Bagel AI Trust Center

Learn how security and privacy are our top priority

Written by Ohad Biron

At Bagel AI, we take our customers’ data very seriously. Since day one, security and privacy have been “job zero” for us and part of every decision that we make.

Bagel AI is committed to delivering forward-thinking technology while honoring the responsibility to safeguard the data customers share with us. We have taken a multi-tiered security approach in the design of our application and maintain that standard through secure development practices combined with a number of third-party assessments. Our focus remains on releasing product features that empower workplaces without sacrificing security.

We know that entrusting us with your internal corporate data is an important decision. Therefore we have taken numerous steps to build a strong security program that provides the reassurance you need. We ensure that each customer’s data is kept safe and separate from other customers’ data, and we apply the same principle of limited access to our own staff’s capabilities. Bagel AI doesn’t view your data unless you’re aware, and we will never create any sort of meta-reporting that can be resold later. Our business is focused on delivering the value we promise and nothing else.

Compliance

SOC2 Type 2 compliant

Bagel AI is SOC2 Type 2 compliant, certified by EY. We are excited about this, as not many companies of our size and stage invest the time and effort needed to reach SOC2. This is a testament to the continuous effort we put towards security and privacy for our customers. It also outlines our philosophy and approach to information security management, risk assessment, board oversight, and third-party risk, among other principles. We also engage an external security firm for penetration testing exercises on a regular cadence and can share these reports with customers and prospects upon NDA signature. For the SOC2 Type 2 report, please contact us via email at [email protected].

Infrastructure

All of our infrastructure is hosted using AWS and GCP managed services. This means that all of our applications and platforms follow the best industry standards available in terms of security, reliability, privacy and encryption that AWS and GCP can provide. AWS and GCP comply with dozens of security frameworks and standards, and by only selecting managed services we ensure that we leave the heavy lifting of managing and securing the underlying infrastructure to AWS & GCP.

We integrate with external services such as Salesforce, Jira, Zendesk, Gong, and Slack, but we do so by following their strict API-level authentication requirements (OAuth 2.0) and adhering to the permissions that customers grant to Bagel AI, giving you full control over our access.

We physically and logically isolate hosted environments on a private VPC network. Both network traffic and access control are strictly controlled. An example of this is our use of AWS IAM: having access to the private network alone is not enough to reach a given system; the caller must also be identified and granted access to resources based on its role and permissions.

As part of our continuous compliance and DevSecOps practices, we monitor AWS security event streams, like CloudTrail and GuardDuty. We are notified when our base images have any vulnerabilities and take immediate action.

Amazon’s and Google Cloud's data centers have been validated for compliance against a number of strict standards, regulations and assorted frameworks. To learn more about Amazon’s Compliance you can visit https://aws.amazon.com/compliance. To learn more about Google Cloud’s Compliance you can visit https://cloud.google.com/compliance.

Privacy

GDPR

The EU General Data Protection Regulation (GDPR) is a new comprehensive EU data privacy law that took effect on May 25, 2018.

Under GDPR, Bagel AI is a data processor; therefore, we provide support to data controllers in order to enable them to fulfill their obligations under GDPR, and will refer any direct inquiry from consumers and end-users to the respective data controller for handling.

Bagel AI has taken various steps to give customers assurance that the use of Bagel AI’s products and services is consistent with the GDPR:

  • Data Protection Agreements are established with relevant customers and third parties to ensure appropriate processing and safeguards are in place for EU personal data.

  • We have standardized processes and technical capabilities in order to help our customers respond to data subject requests for access, rectification or erasure of personal data maintained by Bagel AI.

  • We apply a risk-based approach in the selection and monitoring of all third-party vendor relationships.

Sub-processors: Bagel AI uses third-party services for business & operational efficiency. These sub-processors have limited access to requisite customer data in order to provide specific functionality within our service. We establish data protection agreements that require third-party services to adhere to confidentiality and privacy commitments that we have made to our customers. For a list of current sub-processors, please contact us via email at [email protected].

CCPA

Bagel AI is a service provider, as defined by the California Consumer Privacy Act of 2018 (“CCPA”), a California state law that went into effect on January 1, 2020. CCPA gives California consumers new privacy rights and creates new obligations for businesses that are covered by the law.

The rights for California consumers include:

  • The right to know what personal information a business is collecting and how that information is being used and shared;

  • The right to a copy of the personal information a business holds about a consumer;

  • The right to delete personal information a business holds about a consumer;

  • The right to stop the sale of personal information by a business; and

  • The right to have equal service and price, even if a consumer exercises their privacy rights.

Our business has processes in place in order to respond to consumer requests related to the CCPA.

To learn more about Bagel's privacy policy you can visit https://www.getbagel.com/privacy-policy/. If you would like to request a copy of our Data Protection Agreement or if you have any other privacy-related questions, please email us at [email protected].


Security

Encryption

We use encryption-at-rest on all of our databases, specifically the 256-bit Advanced Encryption Standard (AES-256), with symmetric keys managed by AWS & GCP. These data keys are themselves encrypted using a key stored in a secure keystore, and are rotated regularly. For encryption-in-transit, we enforce HTTPS communication on all of our services and use TLS certificates with ECDSA keys and SHA-256 signatures, running on the latest TLS 1.3.

Security Governance

Bagel AI maintains a formal information security program that is supported by written information security policies, approved by management, published and communicated to staff. We hold a security leadership committee that provides executive-level oversight and approval for security and compliance initiatives and planning through various actions.

Application & Product Security

Users can authenticate via SSO using a G-Suite and/or Slack identity. User passwords are protected by the latest recommendations for strong encryption and hashing (AES-256 and bcrypt). Bagel AI APIs only communicate over encrypted channels and are only accessible to verified users.

Access Controls

Our system has a multitenant architecture that logically separates customer data through access control based on company, users, and roles. Our application has extensive access control lists, authentication, and authorization mechanisms that allow data access for authorized users only. Each customer account is assigned a unique GUID, which allows access only to the services and data consistent with the privileges assigned. Only authorized employees are granted access to production systems, and only as needed to fulfil their job responsibilities. Access is regularly reviewed for business justification.
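To illustrate the access-control model described above (tenant GUID plus user role), here is an added Python example. It is not Bagel AI's code; the role names, permission sets, record store and all GUIDs are constructed for the illustration. The point it demonstrates is ordering: the tenant boundary is enforced before any role is consulted, so an admin of one tenant has no rights over another tenant's data, and lookups are scoped to the caller's tenant so that a record from another tenant is indistinguishable from one that does not exist.

```python
"""Added example (not Bagel AI's code): tenant-scoped authorization.

Every record carries the GUID of the tenant that owns it; every request
carries the caller's tenant GUID and role. Tenant isolation is checked
first and role permissions second. All GUIDs and records are constructed.
"""
from dataclasses import dataclass
from enum import Enum
import uuid


class Role(Enum):
    VIEWER = "viewer"
    EDITOR = "editor"
    ADMIN = "admin"


# Permissions a role holds within its own tenant (assumed model).
ROLE_PERMISSIONS = {
    Role.VIEWER: {"read"},
    Role.EDITOR: {"read", "write"},
    Role.ADMIN: {"read", "write", "delete"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: uuid.UUID
    role: Role


@dataclass(frozen=True)
class Record:
    record_id: str
    tenant_id: uuid.UUID
    payload: str


class AccessDenied(Exception):
    pass


def authorize(principal, record, action):
    # Tenant isolation comes before role: an admin of tenant A has no
    # rights at all over tenant B's data, whatever the role says.
    if principal.tenant_id != record.tenant_id:
        raise AccessDenied(f"{principal.user_id}: cross-tenant access to {record.record_id}")
    if action not in ROLE_PERMISSIONS[principal.role]:
        raise AccessDenied(f"{principal.user_id}: role {principal.role.value} may not {action}")
    return True


class RecordStore:
    """Store that only ever queries within the caller's tenant."""

    def __init__(self):
        self._by_tenant = {}

    def add(self, record):
        self._by_tenant.setdefault(record.tenant_id, {})[record.record_id] = record

    def fetch(self, principal, record_id, action="read"):
        tenant_records = self._by_tenant.get(principal.tenant_id, {})
        record = tenant_records.get(record_id)
        if record is None:
            # Same error whether the id belongs to another tenant or is unknown,
            # so the response does not reveal other tenants' record ids.
            raise AccessDenied(f"{principal.user_id}: no record {record_id}")
        authorize(principal, record, action)
        return record


def demo():
    """Run three constructed requests and report the outcome of each."""
    tenant_a = uuid.UUID("11111111-1111-4111-8111-111111111111")  # constructed GUID
    tenant_b = uuid.UUID("22222222-2222-4222-8222-222222222222")  # constructed GUID
    store = RecordStore()
    store.add(Record("deal-1", tenant_a, "tenant A pipeline"))
    store.add(Record("deal-2", tenant_b, "tenant B pipeline"))

    viewer_a = Principal("alice", tenant_a, Role.VIEWER)
    admin_b = Principal("bob", tenant_b, Role.ADMIN)

    results = {"viewer_reads_own": store.fetch(viewer_a, "deal-1").payload}
    for label, principal, rid, action in (
        ("viewer_writes_own", viewer_a, "deal-1", "write"),
        ("admin_cross_tenant", admin_b, "deal-1", "delete"),
    ):
        try:
            store.fetch(principal, rid, action=action)
            results[label] = "allowed"
        except AccessDenied:
            results[label] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

Running the block prints a dictionary showing that the viewer can read its own tenant's record, cannot write it, and that the other tenant's admin is denied a cross-tenant delete. Real deployments would carry the tenant id from the authenticated session rather than from request parameters, which is what makes the tenant check trustworthy.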

Resilient & Secure Architecture

Bagel AI data and services are deployed across geographically distributed availability zones in the United States maintained by an industry-leading service provider (Amazon Web Services & Google Cloud). Scalable infrastructure is used to distribute application load across resources and support high availability. Properly isolated network resources restrict inbound traffic from untrusted zones.

Capacity thresholds are defined to automatically provision additional resources to meet spikes in application demand.

Secure Build

A Software Development Lifecycle (SDLC) policy is documented to guide engineers on appropriate development practices and change control. Code is evaluated for design, functionality, and expected security exposures. Changes to the source code are governed by a standardized change management process. In addition to automated and manual testing, our code is peer-reviewed prior to being deployed to production.

Backups and Disaster Recovery

Daily backups are enabled for all databases, as well as continuous point-in-time backups that allow us to restore data from any point in the past. We follow AWS & GCP best practices in running our platform with high availability and fault tolerance in mind, and we are continuously iterating on this front. We take pride in our technology stack and ensure it’s always improving.

Company

We perform security background checks for all prospective employees prior to making an offer of employment. Our onboarding process also focuses on security and privacy. We require all employees to complete security training. We deploy a company-managed security solution agent to ensure workstation hard drives are encrypted, a password manager is being used and an antivirus solution is installed.

What's next

We believe that it’s not possible to be 100% secure in the current landscape of evolving threats. That’s why we always incorporate a share of security-related improvements into all of our development cycles and try to bring security in as early in the planning process as possible.

If you have any questions or want to discuss further please reach out to [email protected]. We hope you found this article useful!