Overview

Backflipt Security

Backflipt is dedicated to delivering a highly secure and reliable integration and business automation service. Our security posture ensures the confidentiality of customer information and guarantees its availability whenever needed. At Backflipt, we leverage proven, tested, and best-in-class security tools, technologies, policies, and procedures.

Compliance

SOC 2 Type 2

The Service Organization Controls 2 (SOC 2) Type 2 audit is conducted by a third-party evaluator certified by the American Institute of CPAs (AICPA). This audit evaluates the effectiveness of a service organization's controls based on the AICPA's Trust Services Principles, focusing on security, availability, processing integrity, privacy, and confidentiality.


Network Security

The Backflipt website is accessible exclusively over HTTPS, ensuring that all traffic is encrypted and protected from interception by unauthorized third parties. Backflipt adheres to current best practices for security, including the use of robust encryption algorithms.

To communicate with third-party systems, Backflipt employs secure protocols, primarily HTTPS, with support for others like SFTP and FTPS. For on-premises systems, access requires the installation of an on-premises agent behind the firewall. This agent communicates with Backflipt over an encrypted link using TLS 1.2.

Backflipt's multi-tier architecture separates internal application systems from the public internet. Public traffic to the website passes through a Web Application Firewall (WAF) before being routed to internal systems on private subnets. Both internal and external network traffic use secure, encrypted protocols. All network access—within the data center and between the data center and external services—is restricted by firewalls and routing rules. Additionally, all network activity is logged in a centralized, secure logging system.

Data Security

Data in Transit

All data in transit is encrypted and secured using Secure Sockets Layer (SSL). Backflipt exchanges information exclusively with services authorized by its users.

Workflow Data

When business automation is executed, data from applications is processed through various steps within the flow. This data is deleted upon completion of the flow execution. However, for debugging purposes, both the data and execution logs can be retained for up to 30 days.

Authentication Data

Users authenticate with these applications to enable business automation to process data on their behalf. The authentication information includes OAuth access tokens, API keys, or credentials. This data is encrypted using 256-bit encryption and securely stored. It is deleted when the user revokes authentication for an application.

Personal Account Information

Any personal details, such as usernames and email addresses required to create an account, are stored as long as the user account remains active. The tenant administrator has full control over user account management, including adding and deleting users. At any time, a tenant administrator can request the deletion of all user records, and this data will be permanently removed from our systems.

Data at Rest

Data at rest is stored in an encrypted format using AES-256-bit encryption. The Backflipt Security Management software handles decryption requests exclusively from the Backflipt service.

We take all necessary precautions to protect your personal information and data.

We do not sell your data.

We will never email your contacts or post to social networks without your explicit permission.

Account Login

User account passwords are stored securely using robust hashing and salting techniques.

Users can optionally enable Two-Factor Authentication (2FA) with an authenticator app, such as Google Authenticator or Microsoft Authenticator.

Backflipt supports integration with third-party SAML-compliant SSO systems, enabling enterprises to manage access to Backflipt and other applications while applying custom authentication schemes and policies.

Single Sign-On (SSO) is also supported using third-party credentials, including Google and Microsoft Office 365.

Backflipt enforces automatic session logout after a set period. Enterprises can configure the timeout duration to align with their security requirements.

When business automation connects to remote systems using user-supplied credentials, it does so via OAuth2, eliminating the need to store credentials in the Backflipt system. If a remote system requires credential storage, the credentials are encrypted using a 256-bit key.

Data Privacy

Backflipt has a public privacy policy that outlines the types of personal information collected, how it is handled, and the privacy rights of our customers.

Hosting Environment

Backflipt utilizes AWS infrastructure hosted in the USA. Both Amazon and Google uphold high security standards for their data centers. For more information about the security measures implemented by Amazon to secure their infrastructure, please visit the AWS Security Page.

Application Development and Testing

Backflipt follows a comprehensive software development lifecycle process that integrates security and privacy considerations. The process includes design and code reviews, as well as unit and integration testing.

Development staff receive regular training on secure coding practices from qualified third-party experts. Additionally, regular internal vulnerability scans are conducted, and an annual penetration test of the website is performed by a qualified third party.

Incident Response

Backflipt has implemented a range of security and monitoring tools for its production systems. These tools continuously monitor the security status of the systems, with automated alerts configured for security and performance issues. Although a breach of our systems is not anticipated, Backflipt has established a Security Incident Response Plan outlining roles, responsibilities, and procedures to address any actual or suspected security incidents.

High Availability

Backflipt has established a comprehensive Business Continuity and Disaster Recovery program that includes contingency planning for natural disasters and other potential disruptions. IT measures to ensure high availability include running services across multiple redundant cloud Availability Zones and replicating the application database to a standby system.

The current system status and recent uptime statistics are always accessible at status.backflipt.com.

Our Organization

All employees undergo background checks that include education, employment, and criminal history verification. Employment at Backflipt requires employees to provide written acknowledgment of their roles and responsibilities regarding user data protection and privacy.

Backflipt enforces a mandatory information security training program for all employees and employs knowledgeable full-time security personnel.