Securing your data is our highest priority. We have implemented industry-leading security measures to protect your company’s information.
SOC 2 Type 2 Compliance
We undergo an annual SOC 2 Type 2 audit conducted by AICPA-certified auditors. A summary report is available upon request, and the full report can be provided after signing our mutual non-disclosure agreement (MNDA).
Please note that the MNDA must be signed as-is in order to receive our SOC 2 report.
Infrastructure and Data Protection
Built operates on Amazon Web Services (AWS) within a Virtual Private Cloud (VPC), preventing direct access to data-storing servers.
Data Encryption
In Transit: All data transmitted between AWS servers and your device is encrypted using TLS 1.2+ and 256-bit SSL, ensuring every page view from login to logout happens within a secured session.
At Rest: As data is stored on our AWS servers, it is encrypted using industry-standard AES-256 encryption using AWS RDS DB instances and S3 encryption.
Key Management: Encryption keys are managed via AWS Key Management Service (KMS) and automatically rotated for enhanced security.
Billing and Payments
Most transactions are processed via electronic wire transfer or check for optimal security. Alternative payment methods are processed via Stripe.com, a PCI DSS Level 1 certified payment provider, the most stringent level of certification available in the payments industry.
Organizational Security Controls
All Built team members undergo background checks prior to hire.
Security awareness training is required for each team member within 30 days of hire and annually thereafter.
Device and Access Security:
All company-issued devices are managed under a Mobile Device Management (MDM) system, enforcing automatic security updates and patching to ensure the latest protections.
Multi-Factor Authentication (MFA) is required for all admin and developer accounts.
Strong password policies guard against intrusive access attempts.
Least-privilege access management restricts access to only necessary personnel.
Remote wipe capabilities protect data stored on lost or stolen devices.
All privileged access is revoked immediately upon an individual’s termination.
Secure Development
Built follows a Secure Software Development Lifecycle (SDLC), including secure system design, coding, testing, and end-of-support/end-of-life standards.
Vendor Management
Our formal Vendor Management Program helps identify, monitor, and manage associated security risks by maintaining a vendor inventory, enforcing security and privacy requirements, and conducting annual reviews.
Network Security
Our production environments are protected from external threats using a multi-layered approach, including:
Automated DDoS protection guards against denial-of-service attacks.
Web application firewalls protect against malicious traffic.
DNS security and filtering mitigate DNS-based attacks.
VPC network isolation strictly enforces access control policies.
Threat Detection
We take a proactive approach to threat detection to ensure the security and integrity of our systems, including:
External penetration tests and frequent internal security reviews.
Antivirus and anti-malware protection are enabled on all production systems.
File integrity monitoring is also in place to detect unauthorized changes to critical system files.
End-User Authentication and Account Data
We prioritize secure and flexible end-user authentication to protect customer data and control access at every level.
We support Single Sign-On (SSO) via OpenID Connect and password-based authentication. Strong passwords are enforced, and all passwords are securely hashed and salted.
Configurable, role-based permissions ensure individuals are granted the appropriate level of access, minimizing exposure to sensitive data. Learn more about managing user roles and permissions in Built.
We use a multi-tenant architecture with logical separation to ensure no cross-customer data access is possible.
Upon contract termination, we securely delete customer data as specified in our data retention and deletion policy.
Disaster Recovery, Resiliency, and Data Availability
Our formally documented Business Continuity and Disaster Recovery Plan outlines procedures for ensuring service continuity in the event of disruptions. Our multi-region cloud architecture with auto-failover, redundant instances, and load balancing provides high availability and resilience against data center failures. Point-in-Time Recovery enables precise data restoration, while regular BC/DR testing validates our recovery strategies to meet Recovery Time and Recovery Point Objectives.
If you have any additional questions or need assistance, please contact our Customer Success Team.