
Bidali Security Policy

Last updated on January 30, 2024

Bidali Inc. ("Bidali") uses bank-grade security systems and data encryption to protect you and your data. The following controls are in place to guard against unauthorized access to your personal or financial information. If you suspect any unauthorized activity on your account, please contact us immediately at support@bidali.com.

Access Controls

We employ tiered, role-based access controls that are enforced at each layer of our infrastructure. Multi-factor authentication is required for access to Bidali infrastructure, and that access is limited to employees on a "need to know" basis.

All Bidali access credentials are strong, rotated regularly, encrypted locally and managed by one of the world's leading password management systems. Because of the length and randomness of our passwords, team members typically do not know their actual credentials. This reduces the likelihood that a third party can guess, brute-force or coerce people into giving up their passwords. We also have monitoring in place to track management and usage of these credentials.

All application and user access logs are stored centrally and monitored. Strong passwords are required for every user account. All passwords are cryptographically hashed using modern, proven standards.

Encryption

All communication between Bidali's public-facing websites and our APIs occurs over HTTPS or WebSockets encrypted using TLS and generally requires API key authentication. All data is encrypted at rest within our data centres.

We do not share client data, our TLS private key or access to our TLS private key with any third parties or vendors.

We set Content Security Policy (“CSP”) and HTTP Strict Transport Security (“HSTS”) response headers, which modern browsers enforce.

Redundancy and Availability

We strive to provide 100% uptime.

Our servers and data are hosted on Google Cloud Platform ("GCP") - one of the world's leading cloud service providers. Our infrastructure is deployed in multiple regions with redundancy for high availability, with regular backup and system monitoring strategies in place. These data centres employ strict security clearance, access and monitoring, and have alternative power backups in the event of power failure. More information on GCP security can be found here.

To protect against the event that a key team member is unable to perform their duties, we employ similar redundancy tactics within our team. Multiple people are always trained on how to perform critical business operations.

Routine Tests

All the components that comprise the Bidali platform are regularly run through a rigorous automated testing suite as well as manual regression testing prior to being available for public use. Internal and external network penetration tests are also routinely performed.

Traffic Controls

The Bidali APIs accept connections only over strong TLS protocol versions and cipher suites. All communication between Bidali's public-facing websites and our APIs occurs over HTTPS or WebSockets encrypted using TLS and in general requires API key authentication.
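What "strong TLS protocols and ciphers" looks like as server configuration, as an added example written for this page rather than Bidali's own setup: a Python `ssl` server context that refuses anything below TLS 1.2, restricts the TLS 1.2 suite list to ECDHE key exchange with AEAD ciphers (the cipher string is an assumption of this example), disables TLS compression, and includes a small self-check that the negotiable suite list contains nothing legacy. TLS 1.3 suites are all AEAD and are governed separately by OpenSSL, so they remain enabled.

```python
import ssl
from typing import List, Optional

# Assumed cipher policy for this example: forward secrecy (ECDHE) plus AEAD only.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"
# Substrings that identify suites a modern API should never offer.
LEGACY_MARKERS = ("RC4", "MD5", "3DES", "DES-CBC", "NULL", "EXP")


def make_server_tls_context(certfile: Optional[str] = None,
                            keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Build a server-side context with a floor of TLS 1.2 and a restricted suite list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSLv3, TLS 1.0, TLS 1.1 refused
    ctx.set_ciphers(STRONG_CIPHERS)                # applies to TLS <= 1.2 suites
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS compression enables CRIME-style attacks
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)     # assumed PEM files; omitted when self-checking
    return ctx


def negotiable_suites(ctx: ssl.SSLContext) -> List[str]:
    """Names of every suite this context could negotiate, across TLS 1.2 and 1.3."""
    return [c["name"] for c in ctx.get_ciphers()]


def legacy_suites(ctx: ssl.SSLContext) -> List[str]:
    """Suites still enabled that match a legacy marker; should be empty."""
    return [name for name in negotiable_suites(ctx)
            if any(marker in name for marker in LEGACY_MARKERS)]


def allows_old_tls(ctx: ssl.SSLContext) -> bool:
    """True if the context would still accept a pre-TLS-1.2 handshake."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2
```

A deployment check is simply `assert not legacy_suites(ctx) and not allows_old_tls(ctx)` at startup; the same two functions can be pointed at a default `ssl.SSLContext()` to see how much a stock configuration permits by comparison.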

All of our cloud infrastructure is distributed geographically and resides in an environment that utilizes network address translation (NAT) with strict firewall rules.

Rate limiting is applied to certain account operations, such as login attempts, to thwart brute-force attacks.
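The mechanism behind that sentence, as an added example (written for this page; not Bidali's implementation): a sliding-window limiter applied to login attempts and keyed on both the account name and the client address, so that neither a single-source dictionary attack nor a many-source spray against one account gets unlimited guesses. The limit of 5 attempts per 60 seconds, the `login_keys` scheme and the `attempt_login` wrapper are assumptions of this example; the clock is injectable so the behaviour can be tested without waiting.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List


class LoginRateLimiter:
    """Allow at most `limit` attempts per `window` seconds for each key (sliding window)."""

    def __init__(self, limit: int = 5, window: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable for tests; monotonic so wall-clock changes cannot reset it
        self._attempts: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, key: str, now: float) -> Deque[float]:
        """Drop timestamps that have aged out of the window and return the live queue."""
        q = self._attempts[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, key: str) -> bool:
        """Record an attempt and return True if it was within the limit."""
        now = self.clock()
        q = self._prune(key, now)
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def retry_after(self, key: str) -> float:
        """Seconds until the oldest in-window attempt expires; 0.0 if not currently limited."""
        now = self.clock()
        q = self._prune(key, now)
        if len(q) < self.limit:
            return 0.0
        return self.window - (now - q[0])


def login_keys(username: str, client_ip: str) -> List[str]:
    """Limit per account (case-folded) and per source address, so both attack shapes are covered."""
    return [f"user:{username.strip().lower()}", f"ip:{client_ip}"]


def attempt_login(limiter: LoginRateLimiter, username: str, client_ip: str,
                  check_credentials: Callable[[str], bool]) -> str:
    """Return 'rate_limited', 'invalid' or 'ok'. Every attempt counts, successful or not."""
    keys = login_keys(username, client_ip)
    if any(limiter.retry_after(k) > 0 for k in keys):
        return "rate_limited"          # do not even touch the password check
    for k in keys:
        limiter.allow(k)               # record against both keys before verifying
    return "ok" if check_credentials(username) else "invalid"
```

Counting every attempt rather than only failures keeps the limiter's cost independent of the credential check, and refusing before the password is verified means a rate-limited client learns nothing about whether the guess was right. In a multi-instance deployment the per-key queues would live in a shared store rather than in process memory.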

We partner with enterprise vendors to mitigate potential distributed denial-of-service (“DDoS”) attacks.

Bug Reports

We operate a bug bounty program. If you think that you have found a security issue, please submit a report to us at security@bidali.com. You may choose to remain anonymous; please sign any anonymous email with your publicly verifiable PGP key. We take all reports seriously. Please do not publicly disclose the issue until we have addressed it.


If you have any questions or concerns feel free to contact support@bidali.com.