Security & Trust Overview

Last Updated: August 2025

Table of Contents

  1. Introduction
  2. Security Governance
  3. Data Protection & Privacy
  4. Access Control & Identity Management
  5. Infrastructure & Network Security
  6. Application Security
  7. Endpoint & Device Security
  8. Encryption & Cryptography
  9. Monitoring, Logging & Audit
  10. Artificial Intelligence & Machine Learning
  11. Incident Response & Management
  12. Business Continuity & Disaster Recovery
  13. Third-Party Risk Management
  14. Security Awareness & Training
  15. Compliance & Risk Management
  16. CRM-Specific Security Controls
  17. Cloud Security Architecture
  18. Change Management & DevSecOps
  19. Physical & Environmental Security
  20. Policy & Governance
  21. Responsible Disclosure & Contact

1. Introduction

At Fireberry (“Fireberry”, “we”, “us”), we prioritize the security and privacy of our customers' data above all else. We have established a comprehensive security program designed to protect the information you entrust to our various platforms. Our approach is built on a foundation of transparency, continuous improvement, and alignment with industry best practices.

This document provides a detailed overview of our security philosophy, the controls we have implemented across our organization, and our approach to compliance. Our security program is informed by internationally recognized standards and frameworks, including certain principles from ISO 27001, 27017, 27018, 27032, and 27799.

Document Scope and Use

This Security and Trust Overview is provided for informational purposes only. While Fireberry continually improves its security protections, the information presented herein is not intended to create, and shall not create, any binding or contractual obligation on Fireberry. This policy shall become legally binding only where a contractual document executed between Fireberry and a Fireberry customer expressly incorporates this policy by reference and states that it is binding. Absent such express incorporation, this document is provided solely for reference and transparency purposes. Our official legal commitments and obligations are detailed in our Terms of Service, Privacy Policy, and Data Processing Addendum.

2. Security Governance

Effective security starts with strong leadership and clear accountability. Fireberry's leadership team provides active oversight for our security program, ensuring it aligns with our business objectives and meets our customers' expectations.

  • Organizational Structure: Our security program is managed by a dedicated team of security professionals, led by a Chief Information Security Officer (CISO). Our team is focused on proactively identifying and mitigating risks, collaborating closely with our technology, privacy, and legal departments to ensure a holistic approach to security.
  • Executive Oversight: A security governance body composed of senior leadership from across the organization provides strategic direction, reviews security risks, and allocates resources to security initiatives.
  • Defined Roles & Responsibilities: Security is a shared responsibility. We have clearly defined security roles and responsibilities for all personnel, from our engineers to our executive team, to ensure that everyone understands their role in protecting customer data.

3. Data Protection & Privacy

Protecting customer data and respecting privacy are fundamental to our operations. We embed privacy considerations into our product development and internal processes, an approach often referred to as "Privacy by Design."

  • Data Classification: We maintain a data classification framework to ensure that appropriate security controls are applied to data based on its sensitivity and classification level. This helps us apply the strongest protections to your most sensitive information.
  • Data Lifecycle Management: Our data lifecycle management process governs how we handle data responsibly, from collection to secure deletion. This process outlines the technical and organizational measures for secure storage, processing, and disposal, in accordance with our data retention policies and customer agreements.
  • Privacy Rights: We are committed to upholding the privacy rights of individuals. Our processes are designed to address data subject requests in accordance with applicable data protection laws and regulations. For detailed information, please refer to our Privacy Policy.
  • Cross-Border Data Transfers: We provide transparency about how we handle international data transfers. Our approach and legal mechanisms are detailed in our Data Processing Addendum.

4. Access Control & Identity Management

We operate on a Zero-Trust security model. This approach is centered on the belief that we should never automatically trust any request, whether it originates from inside or outside our network. Instead, we strive to continuously verify identity and permissions for every request.

