Security
Security is everyone's responsibility. These guidelines help us protect Bscale, our customers, and their data.
Account security
- Use strong, unique passwords — use a password manager (we provide 1Password)
- Enable 2FA everywhere — mandatory for all work accounts
- Never share credentials — use shared vaults in 1Password instead
- Lock your screen — every time you step away
Code security
- Never commit secrets — use environment variables and secret managers
- Review dependencies — check for known vulnerabilities before adding packages
- Follow OWASP guidelines — be aware of the top 10 web security risks
- Report vulnerabilities — if you find a security issue, report it immediately
Data handling
| Data type | Handling |
|---|---|
| Customer PII | Encrypted at rest and in transit; access logged |
| Internal docs | Accessible to employees; no public sharing |
| Source code | Private repositories; branch protection enabled |
| Credentials | Stored in 1Password or AWS Secrets Manager only |
Incident response
If you suspect a security incident:
- Don't panic — but act quickly
- Report immediately in #security on Slack
- Preserve evidence — don't delete logs or modify affected systems
- Follow the runbook — the security team will guide the response
Phishing and social engineering
- Be skeptical of unexpected emails, especially those requesting urgent action
- Verify requests — if someone asks for access or credentials, confirm via a separate channel
- Report suspicious emails — forward to security@bscale.com
Compliance
We maintain SOC 2 Type II compliance. This means we undergo regular audits of our security practices. Your adherence to these guidelines is part of maintaining that certification.
Remember: Security is a team effort. When in doubt, ask the security team in #security.