Security
Last updated on June 30, 2025

HIPAA Compliant

SOC 2 Under Audit & Ready
Security as a company value
Bonsai's security & compliance principles guide how we deliver our products and services, enabling people to simply and securely access the digital world. Clinician and patient trust is of the highest priority at Bonsai. We hold ourselves accountable to a HIPAA-compliant data storage and processing protocol for all data captured and shared through our platform.
Secure Personnel
Bonsai takes the security of its data and that of its clients and customers seriously and ensures that only vetted personnel are given access to their resources.
- All Bonsai contractors and employees undergo background checks prior to being engaged or employed by us in accordance with local laws and industry best practices.
- Confidentiality or other types of Non-Disclosure Agreements (NDAs) are signed by all employees, contractors, and others who have a need to access sensitive or internal information.
- We embed the culture of security into our business by conducting employee security training & testing using current and emerging techniques and attack vectors.
Secure Development
- All development projects at Bonsai, including on-premises software products, support services, and our own Digital Identity Cloud offerings follow secure development lifecycle principles.
- All development of new products, tools, and services, and major changes to existing ones, undergo a design review to ensure security requirements are incorporated into proposed development.
- All team members who are regularly involved in system development undergo annual secure development training in the coding or scripting languages they work with, as well as any other relevant training.
- Software development is conducted in line with OWASP Top 10 recommendations for web application security.
Secure Testing
Bonsai deploys third-party penetration testing and vulnerability scanning of all production and Internet-facing systems on a regular basis.
- All new systems and services are scanned prior to being deployed to production.
- We perform penetration testing both by internal security engineers and external penetration testing companies on new systems and products or major changes to existing systems, services, and products. This ensures a comprehensive and real-world view of our products & environment from multiple perspectives.
- We perform static and dynamic software application security testing of all code, including open source libraries, as part of our software development process.
Cloud Security
Hosted Bonsai provides maximum security with complete customer isolation in a modern, multi-tenant cloud architecture.
Hosted Bonsai leverages the native physical and network security features of the cloud service, and relies on the providers to maintain the infrastructure, services, and physical access policies and procedures.
- All customer cloud environments and data are isolated using Bonsai's account-based isolation approach. Each customer environment is stored within a dedicated trust zone to prevent any accidental or malicious commingling.
- All data is encrypted at rest and in transmission to prevent any unauthorized access and prevent data breaches. Our entire platform is continuously monitored by dedicated, highly trained Bonsai staff.
- We separate each customer's data and our own, utilizing accounts to ensure data is protected and isolated.
- Client data protection complies with SOC 2 standards for encrypting data in transit and at rest. This ensures customer and company data and other sensitive information is protected at all times.
- We implement role-based access controls and the principle of least-privilege access, and review and revoke access as needed.
Guidelines
Web Application Security Scanning (NIST SP 500-269)
In alignment with the best practices defined in NIST SP 800-190, "Application Container Security Guide", we implement robust security measures throughout our cloud-native application lifecycle to ensure the protection of our services and data.
Bonsai uses Google Cloud IDS (Cloud Intrusion Detection System) which detects malware, spyware, command-and-control attacks, and other network-based threats. Its security efficacy is industry-leading, built with Palo Alto Networks technologies.
Bonsai implements strict IAM policies in Google Cloud to enforce the principle of least privilege, restricting access to the minimum required for each role. We also utilize Firestore Security Rules to control access to documents and collections in the database in an efficient and secure manner. These policies and rules are reviewed and updated regularly as part of our security maintenance process.
Additionally, we employ automated continuous security vulnerability scanning tools (Dependabot) in our repositories to identify vulnerabilities early in the process. Regular third-party penetration testing further validates the security of our systems.
Furthermore, Bonsai employs advanced web security scanning using OWASP ZAP, one of the industry's leading tools for identifying and remediating security issues in web applications. This robust integration leverages OWASP ZAP's comprehensive capabilities, including automated and passive scanning, spidering, fuzzing, and intercepting proxy features.
By utilizing ZAP, Bonsai ensures thorough vulnerability detection and proactive mitigation, safeguarding web applications against potential threats. This commitment to top-tier security practices highlights Bonsai's dedication to maintaining the highest standards of web application security.
Application Security
Encryption | Data is encrypted in transit with TLS 1.2. Data is encrypted at rest with AES.
Continuous Monitoring | Independent third-party penetration, threat, and vulnerability testing.
Data Handling | Bonsai is in full compliance with HIPAA and has support for data deletion.
SSO | User access controls with single sign-on.
Secure Hosting | Bonsai's cloud environments are backed by Google's security measures.
RBAC | Role-based account access workflows.
Continuous Security Commitment
Penetration Testing | We perform an independent third-party penetration test at least annually to ensure that the security posture of our services is uncompromised.
Security Awareness Training | Our team members are required to go through employee security awareness training. This covers industry-standard practices and information security topics such as phishing and password management.
Third-Party Audits | Our organization undergoes independent third-party assessments to test our security controls.
Roles and Responsibilities | Roles and responsibilities related to our information security program and the protection of our customers' data are well defined and documented.
Information Security Program | We have an information security program in place that is communicated throughout the organization. Our program follows the criteria set forth by SOC 2.
Continuous Monitoring | We continuously monitor our security and compliance status to ensure there are no lapses.
Compliance
Bonsai is committed to providing secure products and services to safely and easily manage digital identities across the country.
Our external certifications provide independent assurance of Bonsai's dedication to protecting our customers. We regularly assess and validate the protections and effective security practices Bonsai has in place.
SOC 2 Type 2
Bonsai LLC is currently undergoing SOC 2 Type 2 audits.
Questions About Our Security?
We're here to help. Contact our security team for any questions about our practices.