  • Principle of Least Privilege: We employ the principle of least privilege, ensuring that personnel receive only the minimum level of access necessary to fulfill their job responsibilities. Access rights are regularly reviewed and adjusted to align with current roles and duties.
  • Strong Authentication: Access to Fireberry's internal corporate and production systems typically requires strong authentication, including mandatory Multi-Factor Authentication (MFA). Personnel access Fireberry-controlled systems using their unique G Suite user account credentials, which consist of a unique username, a strong password of at least eight characters, and a two-factor authentication (2FA) mechanism.
  • Password & Session Management: User credentials for Fireberry-controlled systems require strong, complex passwords. Our policies are designed in alignment with regulatory standards, which include mandatory periodic password changes and the prevention of password reuse. To mitigate unauthorized access, user sessions are configured to automatically log out after a defined period of inactivity.
  • Privileged Access Management (PAM): We have implemented enhanced controls for accounts with elevated privileges. For temporary or emergency access to sensitive systems, we may use a Just-in-Time Access (JITA) model, where privileged access is granted for a limited duration.
  • Authentication to Fireberry Systems: Personnel are required to log in only from Fireberry-managed devices. Authentication is managed through our secure, centralized Single Sign-On (SSO) system. We use this system's features to identify and mitigate malicious authentication attempts. Frequent failed login attempts may result in an account lockout or revocation, as deemed appropriate.
  • Authentication to Third-Party Systems: Where supported, third-party systems delegate authentication to Fireberry’s centralized SSO service, ensuring consistent access controls managed by the Fireberry security team. If a third-party system does not support SSO, unique and robust passwords are created and stored securely in Fireberry's approved password management system. These accounts are also paired with two-factor or multi-factor authentication (MFA) to provide an additional layer of security.
  • User Account Revocation and Audit: User accounts are generally revoked (disabled, but not deleted) immediately upon personnel separation. In addition, accounts are routinely audited at least quarterly, with inactive user accounts typically being revoked to further minimize security risks.
  • Access Reviews: We conduct regular reviews of user access rights to ensure permissions remain appropriate and are removed when no longer needed.

5. Infrastructure & Network Security

Our platform is built on a secure cloud infrastructure, leveraging the robust security capabilities of our cloud service providers.

  • Network Architecture: Our network is designed with multiple layers of security to ensure robust protection. We use Virtual Private Clouds (VPCs) to create isolated network environments, thereby separating our network into distinct segments for production, staging, and development environments.
  • Perimeter Security: We utilize enterprise-grade firewalls and Web Application Firewalls (WAFs) to safeguard our platform against malicious traffic and common web-based attacks. These systems are configured with deny-by-default rules, meaning only explicitly authorized traffic is allowed.
  • Intrusion Detection and Prevention: We utilize intrusion detection and prevention systems to monitor network and host activity for potential threats. These systems use a combination of signature-based detection and behavioral analysis to identify and alert on suspicious activity.

6. Application Security

We believe that secure applications are built, not bolted on. Security is integrated into every phase of our Software Development Lifecycle (SDLC).

  • Secure Coding Practices: Our developers are trained on secure coding standards, informed by resources such as the Open Web Application Security Project (OWASP). We conduct security-focused code reviews to identify potential vulnerabilities.
  • Security Testing: We employ a suite of automated security testing tools, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA), to scan our code and third-party libraries for vulnerabilities.
  • API Security: Our Application Programming Interfaces (APIs) are designed with security in mind. We utilize modern authentication and authorization standards, such as OAuth 2.0, and implement controls like rate limiting to protect against abuse.
  • Vulnerability Management: We maintain a comprehensive program to identify, assess, and remediate security vulnerabilities in a timely manner. We conduct formal vulnerability testing and penetration testing at least once every twelve (12) months, in addition to ongoing monitoring and ad hoc assessments as needed. Remediation is prioritized based on risk, and our security team works closely with development teams to ensure patches and fixes are deployed efficiently and effectively.

7. Endpoint & Device Security

We implement multiple layers of protection on the devices our employees use to build and support the Fireberry platform.

  • Device Management: All corporate-issued endpoints (laptops) are centrally managed. This allows us to enforce security configurations, such as full-disk encryption, and deploy security software consistently.
  • Endpoint Protection: Our endpoints are equipped with advanced threat protection software, including next-generation antivirus (NGAV) and Endpoint Detection and Response (EDR) solutions. These tools help us prevent, detect, and respond to malware and other threats.
  • Secure Remote Access: Access to our corporate network from outside our offices requires a secure connection and is subject to the same strong authentication requirements as in-office access.

8. Encryption & Cryptography

Encryption is a critical control for protecting data confidentiality and integrity. We utilize industry-standard encryption to safeguard your data, both during transmission and storage.

  • Data in Transit: Data transmitted between your device and our platform is encrypted using Transport Layer Security (TLS) version 1.2 or higher, which is the standard for secure web communication.
  • Data at Rest: We utilize cryptographic algorithms, such as AES-256, to encrypt customer data stored within our platform, including databases and file storage.
  • Key Management: Encryption keys are fundamental to the security of our encryption controls. We use a hardened Key Management Service (KMS) for the secure generation, storage, and rotation of cryptographic keys.

