Since we do not have the resources to reply to custom security questionnaires, we have adopted Google's VSAQ standard, which covers everything you might want to know about our information security practices.
Our answers to the questionnaires evolve over time, as our company grows. We publish revised answers here regularly.
The answers below apply to all of our products and services.
Questionnaires answers are not available for our Desktop and Server-hosted Apps, but you can refer to their Terms of Service and License Agreements.
Each of our Services has a single database for all of that Service users' data. We use software best practices to guarantee that only people who you designate as viewers of your data can access it. In other words, we segment our customer data via software. We do our best and are very confident we’re doing a good job at it, but, like every other web app that hosts their customers data on the same database, cannot guarantee that a sophisticated hacker cannot access other people’s data.
Security is one of the main reasons we chose Amazon Web Services as the infrastructure provider for our Balsamiq Services. It has the best track record out there, look at this article for instance.
To see all the steps Amazon takes to protect the data saved on its services, take a look at the extensive Security And Compliance Center and the security-related white papers. It’s what makes us sleep well at night. AWS is ISO/IEC 27002 certified.
We also have our own practices in place, which follow the industry’s best practices. We only give access to our servers to senior Balsamiq security experts, we keep our servers always up to date with security fixes, have one-click ways to take down servers should they become infected/compromised and to create and deploy new clean ones, we have an automated suite of tests against cyber attacks, we use 2-factor authentication whenever possible, and more. We don’t run background checks on employees nor have CISSP certifications or have audit logs.
Our Services have never been compromised so far.
Should our systems get compromised, we will replace the server(s) that have been hacked with new ones (we can do this with very few clicks). If this doesn’t stop the attack, we’ll shut down the service until we can fix the vulnerability. We will also hire outside experts to help us and verify that we’re safe to resume service.
If you have discovered a security concern, please email us at firstname.lastname@example.org. We’ll work with you to make sure that we understand the scope of the issue, and that we fully address your concern. We consider correspondence sent to email@example.com our highest priority, and work to address any issues that arise as quickly as possible.
Please act in good faith towards our users’ privacy and data during your disclosure. We won’t take legal action against you or administrative action against your account if you act accordingly: White hat researchers are always appreciated.