We are an ISO/IEC 27001 certified company.
We have been certified to ISO/IEC 27001:2022.
Access Control
Access control is one of the mechanisms used to physically and logically protect the IT environment and assets. Access to information, equipment, documents and secure areas is properly controlled so that only authorized persons have access.
Awareness / Training
All employees participate in information security training and awareness programs on a regular basis, from onboarding and throughout the employee lifecycle at Blip. The Information Security team provides additional security awareness updates via posts on internal communication channels and in presentations during internal events.
Information Security Incident Management
Blip has rules and procedures on incident management and response, which contain the guidelines and procedures to be adopted in the event of Information and Cyber Security incidents.
These guidelines must be known to the employees, suppliers and third parties involved, so that they can report incidents as they occur and the incidents can be dealt with in a timely manner.
Business Continuity Management
Blip has established procedures for the recovery of critical services and processes in order to ensure that its activities considered essential continue to be carried out and that critical services remain available in crisis situations or unplanned outages.
Policies and Standards
Blip has developed a set of security policies and standards that are shared and made available to all employees and contractors with access to the Organization’s information assets.
Data Security
We protect data using a set of technical, physical and administrative security measures designed to prevent unauthorized access and processing of our systems and data, with access controls based on the principle of least privilege. All our employees are trained to handle data appropriately, in accordance with the guidelines of the Information Security Policy.
Supplier Security
Blip minimizes the risks associated with suppliers by carrying out analyses during the contracting process. Suppliers considered critical (those who access our systems or data) are re-evaluated annually.
PUBLIC INFORMATION SECURITY REPORT
Security in the SDLC
- Static Code Analysis (SAST)
The SDLC pipeline is evaluated by a SAST (Static Application Security Testing) solution to identify any vulnerabilities in the product’s source code and configuration files.
- SCA Analysis – Software Composition Analysis
Checks for vulnerabilities in software components, frameworks and libraries.
- Pull Request Analysis and Approval
When development teams finish coding, whether new implementations or fixes for software defects, they commit the code and open pull requests, which are reviewed by competent parties before being merged.
- Source code storage
Source code is stored in a private repository with controlled access.
- Segregation of environments
The development, homologation (staging) and production environments are separated, each with its own access permissions. The production environment follows the principle of least privilege.
- Encryption of data in transit
Data in transit across the platform is protected with TLS 1.2 by default (with weak cipher suites disabled) or TLS 1.3, including communication with Database Management Systems.
- Secrets management
Sensitive application information, such as API keys and database passwords, is stored in a password vault with activity logs and controlled access.
- File exchange on BLiP
Media transferred through BLiP is subjected to anti-malware analysis both before and after storage. Certain potentially malicious file types, such as executables and libraries, are also blocked.
- Pentest execution
Blip periodically hires a third-party company to carry out an independent Pentest on the BLiP product. Where applicable, and after a Non-Disclosure Agreement (NDA) has been signed between the parties, Blip provides customers and other interested and competent parties with a Letter of Evidence issued as proof that the security assessments (vulnerability analysis and Pentest) were performed. The details of the Pentest are not disclosed, as this information is classified as Confidential.
Cloud Security
- Minimum privilege
Access to the cloud environment requires at least two-factor authentication (2FA) by default. The production environment has restricted access: only authorized personnel access data and assets, following the principles of least privilege and need to know. Audit data, such as access logs, remains restricted to the competent parties.
- Records of Actions and Activities
Records are kept of actions and activities in the production environment, such as modifying settings and creating or deleting assets, to enable audits and investigations whenever necessary.
- Monitoring
Actions are monitored via a dashboard on which the environment’s compliance with the security policies in force is inspected. Policies are enforced automatically wherever possible.
- Security certifications
The environments of the cloud computing service providers used by Blip meet the strictest security requirements, which are audited and certified by external and third-party entities.
Data Security
- Encryption
Data stored in relational databases is encrypted at rest, and all communication with those databases is encrypted in transit.
- Access and change logs
Access and change logs are kept for all production relational databases so that they are available for auditing whenever necessary.
- Backups
Backups of production relational databases are carried out at defined intervals and audited.
- Data location
The databases and media files are stored in the cloud in data centers located in Brazil.
Workstation security
- Antivirus
All computers supplied to Blip employees have an advanced antimalware and EDR solution.
- Use of software
Blip employees are not permitted to use software without prior authorization from the relevant parties.
WhatsApp Channel
- BLiP and WhatsApp communication
Each WhatsApp number represents a container in the BLiP infrastructure. Each of these containers has its own encryption, just like a cell phone with an activated number. Blip therefore has no access to any text or media content stored in each active container on the WhatsApp channel.
Networking
- Firewalls
The cloud operation networks in Blip’s environment have firewalls at the edge that block traffic posing a risk to the platform.
- IP reputation
IP reputation analysis is carried out on each request received by the platform, so that requests originating from IP addresses with a poor reputation can be blocked.
- Network segregation
The production, homologation (staging) and testing networks are segregated and do not communicate with each other.
Initiatives by-design
- Security by design
During the phases of the SDLC (Software Development Life Cycle), the Information Security team participates as consultants, seeking to align the SDLC with security frameworks and standards such as OWASP.
- Privacy by design
During the development phase of products, systems or services, the Data Privacy team assesses the risks that the activities may pose to data subjects and the measures to be adopted to guarantee data protection principles and the rights of data subjects. Teams have the autonomy to request privacy assessments whenever necessary.
Awareness
- Onboarding process
New employees are trained by the Information Security team before they start work. On this occasion, the Information Security Policy (ISP) guidelines are presented.
- Training
Teams routinely receive training from the Information Security team on topics related to security and privacy in line with the execution of their activities.
- Communication
The Information Security team uses Blip’s internal communication channels to keep all employees informed about security-related issues, raising awareness and keeping them up to date on the Information Security Policy (ISP).
- Information Security Committee
There is an Information Security Committee with members from different sectors and responsibilities at Blip, demonstrating commitment to the information security management system.