Updated and Published July 5, 2022
In order to protect the confidentiality, integrity, and availability of both Bluebeam’s internal data and Bluebeam’s customers’ data (“Your Data” as defined in the General Terms and Conditions of Use), Bluebeam has implemented an information security program that includes the following technical, administrative, organizational, and physical controls (the “Security Program”). For more details on Bluebeam’s Security Program and related controls, including a copy of our SOC 2 report, existing customers may contact their account representative or technical support. Potential customers may contact technical support.
Bluebeam utilizes a risk-focused framework to evaluate security maturity and prioritize security initiatives. A Security Steering Committee composed of executive leaders in technical and business functions meets at least quarterly to assess risk and develop remediation plans.
Bluebeam has established a risk assessment framework used to evaluate risks throughout the company on an ongoing basis. The risk management process incorporates management’s risk tolerance and evaluations of new or evolving risks.
Bluebeam’s office locations are monitored by a receptionist during business hours. Doors are locked outside business hours and when a receptionist is not present. Visitors to Bluebeam’s office locations are required to sign in and are provided a temporary identification badge.
Physical keys and card access to areas where critical equipment is located are restricted to authorized individuals. Bluebeam management reviews holders of keys and access cards annually.
Bluebeam leverages Amazon Web Services to host Bluebeam cloud products. AWS provides highly available and secure data centers. Details on AWS’s data center security controls can be found here.
Bluebeam places a high priority on the security of its workforce. All Bluebeam employees are required to undergo background checks as part of the hiring process. Within one month of hire, employees receive training in data security concepts and responsibilities, as well as privacy regulation. This training is updated regularly, and all employees are required to complete it annually.
Bluebeam personnel are required to read and accept Bluebeam’s Code of Conduct and security policies upon their hire and to formally reaffirm them annually thereafter.
In addition to annual security training for all employees, Bluebeam’s security team provides job-specific security training to teams like the People Team and DevOps. Bluebeam’s developers are also required to complete annual training on secure development practices.
Bluebeam’s security team continuously monitors for threats and security incidents across all networks and infrastructure.
In the event that an incident is detected, Bluebeam has established a formal Incident Response Plan, which defines a process for resolving and escalating reported events. Its provisions include assessing the need to inform internal and external users of incidents and to advise them of corrective actions to be taken, as well as a requirement for an incident after-action review. Policies and procedures for operational and incident response management require incidents to be logged and reviewed, with appropriate corrective actions taken where necessary.
Bluebeam has a defined vulnerability management program that includes executive oversight and defined SLAs for remediation or mitigation.
On at least a monthly basis, Bluebeam’s security team performs scans of infrastructure and applications to identify vulnerabilities. Additionally, third party penetration testing is performed on Bluebeam’s applications and infrastructure at least annually. Vulnerabilities identified through these scans are evaluated for impact to the confidentiality, integrity, and availability of Bluebeam’s systems and customer data and prioritized for remediation based on these factors.
Bluebeam leverages highly segregated networks with role-based access control to protect customer data. Networks containing customer data are only accessible to Bluebeam employees whose job function requires access.
Development and test environments are segregated from production, and Bluebeam’s policies restrict the use of confidential or private data in all non-production environments.
At the system level, access rights are granted or modified on a business-need basis depending on the user’s job role. Wherever technically feasible, two-factor authentication is used to access Bluebeam’s system and applications, including on VPNs and other forms of remote access. Bluebeam personnel are assigned unique usernames and are required to use strong passwords for access to Bluebeam’s systems. Shared accounts are not permitted unless a specific use case is documented and approved by security management. Bluebeam performs reviews of privileged and regular user access to production systems on a quarterly basis to ensure access appropriateness.
Bluebeam customer data (“Your Data”) is stored on secure cloud services and is protected and encrypted both in transit and at rest. HTTPS, SSH, SFTP, or other technologies using modern encryption protocols are used to protect data in transit. AES-256 or other appropriate industry-standard algorithms are used to protect data at rest.
Bluebeam’s change management policy and procedures require review and authorization by appropriate business and technical management before system changes are implemented in the production environment. System changes include documentation of authorization, design, implementation, configuration, testing, modification, and approval, commensurate with the risk level. Changes are tested in a separate test environment prior to moving them to the production environment.
The change management process includes identification of changes that require communication to internal or external users. System and organizational changes are communicated to internal and external users as appropriate through Bluebeam’s application.
Bluebeam evaluates the security of vendors and other third parties as part of its vendor selection process and annually thereafter. Third parties storing or processing Bluebeam’s confidential information are required to hold an audited security attestation (e.g. SOC 2 Type II, ISO 27001) or to demonstrate their ability to meet equivalent security controls.
Confidential information is disclosed only to third parties who have agreements with Bluebeam to protect personal information in a manner consistent with the relevant aspects of Bluebeam’s privacy policies or other specific instructions or requirements. Third parties that process customer PII on behalf of Bluebeam are listed in Bluebeam’s Sub-processor list.
At Bluebeam, we consider the security of our systems a top priority, but no matter how much effort we put into system security, there can still be vulnerabilities present. If you discover a vulnerability in any of our products or web applications, we would like to know about it so we can take steps to address it as quickly as possible.
The issues below are not considered in scope for vulnerability disclosure, and we ask that you not report them unless you have identified unusual risk associated with the issue.