Trust is a critical asset to our success.
Security is at the forefront of everything we do at Built. Adequately securing our platform and protecting your data is a fundamental part of earning trust. Built maintains a dedicated security team tasked with establishing security best practices, monitoring our environment, responding to threats and continuously improving our security posture. We also believe that every Built employee has a role to play in keeping both our business environment and the service we provide secure.
Built is committed to upholding trust with our prospects, clients and business partners by never publicly releasing identifiable information about your data, security posture, vulnerabilities or any proprietary information without your consent. As a customer-first organization, we take the confidentiality of this information seriously.
Built maintains both SOC 1 and SOC 2 Type II reports. Each year we undergo AICPA SOC audits by a qualified and independent third-party audit firm. These audits validate our security program by testing the design and operating effectiveness of our security controls and confirming that we continue to meet the high bar we have set.
The data centers in which Built operates meet the most demanding security requirements. Our service leverages highly secured data centers located in the continental United States – these data centers hold certifications including SOC 1, SOC 2 and ISO 27001. We utilize best practices in configuration management to secure our infrastructure, including network and data security, along with client data segregation.
Built maintains a holistic security program that includes:
- Annual risk assessments designed to identify potential threats and compensating controls.
- The use of strong encryption for data at rest and in-transit throughout our service infrastructure.
- Centralized identity management with SSO and multi-factor authentication.
- Data loss prevention (DLP) monitoring and alerts.
- Access management workflows based around least-privilege principles.
- Regular audits of access rights and permissions for our infrastructure and systems.
- Continuous vulnerability scanning of our service infrastructure, codebase, endpoints and related systems.
- Secure software development practices aligned with Open Web Application Security Project® (OWASP) recommendations and best practices.
- Annual review, update, and communication of security policies and procedures.
- Strong physical security controls for Built company facilities.
- Regular penetration testing, both by external third-party testing firms as well as our own internal security team.
- Continuous data backups utilizing multi-region redundancy.
- Secure service authentication protocols.
- Secure encryption key management and configuration.
- Network segmentation and client data segregation.
- Comprehensive audit logging practices to support incident investigation and remediation activities.
- A vendor management program designed to assess risk associated with new and existing vendors and ensure they are upholding Built standards.
People are the first line of defense at Built when it comes to security. We ensure that our employees are thoroughly trained and aware of the threats targeting them on a daily basis. Our security awareness training modules are presented to employees when they start working at Built, and regularly thereafter through our training platform.
In order to meet the security due diligence needs of our clients, Built maintains an information security program package available through our Security Trust Center for reference. Existing and potential clients can review overview documents, audit reports and other security-related materials following an access request and click-through NDA.
We believe in the responsible disclosure of vulnerabilities found within our service and will evaluate any valid vulnerability report that we receive via email at [email protected]. We respect the confidentiality of all reporting parties and request that submissions include:
- A high-level overview of the vulnerability discovered.
- Steps to reproduce the vulnerability, along with supporting evidence.
- Valid contact information for the reporting party.