Workforce data is among the most sensitive data a company holds — salaries, identities, attendance, performance. We treat it accordingly. Security is not a feature we added on top of Bulma; it is the foundation everything else is built on.
All data transmitted between your browser or mobile app and Bulma's servers is encrypted using TLS 1.3. Data at rest is encrypted with AES-256. Sensitive fields — salaries, tax identifiers, bank details — are additionally encrypted at the field level and masked by default in the UI, accessible only to administrators with explicit permission.
Bulma runs on enterprise-grade cloud infrastructure across multiple availability zones, providing high availability and automatic failover. Our environment is isolated per customer — your data is never commingled with another organisation's data.
Bulma enforces role-based access control (RBAC) at every level. Admins assign granular permissions per module — an HR manager can run payroll without seeing engineering salaries, and a team lead can approve leave without accessing headcount reports.
Our own team follows the same rigorous standards we build into the product.
Bulma is designed to help your organisation maintain compliance with relevant labour, data, and privacy regulations. Our platform supports GDPR, UAE PDPL, and Saudi PDPA data subject rights workflows out of the box.
In the event of a confirmed security incident, we commit to notifying affected customers within 72 hours of discovery, in line with GDPR Article 33 requirements. Notifications will include the nature of the incident, data categories affected, and remediation steps taken.
We maintain a documented incident response plan that is tested via tabletop exercises twice a year.
If you believe you have found a security vulnerability in Bulma, we ask that you disclose it responsibly. Please report findings to security@bulma.ai with full details. We will acknowledge your report within 24 hours and aim to resolve confirmed vulnerabilities within 30 days.
Security questions, audit report requests, or DPA enquiries: