Blip is a conversation automation platform that facilitates communication between companies and customers through Intelligent Contact.
Committed to data and information security, it is ISO 27001:2022 certified and complies with privacy laws, such as the General Data Protection Regulation (GDPR) in Europe and the General Personal Data Protection Law (LGPD) in Brazil, reflecting its responsibility to promote trust among its customers and partners, ensuring data protection and trust in digital interactions.
Comprehensive practices and policies to protect data and assets, ensuring compliance and privacy in a dynamic digital environment.
Onboarding Process
During the onboarding process for new employees, awareness of information security, privacy, and data protection is essential to ensure that everyone understands the responsibilities and best practices necessary to protect the organization’s information. At this time, the guidelines of the Information Security Policy (ISP), privacy, and data protection are presented.
All new employees must acknowledge and sign a commitment statement related to information security and privacy, formalizing individual responsibility.
After onboarding, awareness is maintained through internal campaigns and recurring training, such as learning paths and periodic tests, ensuring that information security is part of the organizational culture and that new employees begin their journey with knowledge, responsibility, and awareness of the importance of data protection.
Communication
The Information Security team uses Blip’s internal communication channels to keep all employees informed about security-related issues, seeking to raise awareness and keep them up to date on the Information Security Policy (ISP), privacy, and data protection.
Information Security, Privacy, and Data Protection Committee
There is an executive committee for Information Security, Privacy, and Data Protection with members from various sectors and responsibilities at Blip, representing Senior Management and demonstrating commitment and engagement with the Information Security Management System for the entire strategic business and value chain of the company.
Phishing Training
We conduct phishing simulations throughout the year to raise employee awareness of cyber threats, train employees to improve their ability to identify and respond to phishing attempts, and strengthen the overall security of the organization, minimizing the risk of actual data breaches.
Role-Based Training
Role-based training in information security, privacy, and data protection is an approach that tailors security content to the specific responsibilities of each employee within the organization. Rather than generic training, this methodology ensures that each team receives guidance relevant to their role, increasing effectiveness in risk prevention and incident response.
For example, employees working in development are provided with a “Secure Development Path”, while employees in general are trained to identify threats such as phishing and social engineering and participate in internal workshops, events with external speakers that address relevant topics in information security, privacy, and data protection. This strategy improves the company’s security culture, reducing vulnerabilities and strengthening the protection of corporate data.
Teams receive periodic training from the Information Security team on topics related to security and privacy in line with the execution of their activities and functions.
Security Awareness Training
All Blip personnel are required to complete security and privacy awareness training upon starting employment and annually thereafter.
The security team provides additional security and privacy awareness updates via email, posts on the internal communication channel, and presentations during internal events.
Secure Development Training
Blip developers must complete secure development training, focusing on topics such as the OWASP Top 10. This is an awareness and training initiative for areas involved in software development to ensure that information security requirements and measures are appropriate and implemented in accordance with the Secure Software Development Lifecycle (SSDLC).
At Blip, the Information Security and Privacy Risk Management process is essential to ensure data protection and compliance with key industry standards and regulations, such as ISO 27001, LGPD, and GDPR.
We work proactively to identify, assess, and mitigate risks, implementing controls and continuously monitoring the environment to ensure that data confidentiality, integrity, and availability are not compromised.
Our commitment is to ensure that Blip operates securely and compliantly, promoting customer trust and resilience in the face of the challenges of the digital landscape.
Secure by Design
During the SDLC (Software Development Life Cycle) phases, the Information Security team participates as consultants, seeking to adapt the SDLC to security frameworks and standards, such as OWASP. Security standards (or specific policies by topic) for secure development govern how secure development should be conducted. Broadly speaking, the SD3+C concept (Secure by Design, Secure by Default, Secure by Deployment and Communication) is adopted.
Privacy by Design
During the development phase of products, systems, or services, Blip’s Data Privacy team assesses the risks that activities may pose to data subjects and defines measures to ensure compliance with data protection principles and the rights of data subjects. When the processing of personal data poses high risks to privacy, Blip conducts a Data Protection Impact Assessment (DPIA) to identify and mitigate potential impacts. In addition, teams have the autonomy to request privacy assessments whenever necessary.
