Blueshift: Privacy, Security & Compliance
Blueshift's response to Questions on Privacy, Security & Compliance in the RFP Guide
Overview: Blueshift's application is built for enterprise customers with strong security and privacy needs around Personally Identifiable Information (PII). We comply with regulations for GDPR, CCPA & HIPAA.
Blueshift takes security, data integrity, and privacy seriously. We achieve this by following a philosophy of “security by design”:
-
Architecting the application & network from the ground up with security in mind
-
Ensuring compliance with customer data & privacy laws
-
Mandating regular employee training with adequate processes & controls for checks & balances
-
Holding ourselves accountable with regular 3rd party audits & testing
Blueshift's Responses to Questions on Privacy, Security & Compliance
Privacy & Compliance
1. Describe how your solution supports customer data privacy preferences and adheres to privacy compliance regulations (e.g., CCPA, GDPR, HIPAA).
Security and trust are at the core of our values, and therefore, we provide multiple capabilities, safeguards, and processes to ensure the security and privacy of our customers’ data. Blueshift undergoes an annual security audit as part of our SOC2 compliance. In addition, we have customers in the financial industry who have performed stringent due diligence on our platform and leverage Blueshift for their critical customer transactional and marketing messaging.
From a data privacy standpoint, Blueshift participates in the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework administered by the U.S. Department of Commerce. Blueshift’s privacy policy is outlined at: blueshift.com/privacy_policy/.
We also have a data center in the EU to ensure EU customers' data never leaves the EU region. Blueshift's global regions data center is outlined at: help.blueshift.com/hc/en-us/articles/4404624313235-Blueshift-global-regions
We are SOC2 Type 2 compliant and also compliant with both CCPA and GDPR compliance help.blueshift.com/hc/en-us/articles/360003291413-GDPR-Compliance.
We are HIPAA compliant and independently audited to ensure that we have implemented the necessary controls to comply with the HIPAA Security, Privacy, and Breach Notification Rules.
2. Describe how your solution manages Personally Identifiable Information (PII) such as name, address, email, and phone number in ways that comply with privacy and security regulations in the regions where it is deployed.
Blueshift stores all PII data in a compliant manner and performs regular penetration testing by a 3rd party security firm as part of our SOC2 compliance. Only user data that will be used for driving marketing programs and strategy is imported into the Blueshift platform. Sensitive PII data (i.e., SSN, credit card number, etc.) should not be sent to Blueshift.
We are SOC2 Type 2 compliant and also compliant with both CCPA and GDPR compliance help.blueshift.com/hc/en-us/articles/360003291413-GDPR-Compliance.
Blueshift’s privacy security team, led by our Chief Security Officer, includes a dedicated director for security operations and a supporting staff of security engineers who are responsible for responding and addressing customer questions regarding privacy and security and staying ahead of the most recent privacy and security regulations to insure that we are always up-to-speed and compliant with the latest local regulations and compliancy requirements.
3. Describe your solution's functions to store and enforce customer consent for data usage to comply with privacy regulations.
Blueshift is compliant with both CCPA and GDPR and offers various features to comply and enforce user consent for data usage to comply with these privacy regulations, including the ability to ensure the deletion and automatic suppression of customer data per a customer's request. More specifically, you can use our API endpoint for deleting user data and for automatic suppression. Calling this endpoint for a user will ensure that all personal data related to the user is deleted from the index of user data that Blueshift stores for our customers. Any future data related to the user will also be suppressed. As a result, the data cannot be used in any manner for any marketing communications within the Blueshift platform.
Additional details on this API endpoint can be found at developer.blueshift.com/reference/post_api-v1-customers-forget
Security
4. How is customer data stored and protected?
Blueshift stores data in our Virtual Private Cloud (VPC) on AWS. This provides network level isolation, so data cannot be sniffed or tapped between other AWS clients. Blueshift also maintains data isolation between different customers’ data at multiple levels as defined below so that each Blueshift account will be isolated and siloed from each other to ensure data privacy.
- Indexed user data is maintained in a separate index data store per client
- Data at rest in S3 is maintained in separate folders with appropriate access controls
5. Does your solution provide user-level and role-based access controls as well as custom user management to determine what data is available to which user?
Yes, Blueshift offers several pre-built roles that each user can be assigned that limit their permissions within the platform. Administrators all have the ability to create custom roles with specific permissions to meet specific user permissioning requirements, if default roles are insufficient.
Additional information can be found in Blueshift's documentation at help.blueshift.com under the topic: Users & User Roles
6. Does your solution undergo stringent security audits? Can you provide certifications (e.g., SOC2)?
Yes, Blueshift undergoes an annual security audit as part of our SOC2 Type 2 compliance. In addition, we have customers in the financial industry that have performed stringent due diligence on our platform and leverage Blueshift for their critical customer transactional and marketing messaging. Blueshift also undergoes regular penetration testing by a 3rd party security firm.
Blueshift’s underlying architecture (AWS) maintains security audits for the hardware, facilities, security, etc.
7. Does your solution encrypt data in transit and at rest?
Yes, Blueshift supports encryption in transit and encryption at rest. More specifically, all customer data is stored in a virtual private cloud that is accessed over an encrypted VPN with 2FA. Access to the VPN is protected through multi-factor authentication. Archived data is encrypted at rest using AES256.
8. Does your solution maintain audit trails for interactions with the system?
Yes, Blueshift offers a robust audit trail feature for Administrators that captures and tracks interactions for each user within the Blueshift platform.
9. Does your solution support Single-Sign On?
Yes, Blueshift supports SAML 2.0 federated single sign-on. Additional information can be found in Blueshift's documentation at help.blueshift.com under the topic: SAML SSO configuration in Blueshift
Updated 5 days ago