Overview

Backflipt Security

Backflipt is committed to providing a highly secure and reliable integration and business automation service. Its security posture covers maintaining the confidentiality of customers' information and ensuring that this information is available when it is needed. Backflipt uses proven, tested, best-in-class security tools, technologies, policies, and procedures.

Compliance

SOC 2 Type 2

A System and Organization Controls 2 (SOC 2) Type 2 audit is performed by an independent CPA firm under standards set by the American Institute of CPAs (AICPA). The audit uses the AICPA Trust Services Criteria to evaluate the design and operating effectiveness of a service organization's controls over a review period (a Type 1 report covers only the design of controls at a point in time) with respect to security, availability, processing integrity, confidentiality, and privacy.

More information on SOC 2 reports can be found here


Network Security

The Backflipt website is accessible only over HTTPS; plain HTTP is not served. HTTPS traffic is encrypted in transit and protected from interception or tampering by unauthorized third parties. Backflipt follows current best practices for transport security, including the use of strong, modern cipher suites.

Backflipt also uses secure protocols for communication with third-party systems: usually HTTPS, but SFTP and FTPS are also supported. For on-premises systems, access requires installing an on-premises agent behind the customer's firewall. The agent initiates outbound connections to Backflipt over a TLS 1.2 encrypted link, so no inbound firewall ports need to be opened for the integration.

Backflipt uses a multi-tier architecture that separates internal application systems from the public Internet. Public traffic to the website passes through a Web Application Firewall (WAF) before being routed to internal systems running on private subnets. Both internal and external network traffic uses encrypted protocols. All network access, within the data center and between the data center and outside services, is restricted by firewall and routing rules, and network access is recorded in a centralized, secure logging system.

Data Security

Data in Transit

All data in transit is encrypted using Transport Layer Security (TLS), the successor to the deprecated SSL protocols. Backflipt only exchanges information with services that the user has authorized.

Workflow Data

When a business automation (flow) executes, data pulled from the connected applications is processed step by step inside the flow. This data is deleted at the end of the flow execution; however, for debugging purposes, step data and execution logs can be retained for up to 30 days.

Authentication Data

Users authenticate to the connected applications so that business automations can process data on their behalf. This authentication data consists of OAuth access tokens, API keys, or credentials. It is encrypted with 256-bit encryption before being stored, and it is deleted when the user removes the authentication for an application.

Personal Account Information

Any personal details such as username and the email address needed to create an account will be stored as long as the user account is active. The tenant administrator has full control over user account management (Add, Delete) for all organization users. At any point, a tenant administrator can request to delete all user records, and this data will be deleted from our systems.

Data at Rest

Data at rest is stored encrypted with AES-256. Decryption requests from the Backflipt service are handled by a separate Backflipt security management component, so key handling is kept apart from the application tier.

We take precautions to ensure that your personal information and data is protected.

We don’t sell your data.

We won’t send email to your contacts or post to social networks without your permission.

Account Login

User account passwords are never stored in plaintext; they are stored as salted hashes computed with a robust password-hashing function.

Users can optionally enable two-factor authentication using a TOTP authenticator app such as Google Authenticator or Microsoft Authenticator.

Backflipt supports integration with third-party SAML-compliant single sign-on (SSO) systems. This lets an enterprise manage access to Backflipt alongside its other applications from one identity provider and apply its own authentication schemes and policies.

Backflipt also supports single sign-on with third-party credentials, including Google and Microsoft Office 365 accounts.

Backflipt supports automatic session logout after a configurable period. Enterprises can set the timeout according to their security needs.

When a business automation connects to a remote system on the user's behalf, OAuth2 is used wherever the remote system supports it: the user's password for that system is never seen or stored by Backflipt, only the OAuth2 tokens it issues (stored encrypted, as described under Authentication Data). If a remote system only supports stored credentials such as API keys or passwords, those are encrypted with a 256-bit key (AES-256) before storage.
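The paragraph above and the Data at Rest section describe the same mechanism: a stored credential is sealed with AES-256 and the key is supplied by a separate component. Backflipt does not publish its implementation, so the following is an added example, not Backflipt's code, showing that pattern in Go with the standard library: AES-256-GCM with a random 96-bit nonce per ciphertext, the owning record's identifier bound as associated data so a ciphertext copied to another user's record fails to decrypt, and the key fetched by identifier from a resolver rather than stored beside the data. The KeyResolver interface, the in-memory stand-in for the key service, the key and record identifiers and the sample secret are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyResolver stands in for the separate key-management component (hypothetical
// interface for this example): the application asks for a data-encryption key
// by identifier and never persists the key next to the ciphertext.
type KeyResolver interface {
	Resolve(keyID string) ([]byte, error)
}

// memoryResolver is a stand-in holding keys in a map. A real resolver would call
// the key service over an authenticated channel and enforce access control there.
type memoryResolver map[string][]byte

func (m memoryResolver) Resolve(keyID string) ([]byte, error) {
	k, ok := m[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key %q", keyID)
	}
	return k, nil
}

// SealedCredential is the shape written to the database.
type SealedCredential struct {
	KeyID      string // which key sealed it, so keys can be rotated
	Nonce      []byte // 96-bit random nonce, unique per ciphertext
	Ciphertext []byte // AES-256-GCM output including the 16-byte tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a credential (API key, password or OAuth refresh token).
// recordID is bound as associated data: the same ciphertext under another
// record identifier does not authenticate.
func Seal(kr KeyResolver, keyID, recordID string, secret []byte) (*SealedCredential, error) {
	key, err := kr.Resolve(keyID)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, secret, []byte(recordID))
	return &SealedCredential{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts and authenticates. Any change to nonce, ciphertext, tag or
// recordID returns an error instead of garbage plaintext.
func Open(kr KeyResolver, recordID string, sc *SealedCredential) ([]byte, error) {
	key, err := kr.Resolve(sc.KeyID)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sc.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, sc.Nonce, sc.Ciphertext, []byte(recordID))
}

// newTestResolver builds a resolver holding one fresh random AES-256 key.
func newTestResolver(keyID string) (KeyResolver, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return memoryResolver{keyID: key}, nil
}

func main() {
	kr, err := newTestResolver("dek-001") // assumed key identifier
	if err != nil {
		panic(err)
	}
	rec := "user42/connection/crm" // assumed record identifier
	sc, err := Seal(kr, "dek-001", rec, []byte("sample-api-key-not-real")) // constructed secret
	if err != nil {
		panic(err)
	}
	fmt.Println("stored ciphertext:", hex.EncodeToString(sc.Ciphertext))
	pt, err := Open(kr, rec, sc)
	fmt.Println("same record:", string(pt), err)
	_, err = Open(kr, "user7/connection/crm", sc)
	fmt.Println("other record:", err)
}
```

Deleting the stored row (as the page describes when a user removes an authentication) is what makes the credential unrecoverable; rotating or destroying the key at the resolver achieves the same for every row sealed under that KeyID.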

Data Privacy

Backflipt publishes a public privacy policy that details the types of personal information we collect, how we handle this information, and our customers' privacy rights.

Hosting Environment

Backflipt runs on AWS infrastructure hosted in the USA. Amazon maintains high standards of security for its data centers; for details on the measures AWS takes to keep its infrastructure secure, please visit the AWS Security Page.

Application Development and Testing

Backflipt has a comprehensive software development lifecycle process that incorporates security and privacy considerations. Design and code reviews, as well as unit and integration testing, are part of the process.

Development staff receive regular training on secure coding practices from a qualified third party. Regular internal vulnerability scans are conducted, and an annual penetration test of the website is performed by a qualified third party.

Incident Response

Backflipt has deployed a variety of security and monitoring tools for its production systems. The security status of these systems is monitored, and automated alerts are configured for security and performance issues. While we do not anticipate a breach of our systems, Backflipt has put in place a Security Incident Response Plan that details roles, responsibilities and procedures for an actual or suspected security incident.

High Availability

Backflipt has implemented a Business Continuity and Disaster Recovery program. This program includes contingency planning for natural disasters and other possible disruptions. IT measures used to ensure high availability include running services in multiple redundant cloud Availability Zones and replication of the application database to a standby system.

Current system status and recent uptime statistics are continuously available at status.backflipt.com.

Our Organization

All employees are subject to background checks that cover education, employment and criminal history. Employment at Backflipt requires written acknowledgement by employees of their roles and responsibilities with respect to protecting user data and privacy.

Backflipt maintains an information security training program that is mandatory for all employees. Knowledgeable full-time security personnel are on staff.