Security

Last Updated: October 27, 2022

Application security

The Bunny engineering team strives to write secure code that aligns with industry best practices. We peer review all changes to ensure code quality and run static code analysis to detect vulnerabilities, including those that may exist in our dependencies.

Authentication

By default, all Bunny user accounts are passwordless and are accessed via a sign-in link sent to the user's email address. Bunny also supports SAML-based single sign-on, and user accounts can be provisioned or deprovisioned automatically from identity providers that support the SCIM protocol.

Secure Access

Bunny requires HTTPS for access to our application, our quote, payment and invoice portals, and our API.

API

Bunny uses the OAuth 2.0 protocol to enforce secure access to our APIs.

Roles & permissions

Bunny is used by several types of users, from sales representatives through to developers and finance executives. With this in mind, we offer role-based access controls to limit the scope of data that each type of user can view or modify.

Our best practice security approach

SOC 2

Bunny is currently completing a SOC 2 Type II audit. At the time of writing we have completed more than half of the SOC 2 requirements. The resulting report provides assurance that we operate in compliance with, or beyond, the standards set out by the American Institute of Certified Public Accountants (AICPA).


Payments

We process all payments through PCI-compliant payment gateway partners such as Stripe. Bunny does not store credit card numbers or cardholder information.


Infrastructure

Bunny operates servers hosted on Amazon Web Services (AWS). Access to AWS is heavily restricted.


Incident management

Bunny operates several systems to monitor the health of our service and detect incidents. If a security incident occurs, Bunny will notify all affected customers without undue delay.


Responsible disclosure

Please report any vulnerabilities to security@bunny.com. We will immediately assign a ticket ID to each report, and a member of our engineering team will reply within 1 business day.
