Bitscale Security

Last updated: November 4, 2025

Security is engineered into every layer of Bitscale. We safeguard customer data with strong identity controls, hardened cloud infrastructure, encryption everywhere, and continuous monitoring.

Infrastructure & Cloud Security

  • CIS AWS Foundations Benchmark v1.4.0 applied to all AWS accounts
  • Azure Operational Security Checklist for managed components
  • GCP Security Best Practices for compute and data storage
  • Network segmentation through private VPCs, subnets, and restrictive ACLs
  • Security Groups limit inbound/outbound access to known services only
  • All changes are enforced via Infrastructure as Code (Terraform) with peer review and logging

Data Protection

  • Encryption in Transit: All data exchanges occur over TLS 1.2+
  • Encryption at Rest: Data and backups are encrypted with AES-256
  • Key Management: Encryption keys are managed and rotated via AWS KMS
  • Isolation: Tenant data is logically separated at the database and application layers
  • Data Retention: We store only operationally necessary data; deletions and exports are handled upon request
  • Secure Backups: Nightly automated, encrypted backups with tested restore procedures

Identity & Access Controls

  • Least Privilege: Every system and service follows the principle of least privilege
  • Role-Based Access Control (RBAC): Used across internal and production systems
  • Multi-Factor Authentication (MFA): Required for all administrative and cloud access
  • SSO Integration: SSO + SAML enforced for internal tools
  • Session Expiry: Automatic timeouts and lockouts after failed attempts
  • Zero Standing Privileges: Admin access is just-in-time and time-bound

Endpoint & Server Hardening

  • Baseline configurations for all servers and workstations
  • Unnecessary ports, services, and applications are disabled
  • Regular patching and vulnerability scanning (Nessus-based) before go-live
  • OS-level policies enforce password complexity and lockouts
  • Full disk encryption on all company-managed endpoints
  • Secure boot and BIOS protection enabled
  • MDM applied for device compliance, remote wipe, and encryption enforcement

Network & Application Security

  • Firewalls: Strict ingress/egress control at every network layer
  • IDS/IPS: Intrusion Detection & Prevention Systems monitor traffic and anomalies
  • WAF: Web Application Firewall mitigates OWASP Top 10 threats
  • Segmentation: VLANs isolate production, staging, and corporate environments
  • VPN: Required for administrative and support access
  • Rate Limiting & DDoS Protection: AWS Shield and Cloudflare safeguard APIs
  • Secure SDLC: Security testing integrated into CI/CD pipelines (SAST, DAST, dependency scans)
  • Static and Dynamic Code Reviews: Performed for every release

Secure Development Lifecycle (SDLC)

Security is integrated from design to deployment:

  • Code reviews with security sign-off
  • Dependency vulnerability scanning via GitHub Dependabot + OWASP dependency-check
  • Threat modeling for major features
  • Regular internal penetration tests
  • Continuous scanning of production surfaces
  • Controlled deployment via CI/CD with rollback safety

Authentication & Password Standards

Bitscale enforces strong password and MFA policies for all users and personnel per the Bitscale IT Hardening Guidelines:

  • Minimum 8 characters: uppercase, lowercase, number, and special character
  • No reuse of last 3 passwords; expiry every 90 days
  • No use of personal identifiers (names, birthdays, etc.)
  • MFA required for all cloud console and production logins
  • Account lockout after repeated failed login attempts

Monitoring, Logging & Incident Response

  • 24/7 Monitoring: Using Datadog and CloudWatch for real-time anomaly detection
  • Centralized Logging: Immutable, tamper-proof logs retained for 1 year
  • Alerting & Response: Automated alerts for privilege escalation, failed logins, and data access anomalies
  • Incident Management: Defined IR playbooks and escalation matrix
  • Customer Notification: Within 24 hours of confirmed security incidents

Compliance & Governance

  • SOC 2-aligned internal controls and audit framework
  • GDPR compliance with Data Processing Agreements (DPAs) available upon request
  • Vendor security due diligence before integration
  • Privacy and security training for all employees
  • Periodic external audits and vulnerability assessments

Customer Responsibilities

Security is a shared responsibility. Customers are expected to:

  • Manage user access and permissions responsibly
  • Enable MFA for all team members
  • Rotate API keys and tokens periodically
  • Notify Bitscale immediately if unauthorized activity is suspected
  • Obtain prior written approval before performing penetration testing

Vendor & Subprocessor Management

Bitscale uses a limited set of trusted subprocessors (e.g., AWS, GCP, HubSpot, Apollo) — all vetted for compliance and data protection standards.

Vendor relationships include contractual security clauses, DPAs, and periodic reviews.

Continuous Improvement

Our security posture evolves continuously. We regularly reassess configurations, perform quarterly vulnerability scans, and incorporate learnings from audits, incidents, and new standards.

Reporting a Security Issue

See something concerning? Email [email protected]. We acknowledge within one business day and provide updates until resolution.

© 2026 Bitscale. Featherflow Technology Pvt Ltd.
