As a cybersecurity company, we take the protection of our platform and any customer data on it very seriously. Below is an overview of how we are addressing our responsibilities.


Security is best implemented through a mixture of people, process and technology controls in many layers of our service. Below is a list of the main points, but there’s lots going on behind the scenes too;

  • We perform regular risk reviews to identify ways in which we can improve the security of, taking steps to find and mitigate risks to address any areas that we believe can be improved upon and further secured.
  • Our hosting is with industry-leading AWS. You can view their security page here.
  • Access to customer data or our application and infrastructure is provided strictly on a need-to-know basis, enforcing ‘Least Privilege Access’ principles. We conduct reviews of our roles and access controls regularly to ensure this principle hasn’t slipped.
  • We take full daily backups of our service and the data within it to ensure any impact from a disaster is minimised in terms of recovery point and recovery time (we can get back up and running really quickly, and without losing much data).
  • We employ 256-bit Advanced Encryption Standard (AES) for all storage and transfer of data, to reduce risks of eavesdropping or data theft.
  • All system administrator access makes use of Two Factor Authentication so that account misuse threats are minimized
  • We operate regular vulnerability scanning across our applications and infrastructure to ensure rapid identification and remediation of vulnerabilities.
  • We operate a program of responsible disclosure and undertake penetration testing and active red-team testing to find and mitigate common attacks.
  • We build security into our development and operations (DevOps) processes, to run a secure development lifecycle with secure-by-design principles adopted from the earliest stages in all activities.
  • We use different environments for development, testing and live operations of our services. These environments are separated both logically and physically from each other and no customer data is used in testing or development.
  • Comprehensive audit logs are kept for changes made by administrators. They provide records including type, action, performer and timestamp that it was executed.
  • Our full service is monitored 24/7 for security incidents, with response plans in place and tested for common scenarios.
  • Billing security is handed off to our payment partners; we do not store any payment card information


We’re a (very) young company, and still in the process of building our operations and platform. That said, we are building with the intention of getting certified to a number of industry standards. This section will be updated as we make progress.


If you are a current customer and suspect your account has been compromised, please get in touch with us immediately directly by email to works vigilantly to keep our (and our customers’) information secure, and we recognise the important role that security researchers can help play in both maintaining and improving our security posture. We operate a responsible disclosure program on the following basis:

  • You must act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including Denial of Service).
  • The following specific activities are explicitly forbidden under our responsible disclosure program, and any such activity will be considered an attempt to compromise our services and be liable for prosecution under appropriate laws.
    • Please do not perform any social engineering attacks;
    • Please do not carry out any distributed denial of service (DDoS) attacks, including large scale account enumeration or brute force that might lead to the lock-out of a real user’s account;
    • Please do not use any automated vulnerability/scanning tools (existing measures in place may permanently block an offending IP address); and
    • Please do not carry out any attack against our corporate email ( and associated infrastructure.

If you wish to create an account on our platform for the purpose of security research, we politely ask that you identify this account by starting your organisation name with “BB-” followed by some text of your choice


  • The following reported issues would be considered to be outside the scope of our program:
    • Our policies and implementation of SPF/DMARC records.
    • Password, email and account policies, such as email id verification, reset link expiration, password complexity.
    • Attacks requiring physical access to a user’s device.
    • Host header injections unless you can show how they can lead to stealing user data.
    • Reports of spam (ie. any report involving the ability to send emails unless the applicable rate limits we enforce can be bypassed).
    • Vulnerabilities affecting users of outdated browsers or platforms.
    • Vulnerabilities involving active content such as web browser add-ons.
    • Social engineering of employees, contractors or customers.
    • Any physical attempts against property or data centers.
    • Any report that discusses how you can learn whether a given username or email address has a account.
    • Any access to data where the targeted user needs to be operating a jailbroken/rooted mobile device.
    • Content spoofing vulnerabilities (where you can only inject text or an image into a page).
    • Ability to share links without verifying email.
    • Absence of rate limiting, unless related to authentication.
    • IP/Port Scanning via services unless you are able to hit private IPs or servers.
    • Disclosure of public information or information that does not present risk to or our customers (eg. web server type disclosure).
    • Phishing risk via unicode or right-to-left-override issues.
    • Vulnerabilities contingent on a client system previously being compromised.
  • You should provide a thorough proof-of-concept/replication of your findings including the steps taken; any videos and images; a fully documented description and business impact details, and to only.
  • Information relating to our technology and information security arrangements (unless made public by us) is confidential. Any information you receive or collect about or any of our customers as part of your research prior to making a Responsible Disclosure submission, as detailed in this program, must be kept confidential and only used in connection with the Responsible Disclosure. You may not use, disclose or distribute any such information without our prior written consent. Any such information should be deleted once your submission has been received.
  • reserves the right to change or withdraw this program at any time and is under no obligation to reward any submission in any way. We will not negotiate in response to duress or threats (eg. threat of withholding the vulnerability, or of releasing the vulnerability or any exposed data to the public). In any and all such cases, we will engage the appropriate authorities as necessary.

Any security vulnerabilities discovered within the parameters of our responsible disclosure program should be reported directly by email to

Our policy is that we do not provide financial incentives/rewards for security vulnerability findings

Wall of gratitude

We are grateful for the efforts of those security researchers who have made reports of vulnerabilities to us, in line with the policy above. On behalf of and our users, we would like to thank the following individuals for helping making our services and assets more secure: