Security and Compliance

Last updated February 02, 2022

Bevy cares deeply about availability, integrity and confidentiality of our customers' information. This page provides an overview of some of the security practices put in place at Bevy.

Please reach out to for further information.


All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers.

Our service is built on Google Cloud Platform (GCP). They provide strong security measures to protect our infrastructure and are compliant with all relevant certifications. You can read more about their practices here.

Data Encryption

Encryption in transit

All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS). Our SSL Labs Report is available here.

Encryption at rest

All database data is encrypted at rest. User passwords are further encrypted and salted within the database. Different methods of Single Sign-On (SSO) are also supported.

Data Retention

Client data is retained according to client-specific data retention policies.

Risk Management

We have put in place a comprehensive, pragmatic approach to risk identification, analysis and treatment as well as ongoing monitoring and review.

Business Continuity and Disaster Recovery

We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted. Data storage is set up for high-availability; web servers are configurable for redundancy and traffic-appropriate scalability.


Proper supplier management is an important part of security management strategy. We choose our vendors deliberately and require appropriate security due diligence. As such, vendors are part of our overall risk management process, vendor risk assessments occur at minimum prior to vendor selection, upon relevant changes (such as our own requirements or noteworthy changes in their security posture) or annually.

Secure Development

We develop our platform using best practices from security industry frameworks (such as OWASP).

  • Extensive, automated test coverage
  • Static checks for vulnerabilities and insecure coding
  • Required reviews of all proposed code changes, enforced via technical controls
  • Segregation of environments
  • Security reviews


ISO/IEC 27001:2013

Bevy’s Information Security Management System (ISMS) conforms with ISO/IEC 27001:2013. Compliance is certified via independent auditing. Please view our ISO 27001 certificate.


We are happy to share our most recent SOC 2 Type 2 report with clients and prospective clients who are under mutual NDA. If you are interested, please reach out to


Bevy recognizes the importance of privacy and is fully committed to complying with the requirements of privacy and data protection laws. We have developed internal policies and built our products to address these requirements and protect the privacy and confidentiality of our customers' information. You can read more about our GDPR compliance here.


Bevy operates on a foundation of strong ethical values. As such, we've developed a Whistleblower & Non-retaliation, Non-retribution or Non-intimidation Policy to enable employees, board members, and volunteers (hereinafter affected parties) to report any concerns they may have with regards to accounting matters, conflict of interest issues, disclosure of confidential information, falsification of contracts, reports or records or other serious issues and concerns regarding the operations of Bevy. These reports may be made anonymously and without fear of retaliation at our Anonymous Hotline.

No one, who in good faith reports a violation of the Code of Conduct, shall suffer harassment, retaliation or adverse employment consequences. Any employee who retaliates against someone who has reported a violation in good faith is subject to discipline, up to and including termination of employment. The Whistleblower Policy is intended to encourage and enable employees and others to raise serious concerns within the organization and find an appropriate resolution.

Further Information

Please reach out to with further questions and/or feedback.

Last updated on February 2, 2022