CommandBar Security Overview
CommandBar takes security seriously. A lot of companies say that. We prefer to back it up with our actions and clear communication about our policies to let you assess how seriously we take security.
For those looking for reassurance that CommandBar is a secure, enterprise-grade option:
- We are trusted by public companies with millions of end users.
- We are SOC 2 Type 2, HIPAA, and GDPR certified to the most stringent standards.
- We offer a number of options to tune CommandBar to your company’s security and availability posture.
For more details, check out our Security Dashboard.
How to break down CommandBar’s security posture
We think of CommandBar’s security in the following buckets.
Preventing unauthorized parties from accessing CommandBar and our customer data. This includes external parties and internal parties (most breaches in 2023 begin with a compromised internal party).
The easiest way for us to communicate our commitment to application security is with our certification.
- We are SOC 2 Type 2 compliant, certified for security. Enterprise customers can request a copy of our compliance report.
- We are HIPPA compliant, so customers who process personal health information (PHI) of patients can safely use CommandBar without risking their own security status.
For further detail, here are some practices we maintain to ensure Application security.:
- Force all API transactions to use HTTPS, so all data-in-transit is encrypted using TLS
- Encrypt all data at-rest
- Host all of our servers and databases in the US in facilities that are SOC 2 and ISO 27001 certified
- Maintain detailed audit logs of internal systems
- Regularly conduct external penetration tests from third-party vendors (CommandBar Enterprise customer can also request our results, which we're proud of)
- Regularly conduct security awareness training sessions with all employees
- Maintain detailed audit logs of all internal systems.
- Have a responsible disclosure program, in order to work with security researchers when they identify potential security vulnerabilities. We guarantee a response to all legitimate reports within 5 days from submission. This allows us to ensure any vulnerabilities that do arise are reported and dealt with prompty.
As a cloud service, we must be available for our both our customers (to log into their CommandBar Dashboard and make changes) and their end users (to ensure they reliably have access to CommandBar experiences).
Most companies who report SOC 2 compliance are only certified for Security, but we have gone the extra mile to also obtain certification for Availability (in addition to Privacy, which is also non-standard), which means we take extra precautions to ensure we maintain our availability record in the future. For details, Enterprise customers can request our SOC 2 report (which covers Security, Availability, and Privacy).
Privacy (end user data)
CommandBar generates data from end users interacting with our experiences and your application, and makes this data available to our customers, so you can fine-tune your CommandBar configuration and better understand user behavior overall.
We offer several dials to control the flow of end-user data.
- Our Growth tier includes the option to specify data fields that should be removed from analytics events.
- Our Enterprise tier includes the option to turn of all logging to CommandBar’s servers entirely. Data can still be sent to a custom destination (like an internal data lake or CDP).
Regardless of configuration, CommandBar is compliant with GDPR.
Most companies who report SOC 2 compliance are only certified for Security, but we have gone the extra mile to also obtain certification for Privacy (in addition to Availability, which is also non-standard). For details, Enterprise customers can request our SOC 2 report (which covers Security, Availability, and Privacy).