Bugfender’s Security Principles
We understand that protecting your customers' data is vital for you. It's just as important for us. We're tired of "free" products which actually make money by selling your data.
Bugfender is fully committed to safeguarding the data we're handling for you. Here is how we do it:
Your Customer’s Data is Yours
… and we operate by this principle. We don’t use your customer’s data, we don’t sell it to third parties, and we don’t target your customers with ads, tracker cookies or anything like it. Period.
User Account Protection
Your team members' passwords are stored using a password-based key derivation function, so neither our staff nor a potential intruder can read or guess your password from the stored value.
We offer two-factor authentication using the industry-standard Time-based One-Time Password (TOTP, via an authenticator app like Google Authenticator or Authy), FIDO U2F security keys (like YubiKey or Krypton), and phone number validation with SMS as a fallback.
We keep an audit log of the most recent activity on your account and your teams. In the event that our customer support team accesses your account on your behalf, to assist with any requests you make, our actions will appear in the log for complete transparency. To guarantee maximum security, our staff is always required to use two-factor authentication, even if you do not have it enabled.
All network communications involving your logs are protected with TLS 1.3 authentication and encryption using strong cipher suites. For backwards compatibility, TLS 1.2 is also accepted. Your data is always authenticated and encrypted, both in transit and at rest.
Our staff is always two-factor authenticated when accessing your data. Only select employees on customer support and operations have access to your data, in order to perform their duties. They are informed of their security responsibilities and receive security awareness training.
We run datacenters at multiple, distant locations (always within the European Union) to ensure we can quickly recover from a potential problem. We offer the possibility of custom datacenters if required. Contact us for this option.
Bugfender complies with GDPR and is ready to process your customers' personal data under GDPR for standard categories of data; you can sign a Data Protection Agreement with us for that. Within the agreement, we support you in fulfilling your obligations on data access, rectification, erasure, expiration, data portability, export, and notification of breaches.
We process your data at ISO 27001-certified data centers within the European Union, offering legal, physical and logical security protection measures, regular security audits, and staff training.
We're also ISO 27001 compliant ourselves: our code is developed following a Software Development Life Cycle process, the code is reviewed manually and with automated tools, and we perform penetration tests following the industry's best practices. We have an incident response process, and we perform employee background checks, training, supplier vetting, etc.
Your financial information, like your credit card, is never stored on our servers; it is securely protected and kept by a third-party PCI-certified supplier.
Highly sensitive workloads
Bugfender On-Premises or Private Instance editions can be used in PCI- and HIPAA-compliant workloads, or workloads that require data locality. Contact us for this option.
Our Enterprise customers can also sign custom contracts if specific language is required. Contact us for this option.
If you’re a security researcher and you found a security vulnerability in Bugfender, please feel free to get in touch with our security contact.
Our staff will be happy to answer any questions you might have regarding security and compliance, so please feel free to contact us with your question. For high-sensitivity communications we have a PGP key available.