Trust & Safety

Security

How we protect your team's data

SOC 2 Type II · ISO 27001 · GDPR · AES-256 · TLS 1.3

Our Commitment

Workforce data is among the most sensitive data a company holds — salaries, identities, attendance, performance. We treat it accordingly. Security is not a feature we added on top of Bulma; it is the foundation everything else is built on.

Bulma is independently audited annually by a third-party security firm. SOC 2 Type II and ISO 27001 audit reports are available to enterprise customers under NDA on request.

Encryption

All data transmitted between your browser or mobile app and Bulma's servers is encrypted using TLS 1.3. Data at rest is encrypted with AES-256. Sensitive fields — salaries, tax identifiers, bank details — are additionally encrypted at the field level and masked by default in the UI, accessible only to administrators with explicit permission.

Infrastructure

Bulma runs on enterprise-grade cloud infrastructure across multiple availability zones, providing high availability and automatic failover. Our environment is isolated per customer — your data is never commingled with another organisation's data.

  • Infrastructure-as-code with immutable deployments
  • Private networking; no public database endpoints
  • Continuous vulnerability scanning and dependency audits
  • Automated daily backups with point-in-time recovery
  • 99.9% uptime SLA with real-time status at status.bulma.ai

Access Control

Bulma enforces role-based access control (RBAC) at every level. Admins assign granular permissions per module — an HR manager can run payroll without seeing engineering salaries, and a team lead can approve leave without accessing headcount reports.

  • Single sign-on (SSO) via SAML 2.0 and OIDC
  • Multi-factor authentication (MFA) enforced for all admin accounts
  • Automatic session expiry and anomalous login detection
  • Immutable audit logs for every permission change and data access event
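As an added illustration (not Bulma's own code; nothing about its internals is published on this page), the Go program below shows the pattern the Encryption and Access Control sections describe: each sensitive column is encrypted on its own with AES-256-GCM, the column name is bound into the ciphertext, and every read goes through one function that returns a masked value unless the caller's role carries that column's permission, recording the access either way. The role names, permission strings, column names and sample salary are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Permission, role and column names are constructed for this example, not Bulma's real model.
type Permission string

const (
	PermRunPayroll Permission = "payroll:run"
	PermViewSalary Permission = "salary:view"
	PermViewBank   Permission = "bank:view"
)

var rolePerms = map[string]map[Permission]bool{
	"payroll_admin": {PermRunPayroll: true, PermViewSalary: true, PermViewBank: true},
	"hr_manager":    {PermRunPayroll: true}, // runs payroll, never sees individual salaries
}

// Each sensitive column is unlocked by exactly one explicit permission.
var fieldPerm = map[string]Permission{
	"salary":       PermViewSalary,
	"bank_account": PermViewBank,
}

const masked = "******" // what a caller without the column's permission sees

type AuditEntry struct {
	Role, Field string
	Revealed    bool
}

var auditLog []AuditEntry // stands in for an append-only audit sink

// FieldCipher encrypts individual sensitive fields with AES-256-GCM.
type FieldCipher struct{ aead cipher.AEAD }

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d bytes", len(key))
	}
	block, _ := aes.NewCipher(key)   // key length validated above
	aead, _ := cipher.NewGCM(block) // AES's 16-byte block is always valid for GCM
	return &FieldCipher{aead: aead}, nil
}

// Encrypt returns nonce||ciphertext||tag. The column name is bound as associated data,
// so a blob lifted from bank_account cannot be decrypted as a salary: authentication fails.
func (f *FieldCipher) Encrypt(field string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return f.aead.Seal(nonce, nonce, plaintext, []byte(field)), nil
}

func (f *FieldCipher) Decrypt(field string, blob []byte) ([]byte, error) {
	ns := f.aead.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return f.aead.Open(nil, blob[:ns], blob[ns:], []byte(field))
}

// ReadField is the only path from a stored blob to a displayable value. Without the
// column's permission the caller gets the mask and the key is never used; every call is audited.
func ReadField(fc *FieldCipher, role, field string, blob []byte) (string, error) {
	perm, ok := fieldPerm[field]
	if !ok {
		return "", fmt.Errorf("unknown sensitive field %q", field)
	}
	allowed := rolePerms[role][perm] // unknown role: nil map, reads as false
	auditLog = append(auditLog, AuditEntry{Role: role, Field: field, Revealed: allowed})
	if !allowed {
		return masked, nil
	}
	pt, err := fc.Decrypt(field, blob)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed; production keys come from a KMS, not a literal
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fc, _ := NewFieldCipher(key)
	blob, _ := fc.Encrypt("salary", []byte("125000"))
	for _, role := range []string{"payroll_admin", "hr_manager", "team_lead"} {
		v, _ := ReadField(fc, role, "salary", blob)
		fmt.Printf("%-13s sees salary as %s\n", role, v)
	}
}
```

Two design choices worth noting. Binding the column name as GCM associated data is this example's own addition: it stops an attacker with write access to the database from moving a ciphertext between columns or rows of different sensitivity. And the permission check runs before decryption, so an unauthorised caller never causes the key to be used at all, which keeps the audit trail honest about who actually saw plaintext. With random 96-bit nonces a single key should not protect more than roughly 2^32 encryptions; at payroll scale that argues for per-tenant or per-record keys wrapped by a KMS rather than one static key.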

Internal Practices

Our own team follows the same rigorous standards we build into the product.

  • All employees undergo background checks and security training on hire
  • Production access is limited to a small on-call team on a least-privilege basis
  • All internal access to customer data requires justification and is logged
  • We conduct annual penetration tests with a specialist third-party firm
  • We run a continuous bug bounty programme

Bulma employees never access your data to train AI models or for any purpose outside of delivering and supporting the service.

Compliance

Bulma is designed to help your organisation maintain compliance with relevant labour, data, and privacy regulations. Our platform supports GDPR, UAE PDPL, and Saudi PDPA data subject rights workflows out of the box.

  • Data residency options available for enterprise plans
  • Data processing agreements (DPAs) available on request
  • Configurable retention schedules per data category
  • Export and deletion tools for data subject access requests

Incident Response

In the event of a confirmed security incident affecting your data, we commit to notifying affected customers within 72 hours of discovery. Under GDPR Article 33 a processor must notify the controller without undue delay, and the controller then has 72 hours from becoming aware of a breach to notify its supervisory authority; customers that need a shorter notification window to meet that deadline can agree one in their DPA. Notifications will include the nature of the incident, the data categories affected, and the remediation steps taken.

We maintain a documented incident response plan that is tested via tabletop exercises twice a year.

Responsible Disclosure

If you believe you have found a security vulnerability in Bulma, we ask that you disclose it responsibly. Please report findings to security@bulma.ai with full details. We will acknowledge your report within 24 hours and aim to resolve confirmed vulnerabilities within 30 days.

We will not take legal action against researchers who act in good faith and follow our disclosure guidelines. Recognition and rewards are available for valid, in-scope reports.

Contact

Security questions, audit report requests, or DPA enquiries:

bulma