1. Our Commitment to Security
At BidHero, security is not an afterthought—it's built into every layer of our platform. We understand that you're trusting us
with sensitive business information, including customer data, pricing strategies, and proprietary bid information. We take this
responsibility seriously and have implemented industry-leading security measures to protect your data.
This page provides transparency about our security practices, infrastructure, and compliance measures.
2. Infrastructure Security
2.1 Microsoft Azure Cloud Platform
BidHero is hosted on Microsoft Azure, a world-class cloud platform with enterprise-grade security and compliance certifications.
Azure provides:
- Physical Security: Azure data centers feature 24/7 monitoring, biometric access controls, and multiple layers of physical protection
- Network Security: Distributed denial-of-service (DDoS) protection, network isolation, and intrusion detection systems
- SOC 2 Type II Compliance: Azure maintains SOC 2 Type II compliance with regular third-party audits
- 99.9% Uptime SLA: Azure guarantees 99.9% uptime with automatic failover and redundancy
- Geographic Redundancy: Your data is replicated across multiple Azure regions for disaster recovery
2.2 Server and Network Security
- All servers are configured with hardened security settings following CIS benchmarks
- Automatic security patches and updates applied regularly
- Firewalls configured to allow only necessary traffic
- Network segmentation to isolate different system components
- 24/7 system monitoring and alerting for suspicious activity
3. Data Encryption
3.1 Encryption in Transit
All data transmitted between your browser and our servers is encrypted using:
- TLS 1.2+ (HTTPS): Industry-standard encryption protocol for all web traffic
- 256-bit SSL Certificates: Extended validation certificates from trusted certificate authorities
- Perfect Forward Secrecy: Each session negotiates unique, ephemeral encryption keys, so a later compromise of the server's long-term key does not expose previously recorded sessions
- HSTS Headers: HTTP Strict Transport Security ensures browsers only connect via HTTPS
3.2 Encryption at Rest
All stored data is encrypted using:
- AES-256 Encryption: Military-grade encryption for all database records, files, and backups
- Azure Storage Service Encryption: Automatic encryption for all files, photos, and documents uploaded to BidHero
- Encrypted Backups: All backup files are encrypted before storage
- Key Management: Encryption keys are managed securely using Azure Key Vault with hardware security modules (HSMs)
3.3 Customer Portal Security
When you share bids with customers via our portal:
- Each customer receives a unique, encrypted access token
- Tokens are time-limited and expire after use
- Two-factor authentication required for portal access
- Customers can only access their own bid information
- All portal sessions are encrypted end-to-end
4. Authentication and Access Control
4.1 User Authentication
- Strong Password Requirements: Minimum 8 characters with complexity requirements
- Password Hashing: All passwords are hashed using bcrypt, which applies a unique salt to each password (passwords are never stored in plain text)
- Two-Factor Authentication (2FA): Optional 2FA for user accounts, required for customer portal access
- Session Management: Secure session tokens with automatic timeout after 30 minutes of inactivity
- Account Lockout: Automatic lockout after 5 failed login attempts to prevent brute-force attacks
4.2 Role-Based Access Control (RBAC)
BidHero implements granular access controls:
- Users can only access data within their own account
- Role-based permissions (Admin, Bidder, Analytics, etc.)
- Team members only see features and data relevant to their role
- Account owners can manage user permissions and access
- Audit logs track all user actions and data access
4.3 API Security
- All API endpoints require authentication tokens
- Rate limiting prevents abuse and DDoS attacks
- API tokens expire and must be refreshed regularly
- Input validation and sanitization on all API requests
5. Application Security
5.1 Secure Development Practices
Our development team follows security best practices:
- Security Code Reviews: All code is reviewed for security vulnerabilities before deployment
- Automated Security Testing: Continuous integration includes automated security scans
- Dependency Scanning: Regular scans for known vulnerabilities in third-party libraries
- OWASP Top 10 Protection: Protection against common web vulnerabilities (SQL injection, XSS, CSRF, etc.)