Data Processing Agreement
To ensure that data processing is carried out securely and in compliance with current regulations, such as the General Data Protection Law (LGPD) and the General Data Protection Regulation (GDPR), Blip has developed a standard Data Processing Agreement (DPA) for each location where we operate.
This DPA clearly establishes the conditions and obligations related to the processing of personal data, both by Blip and its customers, ensuring that all processes are aligned with legal requirements and industry best practices. It is an essential document that is part of all contracts signed by Blip, reaffirming our commitment to transparency and security in the handling of our customers’ and users’ information.
IMPORTANT NOTICE: The DPA may be amended according to the date and place where the contract was signed.
Blip has developed a comprehensive set of internal security and privacy policies and standards covering a range of topics. These policies are shared and made available to all employees and contractors with access to Blip’s information assets.
Blip may provide these policies to customers, interested parties, and competent authorities, when applicable and after signing an NDA between the parties.
Data Protection Officer
Blip has appointed Paulo Kimura as Data Protection Officer (DPO), responsible for ensuring compliance with privacy and data protection regulations, such as the LGPD and GDPR. The Officer is available to answer questions, handle requests from data subjects, and ensure that privacy rights are respected.
You can contact the Data Protection Officer at [email protected].
Requesting Data Subject Rights
Blip provides a form to facilitate the exercise of data subjects’ rights under applicable laws, such as the LGPD and GDPR.
The use of this form is optional, but it is an efficient and secure way to process your request. If the personal data provided has been collected by another company, which acts as the data controller, its deletion by Blip will depend on prior notification to the controlling company.
IMPORTANT NOTICE: For your security, whenever you submit a request to exercise your rights, Blip may request additional information and/or documents to verify your identity in order to prevent fraud. We do this to ensure the security and privacy of everyone.
In some cases, Blip may have legitimate reasons for not complying with a request to exercise rights. These situations include, for example, cases where disclosure of specific information could violate Blip’s or third parties’ intellectual property rights or trade secrets, as well as cases where requests for rights cannot be complied with (i) because they would be outside Blip’s remit or (ii) due to Blip’s obligation to retain data, either to comply with legal or regulatory obligations or to enable Blip or third parties to defend themselves in disputes of any kind.
Request your Privacy Rights here
To exercise your Privacy Rights, such as access, correction, deletion, or portability of your personal data, you can submit your request directly through our Data Privacy Portal. Simply access the Service Form and follow the instructions to formalize your request.
Subprocessors
To support the delivery of the Services, Blip may engage third-party service providers, called subprocessors. We enter into all necessary documents with our partners, ensuring that each subprocessor meets the highest standards of security and compliance. We conduct a detailed prior review of suppliers, evaluating their data protection practices and policies before entering into any partnership.
Cookie Policy
Blip uses cookies for technical purposes, as well as to improve your experience when browsing our website. These cookies help us personalize and optimize content, as well as ensure the proper functioning of the Blip platform’s features.
For more information about the types of cookies we use, how they are applied, and how you can manage your preferences regarding them, please see our Cookie Policy. There you will find details about your rights and options for controlling the use of cookies on our platform.
Data Breach Notification
Blip maintains policies and procedures for managing security incidents in accordance with applicable Data Protection Laws, ensuring an efficient and transparent response to any situation that may threaten the security of information.
In the event of a security incident, we conduct a careful analysis to determine Blip’s role, whether as data controller or data processor. Based on this assessment, we strictly follow the relevant legal requirements, ensuring that all actions taken are in accordance with current legislation.
Frequently asked questions about Data Privacy – Blip and the GDPR
The purpose of this guide is to answer frequently asked questions about Blip’s privacy compliance program with the General Data Protection Regulation (GDPR).
Supplier Security
Blip minimizes the risks associated with suppliers by conducting analyses during the hiring process and annually reevaluating suppliers considered critical (those who access our systems or data).
Our Security, Privacy, and Legal teams assess the appropriate safeguards in relation to the service being provided and the types of data being exchanged.
Ongoing compliance with expected protections is monitored through the risk management process.
Check out the full Information Security Policy, available to Blip Group suppliers.
Business Continuity Management
Blip has a Business Continuity Plan (BCP) to ensure the resilience of its services. The procedures are structured to ensure the rapid recovery of critical services and processes, allowing essential activities to continue and services to remain available even in crisis situations or unscheduled outages.
