Security at BIMWorkplace

Infrastructure

• Hosting: certified cloud providers operating ISO/IEC 27001, SOC 2 Type II and equivalent compliant data centers, with EEA region as default.
• Encryption in transit: all traffic uses TLS 1.2 or higher with modern cipher suites; HSTS enforced on web endpoints.
• Encryption at rest: customer data, backups, and snapshots are encrypted with AES-256.
• Network isolation: private networking, security groups, and least-privilege egress rules between tiers.

Access Control

• Authentication: per-user accounts with strong password policy and support for SSO via OAuth/SAML on enterprise plans.
• MFA: multi-factor authentication available for all users; enforced for administrative roles.
• RBAC: granular role-based access control at organization, project, and workplace level.
• Least privilege: internal access to production is limited to a small, audited group of engineers and gated by MFA + approval.

Data Protection

• Tenant isolation: customer data is logically isolated per organization and per project.
• Backups: automated, encrypted backups with defined RPO and RTO; periodic restore drills.
• Retention & deletion: data is retained per the Subscription Agreement; secure deletion follows account closure within the contractual window.

Compliance

• GDPR-aligned processing; LGPD where applicable.
• Data Processing Agreements available on request, including Standard Contractual Clauses (SCCs) for international transfers.
• Vendor program: subprocessors are reviewed for security and data protection before onboarding.
• ISO/IEC 27001 certification on roadmap.

Application Security

• Secure SDLC: code review on every change, automated testing, and CI/CD with required checks before deployment.
• Dependency management: automated vulnerability scanning of dependencies and container images.
• Secrets management: credentials and keys stored in dedicated secret stores, never in source control.
• Penetration testing: independent third-party tests performed on a recurring basis; findings tracked to remediation.
• Vulnerability disclosure: responsible disclosure encouraged at security@bimworkplace.com.

Monitoring & Incident Response

• Centralized logging and monitoring across application, infrastructure, and identity.
• 24/7 alerting for security and availability events.
• Documented incident response runbooks with defined severity levels and communication paths.
• Customer notification of confirmed personal data breaches without undue delay and within 72 hours, as required by GDPR.

Business Continuity

• Multi-AZ architecture for core services with automated failover where applicable.
• Documented disaster recovery plan, periodically tested.
• 99.9% monthly uptime target as defined in the Subscription Agreement.

Customer Responsibilities

• Use strong, unique passwords and enable MFA.
• Manage user provisioning, roles, and offboarding promptly.
• Avoid uploading data prohibited by the Acceptable Use Policy.
• Report suspected security issues to BIMWorkplace immediately.

Contact

Security questions, vulnerability reports, or DPA requests: security@bimworkplace.com