9. Monitoring, Logging & Audit

Continuous monitoring and logging are essential for detecting and responding to security threats.

  • Security Information and Event Management (SIEM): We use a centralized SIEM solution to aggregate, correlate, and analyze logs from across our environment. This enables our security team to detect potential security incidents and investigate alerts in near real-time.
  • Audit Logging: Our platform generates detailed audit logs for security-relevant events, including user login attempts, permission changes, and data access. These logs are protected against tampering. In accordance with regulatory requirements for high-sensitivity databases, security event logs are retained for a minimum of 24 months to support security investigations and fulfill compliance obligations.
  • 24/7 Monitoring: Our security operations are designed for continuous monitoring of our environment to detect and respond to security alerts.

10. Artificial Intelligence & Machine Learning

We incorporate various AI features, functionalities, and applications ("Fireberry AI") into our services, which may be made available through the Fireberry platform and mobile application. As we continue to evolve, we may also release beta or alpha versions of new AI product offerings.

  • Security and Compliance: We implement appropriate technical and organizational measures to protect and secure personal data used in our AI applications. This approach involves collaboration between dedicated product, engineering, and legal teams to maintain alignment with regulatory and industry standards, as well as a broad commitment to preventing unauthorized access to customer data.
  • Data Privacy and Usage: Customer data remains secure and private when using Fireberry AI. Data is not shared between different Fireberry customer accounts, and AI-generated outputs are specific to each customer. Any use of customer data for secondary or analytical purposes, such as for training or improving our AI models, requires explicit, opt-in consent from our customers. You control your data.
  • Content Moderation: Fireberry AI may be moderated for content that is harmful, such as hate speech, harassment, and violence. We work to identify and mitigate such content to foster a safe and positive environment for our users.
  • Third-Party Models and Customer Control: To provide powerful capabilities, some Fireberry AI functionalities may utilize technology from trusted third-party vendors, such as OpenAI. While customer data may be shared with such third parties to enable certain functionalities, our agreements with them prohibit the use of this data for training or improving their models. Customers have options to control their use of certain AI products. For more information on AI choices, rights, and responsibilities, please visit our AI Additional Terms and Conditions.

11. Incident Response & Management

While we strive to prevent security incidents, we are also prepared to respond effectively if one were to occur. We have a documented Incident Response Plan that outlines the roles, responsibilities, and procedures for managing security incidents.

  • Incident Response Team: We have a dedicated incident response team trained to handle security incidents. The team includes members from our security, legal, communications, and engineering departments.
  • Response Process: Our incident response process follows a standard lifecycle: Preparation, Detection & Analysis, Containment, Eradication, Recovery, and Post-Incident Activity. This structured approach helps ensure a consistent and effective response.
  • Communication: In the event of a security incident that affects customer data, we will provide notifications and information in accordance with our legal and contractual obligations, as detailed in our Terms of Service and Data Processing Addendum.

12. Business Continuity & Disaster Recovery

We are committed to making the Fireberry platform a reliable and available service for your business. We have a Business Continuity and Disaster Recovery (BCDR) program designed to ensure the resilience of our services.

  • High Availability: Our platform is designed for high availability. We deploy our infrastructure across separate availability zones, which helps protect our service from single-location failures.
  • Backup and Recovery: We perform regular backups of customer data. Such backups are encrypted and stored securely. We periodically test our backup and recovery procedures to ensure that we can restore data effectively when needed.
  • Disaster Recovery Plan: We maintain a Disaster Recovery (DR) plan that details the procedures for recovering our services in the event of a major disruption. We periodically test this plan through exercises and simulations to validate its effectiveness and readiness.

13. Third-Party Risk Management

We recognize that the security of our service depends in part on the security of our vendors and subprocessors. We maintain a risk-based vendor management program to assess the security posture of our third-party partners.

  • Due Diligence: We conduct security and privacy due diligence on our vendors before engaging their services, with more rigorous reviews for vendors that will handle sensitive data or provide critical services.
  • Contractual Protections: Our contracts with vendors include security and data protection clauses that require them to adhere to our security standards.
  • Subprocessor Transparency: For a list of subprocessors who may process customer data, please see our Sub-Processors List.

14. Security Awareness & Training

The human element is a vital part of any security program. We invest in comprehensive security awareness training to empower our employees to be our first line of defense.