Information Security Incident Management
Blip has standards and procedures for incident management and response, which include guidelines and procedures to be adopted in the event of Information and Cyber Security incidents.
These guidelines must be known to employees, suppliers, and third parties involved so that they can report incidents for timely handling.
Access Monitoring
Blip keeps records of access and changes to all critical assets in the environment for auditing and continuous monitoring purposes. These records include information about who accessed the data, what changes were made, and when they occurred, allowing for traceability of the operations performed.
In addition, Blip uses monitoring mechanisms to quickly identify and respond to any suspicious activity, ensuring data security and integrity.
Data Deletion
Blip retains personal data for the period necessary to provide the contracted services and guarantee the rights of our customers. Upon request for deletion or termination of the contract, customer data will be removed from active databases within 30 days.
However, some data, such as logs and related metadata, may be retained for additional periods to meet security, legal compliance, or statutory obligations, ensuring that Blip complies with applicable legal and regulatory requirements. Such data is treated with appropriate security measures and only for periods necessary to fulfill the specific purposes.
If you are a Blip customer and need to request the deletion of data, you can do so through our Customer Service Channel. We guarantee that your request will be fulfilled within the established deadlines.
Data Backup
Backups of database systems and critical infrastructure are performed and audited, including the technical and organizational means for proper restoration and recovery of data.
Encryption in Transit
Data in transit on the Blip Platform is protected by encryption, using TLS 1.2 (without weak ciphers) and TLS 1.3 protocols by default for all data communication. This encryption applies to all interactions, including data communication with database systems, ensuring that information is protected against interception or alteration during transmission.
Encryption at Rest
Data at rest, i.e., data stored in the various structures of Blip’s database systems, is protected by encryption using at least the AES-128 algorithm. This encryption ensures the confidentiality and security of stored information, even in the event of unauthorized access to the systems.
In addition, encryption key management is monitored and audited by independent external auditors to ensure that security practices are compliant. This process also ensures that keys are managed securely, preventing risks and ensuring the integrity of stored data.
Data Location
All data that travels on the Blip Platform is stored in the cloud, in Microsoft data centers. Personal data is stored in accordance with local regulations, such as the LGPD and GDPR.
Azure compliance documentation can be found on the Azure Compliance Documentation Portal.
Disk Encryption
As required by internal security policy, disk encryption is implemented on all devices owned by Blip. This security measure is mandatory for all company assets, ensuring the protection of information in the event of loss, theft, or unauthorized access to devices.
Mobile Device Management
All Blip mobile devices adopt security controls to reduce associated risks. Mobile device management (MDM) technologies are adopted in conjunction with other appropriate security controls to ensure proper protection of assets.
Security against Malicious Code
All computers provided to Blip employees have advanced Antimalware (NGAV) and EDR solutions. In addition, DLP, WebFilter, HIDPS, Firewall, and other technologies are adopted. Similar security controls apply to assets in the Cloud environment.
Installation and Use of Unauthorized Software
Blip employees are not permitted to use software without prior authorization from the competent parties. For the Cloud environment, only authorized software that is essential for the operation of services is used.
Data Loss Prevention
Blip adopts data loss prevention (DLP) technology implemented in its environment and adopts strict related policies to prevent data leakage or unauthorized access.
Information and Event Security Management
Blip stores security logs in the SIEM (Security Information and Event Management) solution, where they are monitored and analyzed by the responsible team. This process is an integral part of the incident response strategy, enabling the detection, analysis, and mitigation of potential threats.
Firewall and WAF
The networks of Blip’s cloud environment are protected by firewalls and WAF (Web Application Firewall) service at their edges, which monitor and control traffic, blocking suspicious access and activities due to the risk they pose to the Blip Platform.
IP reputation
IP reputation analysis is performed on each request received by the Blip Platform. If an IP is identified with a negative reputation, the associated request may be automatically blocked, preventing security risks and ensuring the integrity of the Blip Platform.
Network Segregation
The production, approval, and testing networks are segregated and do not communicate with each other.
Integrations
Blip offers many integration possibilities that allow you to connect your communication solution to various platforms and services, enhancing your interactions with users. These integrations facilitate process automation, improving the customer experience and optimizing business operations.