- Input Validation: All user input is validated and sanitized to prevent injection attacks
5.2 Vulnerability Management
- Regular penetration testing by third-party security experts
- Vulnerability scanning and patch management program
- Responsible disclosure program for security researchers
- 24-48 hour response time for critical security issues
6. Data Protection and Privacy
6.1 Data Isolation
- Each customer account has logically separated data
- Database-level isolation ensures customers cannot access each other's data
- File storage is segregated by account with strict access controls
6.2 Data Backup and Recovery
- Daily Automated Backups: Full database backups performed every 24 hours
- Transaction Log Backups: Continuous backups every 15 minutes for point-in-time recovery
- 30-Day Retention: Backups retained for 30 days with encrypted storage
- Geographic Redundancy: Backups stored in multiple Azure regions
- Disaster Recovery Plan: Documented procedures for data recovery with 4-hour RTO (Recovery Time Objective)
- Regular Testing: Quarterly disaster recovery drills to ensure recovery procedures work
6.3 Data Retention and Deletion
- Active account data is retained indefinitely while your subscription is active
- Upon account cancellation, data is retained for 90 days (allowing for reactivation)
- After 90 days, all account data is permanently deleted
- You can request immediate data deletion by contacting privacy@bidhero.pro
- Secure deletion procedures ensure data cannot be recovered
7. Monitoring and Incident Response
7.1 Security Monitoring
- 24/7 automated monitoring of system health and security events
- Real-time alerts for suspicious activity, failed login attempts, and anomalies
- Intrusion detection systems (IDS) monitor network traffic
- Log aggregation and analysis using Azure Monitor and Application Insights
- Proactive threat intelligence monitoring
7.2 Incident Response Plan
In the event of a security incident, we follow a documented incident response plan:
- Detection: Automated systems alert our security team immediately
- Containment: Affected systems are isolated to prevent spread
- Investigation: Security team investigates root cause and impact
- Remediation: Vulnerabilities are patched and systems are restored
- Notification: Affected customers are notified within 72 hours as required by GDPR
- Post-Incident Review: We conduct thorough analysis and implement improvements
8. Compliance and Certifications
8.1 Regulatory Compliance
BidHero is designed to help you comply with data protection regulations:
- GDPR Compliance: Full compliance with European Union General Data Protection Regulation
- CCPA Compliance: California Consumer Privacy Act compliance for California residents
- SOC 2 Type II: Azure infrastructure is SOC 2 Type II certified
- HIPAA-Ready: Azure infrastructure supports HIPAA compliance (upon request)
8.2 Data Processing Agreements
We offer Data Processing Agreements (DPAs) for customers subject to GDPR or other data protection regulations.
Contact legal@bidhero.pro to request a DPA.
9. Third-Party Security
9.1 Vendor Security
We carefully vet all third-party vendors and service providers:
- Vendor security assessments before integration
- Data Processing Agreements with all vendors handling customer data
- Regular vendor security audits and reviews
- Minimum necessary access principle for all vendors
9.2 Third-Party Integrations
When you use third-party integrations (The Home Depot API, Lowe's API), we:
- Use secure OAuth authentication flows
- Store API credentials encrypted in Azure Key Vault
- Never share your BidHero credentials with third parties
- Limit data sharing to only what's necessary for the integration
10. Employee Access and Training
10.1 Employee Security
- Background checks for all employees with data access
- Signed confidentiality and data protection agreements
- Principle of least privilege—employees only access data necessary for their role
- Multi-factor authentication required for all internal systems
- Regular security awareness training for all staff
- Immediate access revocation upon employee departure
10.2 Support Access
When you contact support:
- Support staff can only access your account with your explicit permission
- All support sessions are logged and audited
- Support staff cannot view sensitive fields (passwords, credit cards)
- Session access is time-limited and automatically expires
11. Your Security Responsibilities
11.1 Best Practices
While we provide robust security, you play an important role in protecting your account:
- Use Strong Passwords: Create unique, complex passwords for your BidHero account
- Enable Two-Factor Authentication: Add an extra layer of security to your account
- Keep Credentials Private: Never share your password or session tokens
- Use Secure Networks: Avoid accessing BidHero on public Wi-Fi without a VPN
- Keep Software Updated: Use updated browsers and operating systems
- Review User Access: Regularly audit team member access and remove inactive users
- Report Suspicious Activity: Contact us immediately if you notice unauthorized access
11.2 Secure Customer Portal Sharing
When sharing bids with customers:
- Only share portal links with intended recipients
- Verify customer email addresses before sending
- Inform customers about the two-factor authentication process
- Archive or delete old bids that are no longer needed
12. Security Questions and Reporting
12.1 Report a Security Issue
If you discover a security vulnerability or have concerns about the security of our platform,
please contact us immediately:
We appreciate responsible disclosure and will work with security researchers to resolve issues promptly.
12.2 Security Questions
For general security questions or to request additional information about our security practices:
12.3 Security Documentation
Enterprise customers can request additional security documentation, including:
- SOC 2 reports (under NDA)
- Penetration test summaries
- Data Processing Agreements (DPA)
- Business Associate Agreements (BAA) for HIPAA
Contact enterprise@bidhero.pro for more information.
13. Continuous Improvement
Security is not a one-time effort—it's an ongoing commitment. We continuously improve our security posture through:
- Regular third-party security audits and penetration testing
- Staying current with emerging threats and vulnerabilities
- Implementing new security technologies and best practices
- Participating in security research and industry forums
- Learning from security incidents (ours and others)
- Soliciting feedback from security researchers and customers
14. Updates to This Page
We will update this Security Overview periodically to reflect changes in our security practices, infrastructure,
or compliance certifications. Check the "Last Updated" date at the top of this page to see when changes were made.
Material changes to our security practices will be communicated via email to all active customers.