Trust is a Critical Asset
to Our Success
Security is at the forefront of everything we do at Built – we take security very seriously.
This is not just about securing our customers; it is also about securing our platform and our customers’ data on that platform. Built has a dedicated Security team comprised of leadership, senior engineer, and analyst roles; however, Built’s philosophy is that it is the role of every Team member to look to the security of the company and our client’s trusted information.
Built is committed to not breaking the trust with its prospects, customers, or business partners by publicly releasing identifiable information about their data, their security, their vulnerabilities, or any proprietary information without their consent. We take the confidentiality of that information seriously being a customer-first organization.
Built maintains both SOC 1 and SOC 2 Type II compliance. Each year Built undergoes AICPA/SOC audits by an independent third-party audit firm that is qualified to conduct and validate such audits.
Data Center Security
The data centers in which Built operates meet the most demanding security requirements. Our service platform runs 100% in highly secured data centers located in the continental United States and have several certifications, including SOC II type II, SOC 1/SSAE16/ISAE 3402 (Formerly SAS70), and ISO 27001. We deploy and maintain best practices to secure that infrastructure including network and data security, and customer data segregation.
Security Best Practices & Controls:
Administrative, Physical, and Technical
Built maintains a holistic security program. The following provides insight into a selection of the primary security related best practices and controls Built maintains as part our program:
- Security awareness training – at onboarding and annually thereafter, including role-based training, phishing exercises and additional training as needed or part of a campaign
- Intrusion detection and prevention
- Encryption at rest (e.g., AES-256) and in-transit (e.g., TLS v1.2 and greater)
- Multi-factor Authentication
- Data Loss Prevention (DLP) monitoring and alerting
- Least-privilege access controls
- Routine audit of personnel and service access rights and permissions
- Continuous vulnerability scanning of infrastructure assets and application code base, including SAST, DAST, and third-party code dependencies. Validated vulnerabilities are classified in alignment with NIST’s Common Vulnerability Scoring System (CVSS)
- Secure Software Development aligned with Open Web Application Security Project® (OWASP) recommendations and best practices
- Annual review, update, and communication of security policies and procedures
- Strong physical security controls employed for company facilities
- Quarterly grey-box penetration testing – once annually by an independent third-party firm, and three times annually via internal Red Teaming exercises
- Internal CIS Top 20 security risk assessment conducted annually
- Formalized near-real time backup protocols with a defined and testing RPO
- Secure service authentication protocols and unique credential management solutions
- Secure encryption key provisioning, storage, and management solutions and protocols
- Network segmentation and data segregation best practices used
- Responsible logging practices to support investigation and remediation activities
- Robust third-party security risk assessment (TPSRA) conducted on all prospective service providers (aka “fourth parties”)
- Continuous cyber risk monitoring of third-party service providers in Built’s supply chain
We believe in the responsible disclosure of vulnerabilities to our service and will reply to all reported vulnerabilities that we are able to internally validate via email at firstname.lastname@example.org. We will respect confidentiality of all reporting parties and request that as much information as possible is sent including: a high-level overview of vulnerability discovered, sample procedures to reproduce, and your appropriate contact information.
Client and Strategic Partner Due Diligence Requests
Built understands that it is standard practice, and many times required via regulation, for its prospective and current clients and partners to conduct reasonable due diligence activities to assess Built’s posture with respect to security, privacy, financial stability, and general operations. Built believe such due diligence activities are wise to undertake and conducts its own assessments of vendors in its supply chain.
We have found that such activities are rarely standardized, often require manual provision of artifacts, including completion of one-off or custom questionnaires consisting of hundreds of questions, that may cause the procurement and sales processes to stall and/or materially delay. This can result in the interruption of clients and partners receiving the services needed to support their operational goals due to a manual back-and-forth conversation via third-party portals, email, and conference calls.
Built has proactively partnered with security risk leader UpGuard (upguard.com) to streamline and facilitate an efficient risk review of Built. Via UpGuard Built provides clients and strategic partners with Built’s current CyberRisk score along with access to Built’s Shared Profile, which contains copies of all due diligence artifacts commonly requested and multiple pre-completed and current information security related questionnaires. The information contents in Built’s UpGuard Shared Profile allows a client’s and partner’s compliance, risk, and security personnel to conduct their policy or regulatory required due diligence activities on Built in the most efficient and timely manner.