Among the available integrations, you can find options to connect to social networks, CRM systems, marketing tools, and much more. This allows you to centralize communication and leverage data from different sources to provide more personalized and efficient service.
To explore all the possibilities and better understand how to implement these integrations, you can consult the complete documentation available at https://docs.blip.ai/#integrations. This documentation provides details about each integration, configuration guidelines, and practical examples, making it easy to use these features in your communication strategy.
Access Control
On the Blip Platform and Blip Desk, access controls are managed to ensure that each user has access only to the features necessary for their activities.
Access control in Blip Desk is carried out through permissions, which allow managers to define which agents can use certain features. This permission management is essential to ensure that each team member has access only to the features necessary for their specific roles.
Here are the main aspects of the process:
– User Registration: New users can be registered on the Blip Portal, allowing them to join the team and have their permissions configured.
– Access Release: You can release access to view contracts and the bot, ensuring that each user has the appropriate permissions for their responsibilities.
– Adding Agents to the Contract: Agents can be added to the contract, allowing them to participate in human service on Blip Desk.
– Individual or Group Permissions: The manager can configure access individually for each agent or in groups for two or more agents through the Portal.
– Permission Rules: It is crucial to observe the specific permission rules for each feature, because when you enable a new feature, the agents initially registered will remain without access until permission is configured.
– Features with Active Permissions: Some features require permissions to be enabled from the outset to ensure that agents can use them correctly.
These access controls are essential to ensure security and efficiency in the use of the platforms, allowing managers to configure permissions according to the needs of each team member.
SSO support
On the Blip platform, you can set up SSO (Single Sign-On) for user authentication. This integration allows access control to be performed per user through the platform. Integration via ADFS (Active Directory Federation Services) is also possible. Thus, we offer security and flexibility in user authentication and access management.
File Exchange on BLIP
To help our customers ensure the security of files exchanged with their users, media traveling through Blip is subjected to antimalware analysis (before, during, and after storage). Some types of potentially malicious files, such as executables and libraries, are also blocked. Files are first scanned by the malware verification services in the WAF (Web Application Firewall) and then by the internal antimalware solution. They are scanned again in real time during data traffic, before being stored in data systems, and once more when stored, culminating in up to four malware assessments.
Cloud Computing Service Provider
The Blip platform is hosted on Microsoft Azure. Azure compliance documentation can be found on the Azure Compliance Documentation Portal.
Authentication
Blip adopts authentication procedures requiring at least two authentication factors (2FA) for all access to the cloud environment. In addition, we implement conditional access to ensure that only authorized users can access certain resources, based on specific security policies.
To further strengthen protection, geolocation policies are applied that restrict access from unauthorized locations, ensuring greater control over the origin of connections. We also use a secure password vault for proper credential management and VPN technologies to ensure that communications are protected and carried out over secure channels.
Access Control
Blip’s production environment is restricted and protected, with access limited exclusively to authorized personnel. Access control is based on the principles of least privilege and need to know, ensuring that only employees with the appropriate permissions can access critical assets.
In addition, audit data, such as access logs, are kept secure and restricted to authorized parties, ensuring that sensitive data and critical resources are protected from unauthorized access.
Secret Management
Blip adopts secret management practices to protect sensitive application information, such as API keys and database passwords. This information is stored in secure password vaults with restricted and controlled access, ensuring that only authorized users can access it.
In addition, all activities and access to password vaults are logged in detail, enabling full auditing and traceability, ensuring that credentials and other secrets are managed securely and in accordance with information security best practices.
Role-Based Access Control
We use an Identity and Access Management (IDM) system to manage the entire lifecycle of digital identities. Through our identity provider, we implement role segregation by adopting the Role-Based Access Control (RBAC) model. This ensures that the provisioning, deprovisioning, lateral and vertical movement of employees’ digital identities are automatically adjusted to reflect the principle of least privilege, ensuring efficient and secure management of access permissions.
Action and Activity Logs in the Cloud Environment
Records are kept of actions and activities such as configuration changes, creation, and deletion of assets in the production environment to enable audits and investigations whenever necessary.
Monitoring
Blip implements continuous monitoring of actions in the environment through dashboards that provide visibility into the environment’s compliance with security guidelines and help quickly identify any deviations or potential risks.
