and tracking
Vulnerability Disclosure - How to report security issues

Certifications & Audits:

SOC 2 reports available upon request (NDA required)
AWS compliance documentation
Third-party penetration test summaries (NDA required)
Security questionnaire responses for enterprise customers

Contact Security Team:

General inquiries: security@heybondi.com
Vulnerability reports: security@heybondi.com
Incident reports: security@heybondi.com (mark as URGENT)
Enterprise security questions: sales@heybondi.com

Response Times:

Security inquiries: 2-3 business days
Vulnerability reports: 48-72 hours
Critical incidents: Immediate (24/7 monitoring)

11. Our Security Roadmap

Ongoing Initiatives

Short Term (Next 3-6 Months):

Enhanced logging and monitoring capabilities
Additional security automation
Expanded security training program
Customer security education resources

Medium Term (6-12 Months):

SOC 2 Type II certification completion
ISO 27001 certification preparation
Bug bounty program with monetary rewards
Advanced threat detection capabilities

Long Term (12+ Months):

Additional compliance certifications (ISO 27701, ISO 27017)
Enhanced customer security controls
Security API for enterprise customers
Real-time security dashboard for customers

Continuous Improvement

Security is never “done”-it’s an ongoing commitment:

Regular security assessments and updates
Adaptation to emerging threats
Implementation of new security technologies
Response to customer feedback and requirements
Industry best practices adoption

12. Questions & Support

Frequently Asked Questions

Q: Where is my data stored? A: EU customer data is stored in AWS data centers in Frankfurt (Germany) or Dublin (Ireland). Your data does not leave the EU.

Q: Do you have SOC 2 or ISO 27001? A: We are currently working towards SOC 2 Type II (expected Q2 2026) and ISO 27001 (expected Q3 2026). We follow best practices aligned with these standards.

Q: Can I get a copy of your security documentation? A: Yes. SOC 2 reports and penetration test summaries are available to customers under NDA. Contact sales@heybondi.com.

Q: How do I enable MFA for my team? A: Go to Account Settings → Security and follow the MFA setup wizard. We recommend requiring MFA for all team members.

Q: What happens if there’s a security incident? A: We will notify affected customers within 72 hours (GDPR requirement), provide regular updates, and share a post-incident report.

Q: Do you encrypt data at rest? A: Yes, all data is encrypted at rest using AES-256 encryption through AWS-managed encryption.

Q: Can I export my data? A: Yes, you can export your data at any time through the platform or by contacting support@heybondi.com.

Contact Our Security Team

For any security-related questions or concerns:

Email: security@heybondi.com
Address: 2803 Philadelphia Pike, Suite B #356, Claymont, DE 19703, United States

We take all security inquiries seriously and respond promptly to help ensure your data is protected.

Thank you for trusting Bondi with your business data. Security is a shared responsibility, and we’re committed to protecting your information every step of the way.

Last reviewed and updated: November 2025