Security
Report a vulnerability
Send security reports to security@breakingbandwidth.com. Encrypt with PGP if your report contains sensitive details.
We acknowledge receipt within three business days, aim to validate or dispute within fourteen calendar days, and follow a coordinated-disclosure model. The full policy is at /vulnerability-disclosure-policy.
Safe-harbour applies to good-faith reports that follow this policy. We do not operate a bug-bounty programme; researchers who choose to be credited will be credited publicly when their report leads to a fix.
Contact
- Security (primary)
- security@breakingbandwidth.com
- Security (fallback)
- hello@breakingbandwidth.com
- PGP fingerprint
- to be published — request the key by email
- security.txt
- /.well-known/security.txt
Posture summary
Detailed posture (auth model, tenancy isolation, data classification, residency, audit, incident response) is in our Security Summary, available on request to prospective customers and vendor-risk reviewers. Highlights:
- Identity and access delegated to WorkOS — SSO, SCIM, MFA per the customer organisation's policy.
- Four-layer tenant isolation: transport, service, repository, and Postgres Row-Level Security with split database roles.
- EU-primary data residency. US optional for US-domiciled customers on request.
- TLS 1.3 in transit, AES-256 at rest, per-tenant envelope encryption for customer secrets.
- Subscriber identifiers (IMSI, MSISDN, IMEI, SUPI, GUTI) redacted at finding construction; raw values held in a separate, access-logged store.
- SOC 2 Type I and ISO/IEC 27001:2022 on the roadmap.
Sub-processors
We engage sub-processors to deliver the service. Material changes are announced here with at least thirty days' notice.
| Sub-processor | Function | Region |
|---|---|---|
| WorkOS | Identity, SSO, SCIM, audit logs | US/EU |
| Cloudflare | DNS, CDN, WAF, DDoS | Global edge |
| Sentry | Error tracking | EU available |
| Managed Postgres | Primary datastore | EU |
| Object storage | Evidence and report blobs | EU |
| GitHub | Source-code hosting | US |
Stripe, Temporal Cloud, observability vendor, transactional email vendor, and webhook delivery vendor are added to the list as those platform features come online.
For procurement teams
The following are available on request via the security contact above:
- One-page Security Summary (PDF)
- SIG-Lite-style questionnaire, pre-filled (XLSX)
- Data Processing Agreement template (DOCX, GDPR Article 28)
- Current-state attestation against the SOC 2 / ISO 27001 control catalogues, under NDA
Scope
This policy and the Vulnerability Disclosure Policy cover the public website, Breaking Bandwidth product surfaces (Scanner, Acceptance, Pentest) when publicly accessible to customers, and public source-code repositories under github.com/breaking-bandwidth. Findings in third-party services we integrate with should be reported to the operator of that service.