Security at Bloomreach

Ensure stability by enabling your team to create, send, test, and analyze campaigns, all within the same user-friendly platform.

Think Outside the Search Box

On our platform, we protect your and your customers’ information, identities, applications, and devices by adopting a security-at-design approach. We encrypt data at rest and in transit between our facilities, ensuring that it can only be accessed by users with authorized roles. Customer data is your data, not Bloomreach’s.

We emphasize transparency, regulatory compliance, and privacy-by-design in our data privacy approach. Bloomreach embeds privacy protections directly in its products and processes, supporting global requirements like GDPR, CCPA/CPRA, and other regional laws.

Internal governance is reinforced by a dedicated Data Protection Officer (DPO) who oversees privacy compliance, while technical and organizational safeguards help protect personal data.

Bloomreach maintains a portfolio of third‑party security and compliance certifications, including an annual SOC 2 Type II report, GDPR compliance certification, and several ISO accreditations, such as ISO/IEC 27001, 27017, 27018, 9001, and 22301. Bloomreach also undergoes annual pentests for each product pillar performed by a third party.

These reports and pentests validate the effectiveness of our security, privacy, and availability controls. Our certifications underscore Bloomreach’s ongoing commitment to achieving the highest industry standards and regulatory requirements.

To review the latest reports and pentests, please visit our Trust Portal and request access.

We create a strong security culture here at Bloomreach, as each and every employee is an essential part of our defense against potential breaches.

This culture is present at all stages, including the hiring process, employee on‑boarding and ongoing training, and company events. All new employees are required to agree to our NDA and go through mandatory training. This shows our commitment to keeping the data of our customers secure.

The developers in the IT segment receive instructions on topics like best coding and development practices, the principle of least privilege when granting access rights, etc. The IT department also attends technical presentations on security‑related topics, and receives regular updates on the newest issues from the Cybersecurity space in our security channel.

Security Management

Endpoint Security

We ensure all of our endpoint devices are protected according to our Endpoint Security Policy. This includes disk encryption, malware protection, guest access disabled, firewall, and regularly updated operating systems. In addition, we perform regular checks to make sure that we maintain this high level of security.

Vulnerability Management

Bloomreach has a vulnerability management policy that includes processes such as regular web scans and scans for potential threats. Once a vulnerability requiring our attention has been identified, it is tracked and assigned for resolution.

Quality Assurance

It is vital for us to properly test all new features before implementing them so that we make sure no unexpected vulnerabilities are introduced to the application. The QA team guarantees that all new additions to our application are bug‑free prior to release. They also test private instances for our fresh clients just before they get into the hands of our Client Services team.

Monitoring

Our security monitoring is performed on information collected from internal network traffic and the knowledge of our vulnerabilities. Internal traffic is checked for any suspicious behavior. Network analysis and examination of system logs in order to identify unusual behavior are a vital part of monitoring. We place search alerts on public data repositories to look for security incidents and analyze system logs.

Incident Management

Bloomreach has well‑defined incident management processes for security events that may affect the confidentiality, integrity, or availability of our clients’ resources or data. If an incident occurs, the security team identifies it, reports it, assigns it, and gives it a resolution priority based on its urgency. Events that directly impact our customers are always assigned the highest priority and shortest resolution time. This process involves plans of action, procedures for identification, escalation, mitigation, and reporting.

Reassurance

To ensure our Security Management is transparent and the details are shared with those who need to see it the most, we also hold a SOC 2 Report. This report can be provided on request under an NDA and gives an overview of Bloomreach’s technical and organizational security measures.

WHITEPAPER

Bloomreach Engagement Security Whitepaper

Protecting Our Clients' Data

Data Encryption

Whenever we store data in the cloud, there are several layers of encryption. By default, data is encrypted both at rest and in transit. Additional security controls are implemented depending on the requirements of our customers.

Without any further implementations, our cloud providers encrypt and authenticate all data in transit at one or more network layers when data moves outside physical boundaries not controlled by or on behalf of the cloud provider. Google and Amazon use the Advanced Encryption Standard (AES) algorithm to encrypt data at rest. Transport Layer Security (TLS) is used to encrypt data in transit for transport security.

GDPR Compliant

Bloomreach supports our customers in finding the best ways to be compliant with the GDPR. The engagement pillar works in such a way that the clients have complete control of consent management (they set a purpose for processing) and data subject rights management (they can download all customer data, anonymize a customer, or delete a customer).

Bloomreach has access management that enables users to select specific data types as PII and then set or revoke permission to see PII per user. For every event, it is possible to manage its retention and set its expiration separately. In addition, the data API enables clients to integrate their systems for fast execution of data subject requests.
