šŸ‘‹šŸ½ We wrote a book! Order Wireframing for Everyone today ā†’

Balsamiq

Toggle navigation

Information Security


Since we have limited resources to reply to custom security questionnaires, we have adopted the CAIQ-Lite and VSAQ standards, which cover most of what you might want to know about our information security practices.

If you plan on spending more than USD $1,000 with Balsamiq over the next year, email your security questionnaire to support@balsamiq.com. Otherwise you should be able to find all the answers you need on this page, and the pages linked below.

Questionnaire answers are not available for our Desktop and Server-hosted Apps, but you can refer to their Terms of Service and License Agreements.


Frequently Asked Security-Related Questions

How Is My Data Protected from Another Customer's Data?

Each of our Services has a single database for all of that Service's users' data. We use software best practices to guarantee that only the people you designate as viewers of your data can access it. In other words, we segment our customer data via software. We do our best and are very confident we're doing a good job at it, but, like every other web app that hosts its customers' data in the same database, we cannot guarantee that a sophisticated hacker cannot access other people's data.


How Are You Protecting My Data from Hacker Attacks?

Security is one of the main reasons we chose Amazon Web Services as the infrastructure provider for our Balsamiq Services. It has the best track record out there; look at this article, for instance.

To see all the steps Amazon takes to protect the data saved on its services, take a look at the extensive Security And Compliance Center and the security-related white papers. It's what makes us sleep well at night. AWS is ISO/IEC 27002 certified.

We also have our own practices in place, which follow the industry's best practices. We only give access to our servers to senior Balsamiq security experts; we keep our servers up to date with security fixes at all times; we have one-click ways to take down servers should they become infected or compromised and to create and deploy new, clean ones; we have an automated suite of tests against cyber attacks; we use 2-factor authentication whenever possible; and more. We don't run background checks on employees, hold CISSP certifications, or keep audit logs.

Our Services have never been compromised so far.

Should our systems get compromised, we will replace the server(s) that have been hacked with new ones (we can do this with very few clicks). If this doesn't stop the attack, we'll shut down the service until we can fix the vulnerability. We will also hire outside experts to help us and verify that we're safe to resume service.


Are you PCI DSS compliant?

Yes, we are. We go through the self-assessment process annually and get scanned regularly.


What Should I Do If I Find a Security Vulnerability in a Balsamiq Service?

If you have discovered a security concern, please email us at security@balsamiq.com. We'll work with you to make sure that we understand the scope of the issue, and that we fully address your concern. We consider correspondence sent to security@balsamiq.com our highest priority, and work to address any issues that arise as quickly as possible.

Please act in good faith towards our users' privacy and data during your disclosure. We won't take legal action against you or administrative action against your account if you act accordingly: white hat researchers are always appreciated.