All of our IT infrastructure and storage is cloud-based and hosted with Microsoft Azure. The data is hosted at the Azure West Europe data centre in the Netherlands, as well as the Azure North Europe data centre in Ireland for resilience in case of an issue at either data centre.

We have chosen not to host any data ourselves for safety and simplicity reasons. Instead, data is hosted through Microsoft’s Azure cloud offering.

Microsoft’s data centres follow a multi-layered physical security approach with features that include (but are not limited to) perimeter securities (gates, fences), surveillance, encryption by default for data in transit and at rest, and access-controls for employees and visitors.

Their physical and infrastructure security measures can be read in more detail here.

We do not have an ISMS based on ISO 27001. However, we have followed best practices when implementing our security model and rely on externally audited ISO27001 and SOC2 compliant systems for authentication (Google Firebase), as well as industry-standard encryption schemes (AES256 for data at rest, Blowfish for hardened hashes).

We also keep a set of documented policies within the technical team that we must adhere to, such as our Data Protection Strategy, IT Disaster Recovery Policy, IT Security Policy and our Vulnerability Disclosure Policy. Links to all of these can be found at the bottom of this page.

No. We are aiming to have a SOC2 Type 1 certification in the second half of 2024, with a Type 2 certification following 6 months later.

No - apart from those that Microsoft does for us.

We are using Microsoft's cloud-based PaaS (Platform-as-a-Service) offering, which is entirely through Web Apps, Azure Functions and managed SQL databases. We therefore don't have to worry about maintaining any security and OS updates manually; Microsoft does the patch management for us.

Yes. The BeCause platform and APIs require user authentication to be accessed, which can only be obtained by signing up on our platform. For all signups we use a heavily audited third-party authentication provider (Google Firebase Auth), which is both SOC2 and ISO27001 compliant. After signing up, the user can invoke our APIs and use our platform only over a HTTPS (TLS1.2+) connection.

For both the BeCause platform and the BeCause APIs, our platform has RBAC implemented and the user needs to have the appropriate access rights to perform their action. Furthermore, all data provided to us over API must be validated and sanitised, and the requests must be authenticated via API keys that are only issuable, accessible and linked uniquely to the user.

All API invocations are logged and our system is integrated with APM systems, which also performs anomaly detections of our infrastructure.

Non-technical BeCause staff cannot access the infrastructure, hosting, any sensitive data, nor any back office features at BeCause. Only technical employees can access these, and only a subset of these can, for example, do a key rotation or access a database. We assign access rights in the BeCause team based on the "least privilege" concept. Any of these accesses must be assigned by the CTO or Head of Development at BeCause.

Likewise, from the users’ point of view, the users on the platform can access their own data only by default, and can only configure who else should be able to access their data and to what extent (anonymised, fully, etc).

You can find relevant links below detailing:

If you have any other questions, please address these to [email protected].