  • New Hire Training: All new employees are required to complete security and privacy awareness training as part of their onboarding process.
  • Ongoing Training: We provide annual security refresher training to all personnel to ensure their knowledge remains current.
  • Role-Specific Training: We offer specialized security training for roles that carry elevated responsibilities, such as our engineering and IT teams.
  • Phishing Simulations: We conduct regular simulated phishing exercises to train employees to recognize and report phishing attempts.

15. Compliance & Risk Management

Our security program is designed to meet our legal, regulatory, and contractual commitments.

  • Risk Management Framework: We have implemented a formal risk management framework to identify, assess, prioritize, and treat security risks. This process is continuous and integrated into our security governance.
  • Regulatory Compliance: Our security and privacy controls are designed to support our compliance with various regulations, including the GDPR, the CCPA, and Israeli privacy laws and regulations. For specific details regarding our legal and regulatory compliance, please refer to our Privacy Policy and Data Processing Addendum.
  • Independent Audits: We may engage independent third-party auditors to assess our security controls and procedures. Access to, and information about, available compliance reports is subject to the terms and conditions outlined in our Data Processing Addendum.

16. CRM-Specific Security Controls

Security is a shared responsibility. You can enhance the security of your account by using the controls we've built into the Fireberry platform.

  • User Management & Permissions: We offer granular user roles and permissions, enabling you to control which users can access and modify various types of data within your CRM.
  • Secure Login Options: We encourage the use of strong passwords and offer Two-Factor Authentication (2FA) to add an extra layer of security to your account.
  • Data Export Controls: The platform features include tools to help you manage and monitor data exports from your CRM instance.
  • Integration Security: We provide secure methods for integrating third-party applications with your Fireberry account and offer guidance on best practices for managing these integrations.

17. Cloud Security Architecture

Our security architecture is built on the secure and scalable foundation of Amazon Web Services (AWS), our public cloud provider.

  • Shared Responsibility Model: We operate in accordance with the AWS Shared Responsibility Model. This means that while AWS is responsible for the security of the cloud (e.g., the physical data centers), Fireberry is responsible for security in the cloud (e.g., securely configuring our applications, networks, and access controls).
    For more information on the physical, environmental, and logical security controls managed by AWS, we encourage customers to review the resources outlined in the AWS Security White Paper.
  • Infrastructure as Code (IaC): We leverage Infrastructure as Code practices to automate the provisioning and configuration of our cloud environment. This helps us maintain consistent, secure configurations and track changes over time.
  • Tenant Isolation: In our multi-tenant architecture, we employ a combination of logical and network controls designed to securely isolate one customer's data from another.

18. Change Management & DevSecOps

We follow a structured change management process to ensure that all changes to our production environment are reviewed, tested, and approved before deployment.

  • DevSecOps: We practice DevSecOps, which means we integrate security activities and automated testing directly into our CI/CD (Continuous Integration/Continuous Deployment) pipelines. This allows us to identify and fix security issues early in the development process.
  • Change Authorization: Changes are categorized based on risk, and those with higher risk require additional review and approval before deployment.
  • Testing and Validation: All changes are tested in non-production environments before being promoted to production. We also conduct post-deployment monitoring to verify the success and stability of each change.

19. Physical & Environmental Security

As we utilize leading public cloud providers for our production infrastructure, we rely on their extensive physical and environmental security controls. These providers' data centers are highly secure facilities with controls such as:

  • 24/7 on-site security personnel
  • CCTV surveillance
  • Biometric access controls
  • Redundant power and climate control systems

For our own corporate offices, we implement appropriate physical security measures, including badge access systems and visitor management policies, to protect our assets and information.

20. Policy & Governance

Our security program is guided by a comprehensive set of internal information security policies and procedures.

  • Policy Framework: Our policies encompass a broad range of topics, including acceptable use, data handling, incident response, and access control.
  • Regular Review: These policies are reviewed and approved by management on a regular basis, or when significant changes occur in our risk landscape or regulatory environment.
  • Communication: We make our policies available to all personnel and incorporate them into our security awareness and training programs.

21. Responsible Disclosure & Contact

We value the work of the independent security research community. If you believe you have discovered a security vulnerability in a Fireberry product or service, please help us by responsibly disclosing it.

  • Security Inquiries & Reporting: Please contact us at support@fireberry.com.
  • Privacy Inquiries: For questions related to privacy, please contact legal@fireberry.com.