Bizzabo’s information security and compliance

1. Certifications.

Bizzabo uses an independent third party to audit our controls and processes.

SOC 2
In October of 2022 we received our SOC 2 Type 2 certification, covering the audit period of January 01, 2022 – June 30, 2022. Current customers can request this report as needed, and prospects may request the same post execution of a Non-Disclosure Agreement.

ISO 27001
In April 2017, Bizzabo achieved ISO 27001:2013 compliance. On an annual basis, surveillance audits are conducted to ensure compliance and maturity of our Information Security Management System (ISMS).

Current customers can request a copy of the current certificate.

2. Compliance.

General Data Protection Regulation (GDPR)
European Economic Area-origin personal data is processed and stored on the basis of the Standard Contractual Clauses, as amended by the Commission of the European Union, and we employ appropriate, and industry standard, technical, contractual, and organizational supplementary measures. Please visit our Privacy Policy for more information.

California Consumer Privacy Act (CCPA)
Bizzabo has updated the necessary internal procedures and processes to comply with CCPA. Please visit our Privacy Policy for more information.

Third-Party Sub-Processors
Bizzabo uses a variety of third-party sub-processors to provide various features of our platform. All third parties are subject to a thorough security, compliance, and privacy assessment prior to contracting and approval. If approved, an annual assessment is required to ensure compliance.

Cookies Page
When you visit Bizzabo’s website, we and our service providers collect certain data using tracking technologies like cookies and web beacons. Please visit our Cookie Page for more information.

3. Infrastructure & Development.

Data Centers
The Bizzabo product is based on logical architectures, with primary data centers run by Amazon Web Services (AWS), and Google Cloud Platform (GCP) located in the continental United States.

Bizzabo does not own the hardware located in these data centers. Instead, both AWS and GCP are responsible for the security of the underlying cloud infrastructure (IaaS / PaaS), while Bizzabo is responsible for controls and configurations beginning at the operating system layer.

Platform
A multi-tenant, cloud-based application, the Bizzabo platform is engineered for high
scalability, reliability, security, and performance. All elements of the platform are tested regularly. The platform is microservice-based and is deployed on top of Kubernetes orchestration.

Encryption
Data in transit is encrypted using TLS 1.2, while data at rest is encrypted using AES-256. Access to databases is also encrypted asymmetrically.

Each Bizzabo customer’s data is hosted within a multi-tenant environment and logically segregated using a unique key.

Network Security
Bizzabo divides its platform into separate network groups to better protect data. Network security protections are designed to prevent unauthorized network access to and within the internal product infrastructure.

Within the infrastructure, internal network restrictions allow a many-tiered approach to ensuring only the appropriate types of devices can communicate with each other. Intrusion Detection / Intrusion Prevention (IDS/IPS) solutions are deployed, with near real-time alerts in place that indicate and alert for any suspicious or uncommon activity.

Secure Development & Change Management
Bizzabo has a formalized development and change management process in place, which requires identification and recording of significant changes, assessment of risk and the potential effect of such modifications, approval of proposed changes, and testing of changes to verify operational functionality. Proposed changes are evaluated to determine if they present a security risk and what mitigating actions, including employee and user entity notifications must be performed.

The Bizzabo secure development methodology includes project planning, design, testing, implementation, maintenance, and disposal or decommissioning. Changes to infrastructure and software are developed and tested in a separate development or test environment before release to production. Additionally, to ensure reviews and approvals are required, controls are in place before code is pushed to the production environment.

Access to the source code management tool is restricted to those with a business need for access. On a quarterly basis, access to the source code management tool is reviewed to ensure accuracy.

As part of the development process, static code analysis is also performed.

4. Organizational.

➔ Data classification and business impact assessment
➔ Selection, documentation, and implementation of security controls
➔ Assessment of security controls
➔ User access authorization and provisioning
➔ Removal of user access
➔ Monitoring of security controls
➔ Security management

Personnel
As part of the onboarding process, where applicable, all new Bizzabo personnel (e.g., employees, contractors, interns, etc.) are required to sign an NDA and pass a background check.

An information security & compliance onboarding presentation is reviewed with all personnel upon hire to explain processes, controls, and expectations. Web-based information security & compliance training is also assigned as part of onboarding, and on an annual basis. Every quarter, phishing campaigns are conducted using a third-party solution to ensure that personnel are aware of social engineering risks and how to identify them.

Additionally, at least annually and upon hire, all personnel are required to review and acknowledge applicable policies and procedures based on job role and function, as well as complete information security and privacy web-based training modules.

Access Management
To minimize the risk of data exposure, Bizzabo adheres to the principle of role-based least privilege access. Privileged access requests must be submitted using our internal ticketing system and include a business justification and manager’s approval.

Every quarter, privileged access is reviewed to ensure accuracy. When personnel are moved between roles or terminate their relationship with Bizzabo, a formal offboarding process is initiated, with physical and logical access removed within 24-hours.

Incident Management
Bizzabo established policies and procedures for responding quickly to all security and privacy events. Our approach is we first determine the exposure of the information and determine the source of the security or privacy issue. We will communicate promptly by using in-product messaging, email, and our status page to affected customers. We will also provide periodic updates as needed to ensure the appropriate resolution of any incident.

Any concerns or incidents can be reported to:
➔ [email protected]
➔ [email protected]

Monitoring, Logging & Alerting
Bizzabo invests in automated monitoring, alerting, and response systems to address potential issues continuously. Our systems will alert applicable internal stakeholders regarding error rates, unexpected activity, memory issues, etc.

Our system captures and stores logs from the application level, such as logins (success and failed), page visits, actions, modifications, and more. Logs are protected from changes.

Endpoint Protection
Our endpoint workstations are protected using commercial enterprise-grade antivirus/malware protection with centralized logging and monitoring. All assets are subject to full-disk encryption using Filevault, are password-protected, and auto-lock when idle, requiring re-authentication to unlock.

Endpoints are managed using agent-based services, which allow the ability to add/remove applications, deploy/change configurations, web-filtering, removable storage restrictions, as well as to remotely wipe/lock the asset.

Risk Assessment
Bizzabo regularly reviews the risks that may threaten the achievement of its service commitments and system requirements. This is done through regular meetings with appropriate personnel responsible for the processes, procedures, and controls.

Additionally, reviewing and acting upon any security event logs, performing vulnerability assessments, and conducting a formal annual information security risk assessment in conjunction with the company-wide risk assessment.

Independent third parties are engaged annually to conduct application-level (to mobile, web, and APIs) and infrastructure-level penetration tests (black, grey, and white-box). Results of these assessments are shared with the applicable internal staff, and if needed, an actionable plan of remediation is discussed and executed according to requirements outlined in policy.