Security at Bowtruss
Bowtruss LLC · Effective Date: June 3, 2026
Construction projects involve sensitive data — contracts, financials, plans, and personally identifiable information about teams and clients. Bowtruss is built to protect that data with defense-in-depth practices across our infrastructure, application, and operations. This page describes how we approach security and the controls we have in place.
Our Approach to Security
Security is a continuous practice, not a one-time project. We design systems with the principle of least privilege, default to encryption, isolate sensitive data, and treat security as a shared responsibility across engineering, product, and operations. Every change to production is reviewed, tested, and traceable.
Data Encryption
- In transit: all traffic between you and Bowtruss is encrypted using TLS 1.2 or higher. HTTPS is enforced, and plain HTTP requests are redirected to HTTPS.
- At rest: customer data and backups are encrypted at rest using industry-standard AES-256 encryption provided by our cloud infrastructure.
- Secrets: credentials, API keys, and other secrets are stored in a managed secrets vault and never committed to source control.
Infrastructure and Hosting
Bowtruss is hosted on reputable cloud platforms that maintain industry-standard security certifications (including SOC 2 and ISO 27001) for their underlying infrastructure. Production workloads run in segregated environments with network isolation, restricted ingress, and audit-logged administrative access.
Access Controls
- Customer passwords are stored only in hashed form, and we encourage the use of strong, unique credentials.
- Role-based access controls (RBAC) within the product restrict what each user can see and do.
- Internal access to production systems is limited to authorized personnel, requires multi-factor authentication, and is logged.
- Access is reviewed periodically and revoked promptly when no longer needed.
Application Security
We follow secure development practices across the lifecycle:
- Code changes are peer-reviewed before they reach production.
- Automated dependency scanning flags known vulnerabilities in third-party packages.
- Input validation, output encoding, and parameterized queries protect against common web vulnerabilities (OWASP Top 10).
- Authentication and session handling follow established best practices.
Monitoring and Incident Response
Production systems are continuously monitored for availability and anomalous activity. If we detect or are made aware of a security incident, we follow a documented response process to investigate, contain, remediate, and communicate. We notify affected customers without undue delay in accordance with applicable laws and contractual commitments.
Backup and Resilience
Customer data is backed up regularly, encrypted, and stored with redundancy. Backups are tested so we can restore service in the event of a failure. Recovery objectives are defined and reviewed as we grow.
Compliance and Standards
We design our security program around widely accepted frameworks, including the OWASP Top 10, the NIST Cybersecurity Framework, and the trust principles outlined in SOC 2. As we scale, we will pursue formal third-party audits and certifications that reflect our customers' needs.
Responsible Disclosure
We welcome reports from security researchers and the broader community. If you believe you have found a security vulnerability in Bowtruss, please report it to us so we can investigate and address it. We ask that you:
- Give us reasonable time to investigate and remediate before any public disclosure.
- Avoid accessing, modifying, or destroying customer data.
- Avoid degrading the service for other users (no denial of service, social engineering, or physical attacks).
- Provide enough detail for us to reproduce the issue.
We will acknowledge receipt, keep you informed of our progress, and credit reporters who help us improve the security of the platform (where they wish to be credited).
Contact
For security reports or questions about this page, please contact us: