Security at Beam
Protecting the entire ecosystem with industry best practices for security
At Beam, security is the absolute highest priority, and we employ many techniques to ensure that our customers’ data is safe and secure. Here are some of the security measures we take to protect and defend the Beam ecosystem.
SOC 2® Type 2 certification
The American Institute of Certified Public Accountants (AICPA) and Service Organization Controls (SOC) reports give assurance over control environments as they relate to the storage, retrieval, processing, and transfer of data. Beam is SOC 2 Type 2 certified by an independent auditor and can provide a copy of the SOC 2 report upon request.
AWS security practices
Beam uses Amazon Web Services (AWS) for all its data storage and product deployment. Beam personnel have no physical access to AWS facilities. Amazon Web Services undergoes recurring assessments to ensure compliance with industry standards and continually manages risk. By using AWS as a data center operations provider, Beam’s data center operations are accredited by:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
You can learn more about AWS security here. You can read about the security practices for the AWS data centers here.
Web application firewall
All Beam site traffic is proxied through Amazon Web Services (AWS) to provide:
- Protection from distributed denial of service (DDoS) attacks
- Blocking of suspicious activity
- Protection from SQL injection and cross-site scripting
- Possibility of quickly blocking IPs or entire countries
Encrypting data in transit
All HTTP traffic to Beam runs over an SSL-encrypted connection.
Encrypting data at rest in databases
Beam’s backend persists data in various AWS-hosted SQL and NoSQL databases. All data at rest and the associated keys are encrypted using the industry-standard AES-256 algorithm. A subset of data is decrypted only after an authorized user has been granted access to it. For further details on encryption at rest, see the AWS encryption procedures.
Encrypting data at rest in files
Static files, such as images and other documents, are persisted using Amazon S3 storage. All static files are encrypted before they’re stored, so they are encrypted while at rest.
Password policy and storage
During account creation and password updates, Beam requires a strong password that has 8 characters or more, contains numbers, and contains lowercase and uppercase letters. By leveraging Amazon Cognito, we do not need to store user passwords.
If a user incorrectly enters an account password on multiple attempts, the account will be temporarily locked to prevent brute-force attacks. To further protect account access, two-factor authentication is available to all Beam users and can be enabled via the user account security settings.
Following an email change, password change, or similar sensitive user account changes, the user is always notified so they can quickly respond if the activity is fraudulent.
Request throttling and tracking
Beam’s APIs are protected by WSO2 API Manager, which lets us configure request throttling and tracking based on predefined security limits for each request.
We require all employees to use strong, unique passwords for Beam accounts and to set up two-factor authentication with each device and service where available. All Beam employees are required to use recognized password managers like LastPass or 1Password to generate and store strong passwords. They are also required to encrypt local hard drives and enable screen locking for device security. All access to application admin functionalities is restricted to a subset of Beam staff and is restricted by IP and other security measures. We actively practice the Principle of Least Privilege.
Monitoring and notifications
Beam uses several services to automatically monitor uptime and site availability. Key employees receive automatic email and text notifications in case of downtime or emergencies. We use several independent services for logging and round-the-clock notification.
Since our inception, we’ve invited all Beam customers and anyone on the Internet to notify us at email@example.com of any issues they might find in our application to further strengthen and secure our platform. All vulnerability report submissions are read within hours of receipt, and we aim to respond to all submissions within 48 hours.
In the event of a security breach, we have established response procedures, including disabling access to the web application, mass password resets, and certificate rotation. If our platform is maliciously attacked, we will communicate this information to all of our users as quickly and openly as possible.
General Data Protection Regulation (GDPR)
We provide a data processing agreement for each of our customers to attest that we are handling their customers’ data in compliance with GDPR, and we get a data processing agreement from each of our partners to ensure that any data we share for further processing (such as checking your customers against watchlists) is kept safe in a fully compliant manner as well.
As a data processor, Beam will comply with requests from our customers to delete data from their EU customers in a manner that complies with GDPR and meets legal obligations for data retention.
California Consumer Privacy Act (CCPA)
As with GDPR, Beam will comply with requests from our customers to delete data from their California customers in a manner that complies with CCPA and meets legal obligations for data retention.
Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications
In its interpretation of NYCRR 504, the Department of Financial Services defines the required attributes of a Transaction Monitoring and Filtering Program that must be confirmed annually by the Board of Directors or Senior Officer(s) as applicable. Beam is fully compliant with all sections of the 504 requirements. To request a document describing Beam’s 504 compliance, please contact us at firstname.lastname@example.org.