Security policies

Last updated on July 7, 2022

Product security

Product security is of paramount importance at Builders Patch. Builders Patch uses a software development lifecycle in line with general Agile principles. When security effort is applied throughout the Agile release cycle, security-oriented software defects can be discovered and addressed more rapidly than in development methodologies with longer release cycles. Software patches are released as part of our continuous integration process. Patches that can impact end users will be applied as soon as possible but may necessitate end user notification and scheduling a service window.

Builders Patch performs continuous integration. In this way we are able to respond rapidly to both functional and security issues. Well-defined change management policies and procedures determine when and how changes occur. This philosophy is central to DevOps security and the development methodologies that have driven Builders Patch adoption. In this way, Builders Patch is able to achieve extremely short mean time to resolution for security vulnerabilities and functional issues alike. Builders Patch is continuously improving our DevOps practice in an iterative fashion.

Protection of Customer Data

Data submitted to the Builders Patch service by authorized users is considered confidential. This data is protected in transit across public networks and encrypted at rest. Customer Data is not authorized to exit the Builders Patch production service environment, except in limited circumstances such as in support of a customer request.

All data transmitted between Builders Patch and Builders Patch users is protected using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). If encrypted communication is interrupted, the Builders Patch application is inaccessible.

Builders Patch maintains distinct data centers in the United States. Customer-submitted service data is not transferred or shared between distinct data centers. Builders Patch utilizes encryption at various points to protect Customer Data and Builders Patch secrets, including encryption at rest (e.g. AES-256), and KMS-based protections for the protection of secrets (passwords, access tokens, API keys, etc.).

Access to Customer Data is limited to functions with a business requirement to do so. Builders Patch has implemented multiple layers of access controls for administrative roles and privileges. Access to environments that contain Customer Data requires a series of authentication and authorization controls, including Multi-Factor Authentication (MFA). Builders Patch enforces the principles of least privilege and need-to-know for access to Customer Data, and access to those environments is monitored and logged for security purposes. Builders Patch has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms, and enforces full-disk encryption and unique credentials for workstations.

Builders Patch monitors critical infrastructure for security-related events by using a custom implementation of open source and commercial technologies. Activity data such as API calls and operating system level calls are logged to a central point where the information is passed through a series of custom rules designed to identify malicious or unapproved behavior. The results of these rules are fed into an orchestration platform that triggers automated actions, which may include directly alerting the security team or triggering additional authentication requirements.

Disclosure

If you believe you’ve discovered a bug in Builders Patch’s security, please get in touch at security@builderspatch.com and we will get back to you within 24 hours. We request that you not publicly disclose the issue until we have had a chance to address it.