Security Policy

Introduction

Birdie is a data-first company and has data at its heart. Our top priority since day one has been to keep the data our customers trust us with safe and secure. While we can’t go into all the nitty-gritty details, we firmly believe in keeping our customers well-informed about the broad measures we undertake to ensure the protection of their data. If you have any specific security concerns, feel free to reach out to us at [email protected] or via our Anonymous whistleblower channel.

This document is intended to complement our Terms and Privacy Policy.

Data Center Security

  • All Birdie servers and data are hosted on infrastructure provided by leading cloud providers, including Amazon Web Services and Google Cloud Platform.
  • We therefore benefit from the significant investment these companies make in security.
  • All data is always stored exclusively within the USA.
  • We have multiple levels of backup processes to minimize data loss in case of an attack or system failure.
  • All backups are encrypted and stored in secure cloud locations within the USA.
  • All traffic to and from our data servers is conducted over HTTPS and is thus encrypted in transit.


Application Level Security

  • Birdie account passwords are hashed; even our own staff cannot view them. If you lose your password, it cannot be retrieved and must be reset.
  • All login pages (on our website and mobile website) pass data over TLS.
  • The entire Birdie application is served over TLS.
  • We use Auth0 for login and session management and thus benefit from its extensive security measures.
  • We perform regular penetration tests with different vendors. The tests involve high-level server penetration tests, in-depth testing for vulnerabilities inside the application, and social engineering drills.
  • We minimize and, whenever possible, anonymize the personally identifiable data collected about our customers’ users, using PII Detection for clients who have it enabled.
  • PII Detection runs in Birdie’s cloud infrastructure, so no data is shared with additional external providers. The patterns to be detected can be customized, covering PII (Personally Identifiable Information), PHI (Protected Health Information) and PCI (Payment Card Industry) data, and detected sensitive data is replaced with placeholders.
  • The Birdie system can fully function without any personally identifiable data being passed to our systems, and we highly recommend using internal IDs instead of personal data; however, some customers may choose to send personal data.
  • Where possible, we rely on well-established open-source software to avoid any potential for malware.


Internal IT Security

  • We require team members to use secure passwords for all third-party software they use. In addition, we enable two-factor authentication on every system that offers it.
  • We also protect every computer in use within Birdie with a secure password and additional security measures where possible.
  • We mandate full-disk encryption and up-to-date anti-virus and firewall software on every computer the Birdie team uses to access client data.
  • Every employee undergoes security training to understand the importance of protecting customer data.