Security

You’re entrusting BambooHR with your data, and we take that responsibility very seriously. That’s why we practice both Defense in Depth, a security principle that layers multiple independent controls so that no single failure exposes your data, and Zero Trust, a security model that authenticates and authorizes every request at the system level rather than trusting anything inside a network perimeter. Here are just some of the measures we take to lock down your data, prevent leaks, and block unauthorized access:

  • Active bug bounty program.
  • Web application firewall.
  • Input validation.
  • 24/7 security management and monitoring.
  • Native Multi-Factor Authentication.
  • Frequent vulnerability scans.
  • Annual third-party SOC 1 and SOC 2 audits.
  • Third-party penetration test.
  • Industry-standard encryption of data in transit and at rest.

Review Our Whistic Profile

Running a secure operation starts with creating a secure application, but it also requires constant monitoring, improvement, and vigilance against internal and external threats. Want to see the complete report of our ongoing security measures for yourself?

BambooHR makes it easy to validate our security posture by bringing together all the security documentation you’re looking for in our Whistic profile. Reports, certificates, audits, questionnaires—they’re all here. Register, accept our Non-Disclosure Agreement, and access our documentation, including:

  • CAIQ (Consensus Assessments Initiative Questionnaire)
  • SIG Lite Questionnaire
  • SOC 2 Type 2
  • Transfer Impact Assessment

Secure, International Hosting Sites

We host customer data in state-of-the-art data centers located in the United States, Canada, or Ireland, depending on the location and needs of the individual customer and applicable laws. All customer data is encrypted in transit and at rest. Additionally, the data center located in Ireland meets the data residency and protection requirements of the European Union, the European Economic Area, Switzerland, and the United Kingdom.

Hosting regions: United States, European Union (Ireland), Canada.

EU Customers

We also maintain compliance with European Union and United Kingdom data privacy laws to ensure data privacy for our European and UK customers.

For more information, see our privacy and legal pages.