Official Policies and Security Information for Bloom Growth

September 12, 2023

Note: Usage of "we" and "our" indicates Bloom Growth / Winter International. Usage of "you" and "yours" indicates current, former and potential users of our services and visitors to our websites.

Our Security

General Information

Our website is hosted on Amazon Web Services (AWS). As an AWS hosted website, we enjoy all security best practices implemented by Amazon (the same ones uses). We use Elastic Beanstalk (a product of AWS) and other AWS systems to scale up with demand and provide website redundancy through multiple servers hosting our website. This means if one server goes down, others take its place automatically. It also means if we experience unusually high traffic, more servers come online to handle the workload. Currently, our servers are located in various availability zones throughout the United States in secure AWS facilities.

Your data is protected from the outside world. Our database is only accessible over Amazon's private network, and, even then, only visible to other servers in our environment. This information is inaccessible to the outside world except through our website and only when signed in as an authorized user. All data-in-motion (anything that you would see visiting) is encrypted with SSL and cannot be read if intercepted in transit.

Are your servers dedicated or are they shared?

Our web service is hosted on virtual servers which are logically isolated from other AWS virtual servers. Web Services may share hardware but have separate operating and memory space.

What is the physical security of Amazon’s server farm?

From AWS Security Whitepaper (August 2016)

AWS’s data centers are state of the art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Is there any geographical redundancy or are all servers physically located close to each other?

Our website is made up of several microservices, some of them with their own separate database. Currently, all servers are located in the same availability zone as their respective database. This significantly reduces latency. The database is replicated in multiple availability zones. In the event of a database failure, database access fails over to another availability zone temporarily.

Where specifically are the servers located (City/State)?

Our app website is located in the Oregon availability zone, in two of the following near either Grandview, Antelope or Mitchell. Additional services are located in North Virginia near either Montvale, Buena Vista or Lynchburg. The exact location of the servers is kept secret by Amazon for additional security.

Is there on-demand scaling (“if we experience unusually high traffic…”)? If so, is this automatic as well?

Yes. Additional resources are provisioned automatically through AWS as needed.

What standards and/or specific compliance does AWS have?

From AWS Security Whitepaper (August 2016)

SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, FISMA, DIACAP, and FedRAMP, DOD CSM Levels 1-5, PCI DSS Level 1, ISO 9001 / ISO 27001, ITAR, FIPS 140-2, MTCS Level 3

Is there a self-hosted version?

A self-hosted version of our website is not part of our product development roadmap.

How are backups handled?

Automatic backups are performed daily and are retained for 7 days. Permanent backups are made monthly.

Who can view data in the cloud?

Only the Customer Support and Engineering departments have access and only in assisting you at your request. No third-party organization has access to your data. We maintain audit logs for every request made to the website.

Is two-factor authentication offered?

Not at this time.

What is your uptime?

We understand that having access to your data at all times is of utmost importance. This is one of the reasons we selected Amazon Web Services for our software, given their strong infrastructure and commitment to maintaining maximum uptime.

We are currently offering 99.95% uptime. We are always working to improve this number.