Security Policy

BlueOcean is fully committed to protecting the privacy of all customers as well as anyone with an association as an employee or customer of our customers. The protection of all information in the BlueOcean Brand Navigator platform is of the utmost importance.

Compliance

Security and trust are an integral part of BlueOcean’s ethos. BlueOcean received a clean SOC 2 Type 2 audit report, issued by Barr Associates on November 4th, 2022, and all security monitoring is performed continuously by Vanta.

AWS

BlueOcean’s Brand Navigator platform is hosted entirely in the Amazon Web Services (AWS) public cloud. All AWS security best practices are adhered to, monitored, and maintained using multiple monitoring solutions, both native to AWS and external to it.

BlueOcean employs a role-based access control (RBAC) least privilege security methodology. Users with access to the AWS platform are given the minimum level of access required for their job function, and access is audited every 90 days.

For additional details regarding AWS security, please refer to the following pages:

AWS Security
https://aws.amazon.com/security/

AWS Compliance
https://aws.amazon.com/compliance/programs/

AWS DataCenter Security
https://aws.amazon.com/compliance/data-center/data-centers/

Application Access

Brand Navigator may only be accessed through the application layer using approved credentials. Standard user access controls, including MFA and strong passwords, are used to restrict platform access to authorized users only. BlueOcean does not provide customers or external systems with direct access to any databases or backend systems. This approach prevents unauthorized services or systems from accidentally or maliciously retrieving or modifying BlueOcean data.

DevOps User Access

Access for DevOps users is also granted on a role-based access control (RBAC), least-privilege basis. Multi-factor authentication and strong, high-entropy passwords are required for all user accounts. Access to all root accounts is restricted and multi-factor authentication is enabled on them to prevent unauthorized access at this level.

Encryption In Transit and at Rest

All traffic into and out of the BlueOcean application is encrypted using TLS/SSL, with cipher suites that use AES for encryption and SHA-2 for integrity.

Data is encrypted using the Advanced Encryption Standard (AES) with 256-bit secret keys. Encryption keys are stored in the AWS Key Management Service (KMS). Databases are encrypted at rest as well as in flight between the underlying volume and the serverless compute instances.

Audit Logs

Application and backend log data is replicated to a central log management solution and retained for a minimum of 7 days.

Backups

Data is backed up continuously for two weeks to support point-in-time recovery. In addition, weekly snapshots are retained for an appropriate period to ensure the established recovery time objective can be met. Snapshots are scheduled and executed daily on all critical server infrastructure. All backups are encrypted in transit and at rest.

Periodic Penetration Tests

BlueOcean has engaged a third-party partner to conduct yearly vulnerability and penetration testing.

Organizational and Information Security

BlueOcean vets employees and performs background checks in accordance with local laws. All employees complete annual security training which covers topics such as data privacy, information security, and password security.

Employee workstations are configured with full-disk encryption, strong passwords, and automatic locking.

Incident Response

If BlueOcean becomes aware of unauthorized access to any managed systems under its control (an “Incident”), BlueOcean will:

  • Take swift and reasonable measures to mitigate the effects of the Incident and rapidly take measures to prevent further unauthorized access or disclosure.
  • Upon confirmation of the Incident, notify the Customer in writing within an appropriate timeframe, as determined by the size, breadth, and scope of the Incident.
    • BlueOcean may delay such notice as requested by law enforcement and/or in light of BlueOcean’s legitimate need to investigate or remediate the matter before providing notice.
    • The notice will include:
      • the extent of the Incident and what is reasonably believed to have been used, accessed, acquired or disclosed during the Incident;
      • a detailed description of what happened, including the date of the Incident and the date of its discovery, if known;
      • the scope of the Incident, to the extent known and appropriate to share with the Customer;
      • a description of BlueOcean’s response to the Incident, including the steps BlueOcean has taken to mitigate the harm caused by it.

How to report an issue

If you believe you have discovered a security-related issue, please report it to security@blueocean.a
