Bugfender’s Security Principles

We understand that protecting your customer’s data is vital for you. It’s just as important for us. We’re tired of “free” products which actually make money by selling your data.

Bugfender is fully committed to safeguarding the data we’re handling for you. Here is how we do it:

Your Customer’s Data is Yours

… and we operate by this principle. We don’t use your customer’s data, we don’t sell it to third parties, and we don’t target your customers with ads, tracker cookies or anything like it. Period.

User Account Protection

Your team members’ passwords are securely stored using a password-based key derivation function, so there is no way for our staff or a potential intruder to guess your password.

We offer two-factor authentication using the industry-standard Time-based One-Time Password (via an authenticator app like Google Authenticator or Authy), FIDO U2F Security Keys (like YubiKey or Krypton) and phone number validation with SMS as a fallback.

We keep an audit log of the most recent activity on your account and your teams. In the event that our customer support team accesses your account on your behalf, to assist with any requests you make, our actions will appear in the log for complete transparency. To guarantee maximum security, our staff is always required to use two-factor authentication, even if you do not have it enabled.

Data Protection

All communications between the Bugfender SDK residing in your applications and our datacenters are protected with the latest TLS v1.3 authentication and encryption with strong cipher algorithms. The exact same protection applies to your visits to the Bugfender Dashboard. Your data is always authenticated and encrypted when in transit.

We support very old mobile devices, all the way back to Android 2.x, so we still fall back to the most modern TLS version the device supports, down to v1.0. We do not allow unencrypted communications, or communications encrypted with SSL/TLS versions lower than that.

We process your data at ISO 27001-certified datacenters within the European Union, offering legal, physical and logical security protection measures, regular security audits and staff training.

Still, data is always encrypted in transit, even within our datacenters. Data is also encrypted when at rest in most places (we’re performing some improvements to ensure data is always encrypted).

Our staff is always two-factor authenticated when accessing your data. Only select employees on customer support and operations have access to your data, in order to perform their duties. They are informed of their security responsibilities and receive security awareness training.

We run datacenters at multiple, distant locations (always within the European Union) to ensure we can quickly recover from a potential problem. We offer the possibility of custom datacenters if required. Contact us for this option.

Compliance

Bugfender complies with GDPR and is ready to process your customers’ personal data under GDPR for standard categories of data as well. You can sign a Data Protection Agreement with us for that. Within the agreement, we provide support to perform your obligations on data access, rectification, erasure, expiration, data portability, export and notification of breaches.

Your financial information, like your credit card, is never stored on our servers. It’s securely protected and kept by a third-party, PCI-certified supplier.

High sensitivity workloads

Bugfender On-Premise or Private Instance editions can be used in PCI and HIPAA-compliant workloads. Contact us for this option.

Our Enterprise customers can also sign custom contracts if specific language is required. Contact us for this option.

Further reading

You may also want to read our Terms of Service, our Privacy Policy and the Security and Compliance section in our Knowledge Base.

Questions?

Our staff will be happy to answer any questions you might have regarding security and compliance, so please feel free to contact us with your question. For high-sensitivity communications we have a PGP key available.