OpenBOM Cloud Security Statement

    Effective 16 November 2017

    Overview

At OpenBOM, we take security very seriously so that you and your teams can focus your time and effort on what you do best: manufacturing exceptional products. OpenBOM cloud services are hosted and delivered by Amazon Web Services (AWS). Responsibility is shared: Amazon is responsible for the security of its physical data centers and of the AWS cloud platform itself, while OpenBOM is responsible for monitoring, managing and securing the OpenBOM service that runs on top of AWS. If you have further questions, or if you would like to share your perspective on how we secure the information you entrust to us, please contact us at security@openbom.com.

    Facilities

    AWS manages the data centers that host the OpenBOM service. For more information about security at those data centers, see https://aws.amazon.com/security.

    OpenBOM data is hosted in the United States.

    Certification

Amazon Web Services manages the security of the cloud. AWS has been certified by independent third-party auditors and participates in a range of compliance programs in order to meet applicable laws and regulations. The current list of AWS certifications and compliance statements is published at https://aws.amazon.com/compliance/.

    Data Storage

    All communications with the OpenBOM service are protected with HTTPS using TLS.

    Backups

Your data on the OpenBOM service is available 24 hours a day, seven days a week. Customer data is backed up once per day. Because the backup cadence is daily, a restore from backup could in the worst case lose up to one day of changes; keep this in mind when deciding how often to export critical BOMs yourself.

    People and Access

    Within OpenBOM, only members of our Operations Team have access to the production environment for the purposes of maintaining our cloud services and assisting our customers. Additionally, we monitor all access to the OpenBOM service.

    Customers are responsible for maintaining the security of their own login information.

    Sharing

OpenBOM enables you to grant permissions when you share your Bill of Materials (BOM) documents with other users. These permission levels give you control over the actions a specific user you share with can perform in the shared document:

    1. "Can edit" allows a collaborator to modify data within the document;
    2. "Can view" allows the specified users to read the document but prohibits them from making any modifications; and
    3. "Read only" anonymous sharing gives view-only access to recipients who are not signed-in OpenBOM users.

Communication between OpenBOM's cloud servers and users' web browser clients is always encrypted. However, the permission levels above control what a recipient can do inside OpenBOM, not what they can do with data they have legitimately received. If you share a document with a user who has malicious intent, that user can reproduce the document's data for their own purposes, by manual or automated means, regardless of the permission you assigned. For example, OpenBOM cannot prevent a recipient from taking screenshots, nor can it prevent a recipient from extracting the data that the browser must receive in order to render the document.

As with all important company or personal data, OpenBOM recommends that you exercise caution at all times when sharing and that you limit permission levels to the minimum necessary. In highly sensitive situations where you are concerned about the behavior of the recipients, consider making a copy of the BOM, removing the sensitive data from the copy, and sharing only that reduced copy.

For more on the specifics of sharing in OpenBOM, see the OpenBOM documentation on sharing.

    PCI Security Standards

OpenBOM uses BlueSnap as a third-party payment processing service. Credit card information is encrypted in your browser and sent directly to BlueSnap. Credit card information is never transmitted to OpenBOM servers and is never stored by OpenBOM. BlueSnap is PCI DSS compliant, and because card data never touches OpenBOM infrastructure, OpenBOM's own servers stay outside the cardholder-data environment.

    Communication Security

OpenBOM requires HTTPS for all services, including our public website. We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the cipher suites we support. We use automated tools to test our live servers for susceptibility to new and existing SSL/TLS vulnerabilities.

    Encryption

All communication between our internal servers and the internal databases holding your OpenBOM documents uses TLS 1.2, the current version of TLS at the time of this statement. For communication between your client and our service we disable weak cipher suites and order the stronger ones first, so that a modern browser negotiates a strong suite. Between our internal servers we enable only strong cipher suites. Internal traffic is additionally isolated within OpenBOM's virtual private network on AWS.
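The two preceding sections describe a policy (a TLS 1.2 floor, weak cipher suites blocked, stronger suites preferred, and the live configuration audited with automated tools) without showing what such a check looks like. The script below is an added example written for this page and is not OpenBOM's own tooling; the names `classify`, `hardened_context`, `audit_context` and `probe`, and the `WEAK_MARKERS` list, are this example's own choices. It builds a client-side TLS context that enforces the policy, audits the cipher suites that context would actually offer (flagging suites with broken primitives and suites without forward secrecy), and can optionally connect to a server to report what was negotiated. It relies only on the Python standard library's `ssl` module, so the audit part runs offline.

```python
"""Audit a TLS configuration against a simple policy: TLS 1.2 floor,
no weak cipher suites, forward secrecy required.
Added example for this page; not OpenBOM code."""
import socket
import ssl

# Substrings of OpenSSL cipher-suite names that this example's policy rejects.
# RC4, DES/3DES, MD5 and NULL/EXPORT/anonymous suites are broken or unauthenticated;
# PSK and SRP suites are not appropriate for a public HTTPS service.
# (Assumption: the policy is the example's, not one stated on the page.)
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH", "PSK", "SRP")


def classify(name: str, protocol: str) -> str:
    """Classify one cipher suite from its OpenSSL name and protocol.

    Returns 'weak'   for suites containing a rejected primitive,
            'no-pfs' for suites using static RSA/DH key exchange (no forward secrecy),
            'ok'     for ephemeral-key (ECDHE/DHE) suites and every TLS 1.3 suite.
    """
    upper = name.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        return "weak"
    # TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) always use ephemeral key exchange.
    if protocol == "TLSv1.3" or upper.startswith(("ECDHE-", "DHE-")):
        return "ok"
    return "no-pfs"


def hardened_context() -> ssl.SSLContext:
    """Client context implementing the policy: TLS 1.2 floor, PFS-only AEAD suites."""
    ctx = ssl.create_default_context()  # verifies server certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: ephemeral ECDH/DH key exchange with AEAD ciphers only,
    # plus explicit exclusions for anonymous, null, MD5, RC4 and 3DES suites.
    # TLS 1.3 suites are managed separately by OpenSSL and are all AEAD with PFS.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """List the suites a context would offer that fail the policy, and check the version floor."""
    findings = {"weak": [], "no-pfs": []}
    for suite in ctx.get_ciphers():  # dicts with 'name', 'protocol', ... for each enabled suite
        verdict = classify(suite["name"], suite["protocol"])
        if verdict != "ok":
            findings[verdict].append(suite["name"])
    findings["tls12_floor"] = ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    return findings


def probe(host: str, port: int = 443) -> tuple:
    """Connect with the hardened context and report the negotiated version and suite.

    A server that only offers suites outside the policy will fail the handshake here,
    which is exactly the signal an automated audit wants. Network call; not run offline.
    """
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    import sys

    # Offline: audit what our own client policy would offer.
    print(audit_context(hardened_context()))
    # Online (optional): python this_script.py example.com
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

The audit works on the client's own offered list; pointing `probe` at a server answers the complementary question of what that server will actually negotiate under the policy. A permissive context (for example `ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` with the OpenSSL defaults) will typically produce non-empty `no-pfs` and sometimes `weak` lists, which is what the cipher-string exclusions remove.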

    Disclosure

    We rapidly investigate all reported security issues. If you believe you've discovered a bug in OpenBOM's security, please get in touch with us at security@openbom.com. We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by OpenBOM.

    Privacy

    OpenBOM understands the importance of ensuring the privacy of your personally identifiable information. For more information, please see our Privacy statement.

Because the service runs on AWS, OpenBOM's handling of your data is also subject to the AWS data privacy policies.