Security & Trust
Trust is our foundation. This page outlines our multi-layered security and compliance program, detailing the measures we take to ensure your data is always protected.
At bem, security is not an afterthought; it is a core design principle of our platform and company. We understand that you are entrusting us with your most critical data, and we are committed to upholding that trust through a comprehensive, transparent, and rigorous security program. We'll never stop working to earn your trust. This page outlines our commitment to protecting your data at every layer.
Compliance & Certifications
We adhere to industry-leading standards to ensure our security practices are independently verified and meet the stringent requirements of global enterprises.
- SOC 2 Type II: bem is SOC 2 Type II compliant. Our controls for security, availability, and confidentiality are regularly audited by an independent third party to ensure we meet the highest standards for managing customer data.
- HIPAA: For our healthcare partners, bem is fully HIPAA compliant. We have implemented the required administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI).
Data Encryption
Your data is encrypted at every stage, ensuring it is protected from unauthorized access.
- In Transit: All data transmitted between your applications and bem is encrypted using industry-standard TLS 1.2 or higher. We enforce secure data transmission protocols across all public networks.
- At Rest: All datastores housing sensitive customer data, including production databases and file storage, are encrypted at rest using AES-256 encryption. Access to encryption keys is strictly restricted to authorized personnel with a demonstrated business need.
Infrastructure Security
Our infrastructure is built on world-class cloud providers and hardened against security threats using industry best practices.
- Network Security: We utilize network firewalls, configured to prevent unauthorized access. Access to the production network and firewall configurations is restricted to authorized users on a need-to-know basis.
- Access Control: All remote access to production systems requires multi-factor authentication (MFA) and is restricted to authorized employees via approved, encrypted connections. Privileged access to operating systems and databases is strictly limited and regularly reviewed.
- System Hardening & Monitoring: Our infrastructure is patched as part of routine maintenance and in response to identified vulnerabilities. We utilize infrastructure monitoring and log management tools to identify and alert on events that could impact our security objectives.
Application Security
Security is integrated into every phase of our development lifecycle to ensure our product is secure by design.
- Secure SDLC: We have a formal Systems Development Life Cycle (SDLC) methodology that governs the development, testing, and deployment of our software. All changes are formally documented, tested, reviewed, and approved before being implemented in production.
- Vulnerability Management: We perform host-based vulnerability scans on all external-facing systems at least quarterly. Critical and high vulnerabilities are tracked to remediation according to strict SLAs.
- Penetration Testing: We engage independent third-party security firms to perform penetration tests of our platform at least annually. A remediation plan is developed and implemented to address any findings.
Organizational Security
Our internal security procedures ensure that our team operates with a security-first mindset.
- Access Reviews: We conduct access reviews for all in-scope system components at least quarterly to ensure that access is restricted appropriately.
- Employee Vetting & Training: All employees undergo background checks upon hiring and are required to sign confidentiality agreements. They must complete security awareness training within thirty days of hire and at least annually thereafter.
- Vendor Management: We maintain a formal vendor management program, including a review of critical third-party vendors at least annually, to ensure our partners meet our high security standards.
Privacy & Data Governance
We are committed to being responsible stewards of your data.
- Data Classification & Retention: We have a formal data classification policy to ensure confidential data is properly secured. Data retention and disposal procedures are in place to guide the secure handling of company and customer data.
- Customer Data Deletion: When a customer leaves our service, we purge or remove their data from the application environment in accordance with industry best practices.