In addition, security policies are enforced whenever possible, ensuring that protective measures are automatically implemented and followed across all layers of the environment.
Security Certifications
The cloud computing service provider environments used by Blip meet the most stringent security requirements, complying with key international standards and regulations. These environments are regularly audited by independent external entities and have globally recognized security certifications, such as ISO 27001, ISO 27701, SOC 2, etc., ensuring data protection and system integrity.
Static Code Analysis
The SDLC (Software Development Life Cycle) pipeline is subjected to rigorous assessments using a SAST (Static Application Security Testing) solution, which performs static analysis of the product’s source code and configuration files. This process allows potential vulnerabilities to be identified and corrected before the code is implemented in production, ensuring that applications meet security standards.
Blip adopts this practice as part of its proactive approach to detecting and mitigating security risks, ensuring that Blip Platform software is developed securely from the early stages through to final implementation. In addition, identified vulnerabilities are addressed quickly and efficiently, reinforcing protection against potential threats.
Software Composition Analysis
Blip performs a detailed software composition analysis of the Blip platform to identify and mitigate vulnerabilities in software components, frameworks, and libraries used in the development of its solutions. This process involves checking all third-party dependencies and libraries, ensuring that any known vulnerabilities are quickly identified and corrected.
This practice is part of our security approach, which ensures that all elements that make up our solutions comply with security standards and are protected against potential risks. In addition, we maintain a continuous monitoring and updating process to ensure the integrity and security of all software components throughout their lifecycle.
Source Code Change Review and Approval
When development teams finish coding, whether for new implementations or software bug fixes, their work is rigorously evaluated and approved by competent parties.
Source Code Security
Blip’s source code is stored in a private Source Code Management (SCM) repository with controlled and audited access. This repository is protected by security policies, ensuring that only authorized users can access, modify, or view the source code. In addition, all access and modification activities are monitored and logged to ensure code traceability and integrity.
Blip adopts these practices to protect the source code from unauthorized access and to ensure that all changes are made securely and in accordance with established policies and standards.
Source Code Review
The source code is reviewed by competent parties with compatible seniority to ensure the robustness of the source code. Security code review is also included, adopting the principles of OWASP (Open Web Application Security Project).
Source Code Quality
In addition to code security aspects, code quality is also assessed by competent teams and supported by widely known software that is used by large companies.
Environment Segregation
Blip segregates development, approval, and production environments, ensuring that each environment has its own access permissions and specific controls. The production environment follows the principle of least privilege, ensuring that users and systems have access only to the resources necessary to perform their functions.
In addition, Blip implements role-based access control (RBAC), ensuring that permissions are assigned according to each user’s responsibilities, minimizing the risk of unauthorized access or misuse of sensitive data.
This segregation and access control procedure contributes to data security and integrity, as well as ensuring that operations in each environment are carried out safely and in accordance with the policies and standards established by the Organization.
Intrusion Testing (Pentest)
Blip periodically hires a third-party company to independently perform Penetration Testing (Pentest) on the Blip product. Blip provides customers, interested parties, and competent authorities, when applicable and after signing an NDA (Non-Disclosure Agreement), with a Letter of Evidence confirming that vulnerability analyses and Intrusion Tests (Pentests) have been performed. The full Intrusion Test (Pentest) is not made available as it is classified as confidential information.
Yes. Blip has a formal Privacy and Data Protection Program, which includes the structuring of a Privacy Team, the establishment of policies, processes, and technological controls, among other requirements for compliance with Privacy Laws.
Blip has a Data Protection Officer who ensures compliance with privacy laws in the way the Organization handles your data and that your rights as a data subject are fulfilled. You can contact the Data Protection Officer by email at [email protected].
Blip adopts best practices to protect the privacy and confidentiality of your information, maintaining security measures in accordance with applicable legal standards for the protection of information against unauthorized access, use, alteration, and destruction.
To learn more about how Information Security is one of Blip’s pillars, access the “Security” menu in Overview and other documents here on Blip’s Privacy and Security Portal.
Access our “Frequently Asked Questions about Data Privacy” guides for further clarification on the subject.
Curupira S/A – CNPJ 04.413.729/0001-40 – Takenet LLC – EIN 20-1131763 – Blipchat – RFC BLI2303017Q3