Security & Performance

Our approach:

Security is top priority for us at BullPay. Our clients entrust sensitive data to our care and we keep it safe. We have taken security seriously from the beginning and the mission of keeping BullPay and the clients we service protected is the responsibility of our whole company.

Our promise:

Why take our word for it? We are OWASP ASVS Level 3 certified by Praetorian, an expert security firm. Achieving OWASP ASVS Level 3 (the highest category) provides assurance, verified by third party auditors, that BullPay has an effective security program ensuring your data is always protected. View our OWASP ASVS Level 3 certificate.

If you’re interested in working with BullPay and have more questions about our security we would love to share more. Just drop us a line!

Our infrastructure:

BullPay’s computing infrastructure is provided by OVH, a secure cloud services platform. OVH’s cloud infrastructure has been accredited under ISO 27001:2005. Its security, management, risk assessment norms and associated processes has been accredited under ISO 27002 and ISO 27005. OVH has obtained SOC 1 and 2 type II certifications for 3 data centers in France and 1 in Canada, proof of its secured Private Cloud solution. Furthermore, OVH is a PCI certified vendor and is committed to the core principles of GDPR.

We have committed to and gained OWASP Level 3 requirements, the latest Next Generation firewall and PCI Security best practices to ensure that our applications and data are protected and always accessible. Access to our infrastructure is tightly controlled and monitored. In addition to strong security controls, BullPay ensures that the data it collects remains available through full, daily backups, retained for 30 days and tested weekly.

Our applications:

We employ secure coding practices and ensure we’re protected against the OWASP ASVS Level 3. All of the BullPay applications and services undergo well-defined quality assurance / quality control protocols.

All user passwords are securely hashed; passwords are never stored in plain text. All data access is protected by a role-based access-control mechanism, which only lets users view data for which they have permission. It’s impossible for users to view data from organizations other than their own.

Our internal processes:

Only authorized employees have access to our production infrastructure, and passwords are strictly regulated. We limit access to customer data to the employees who need it to provide support and troubleshooting on our customer’s behalf. Accessing customer data is done solely on an as-needed basis, and only when approved by the customer (i.e. as part of a support request), or to provide support, maintenance and upgrades for custom code compatibility.