Header Portal

Security Center

How Bombyx protects your data and maintains the integrity of the platform.
Last Updated: June 29, 2026

Our Security Commitment

At Bombyx, security is not an afterthought — it is foundational to everything we build. We handle sensitive logistics data, operational workflows, and business-critical information on behalf of our customers, and we take that responsibility seriously. This Security Center outlines the technical and organizational measures we implement to protect the confidentiality, integrity, and availability of your data.

Encryption

Data encrypted in transit and at rest using industry-standard protocols.

Access Control

Role-based access controls and multi-factor authentication enforced across the platform.

Monitoring

Continuous security monitoring and anomaly detection, 24/7.

Incident Response

Defined procedures for rapid identification, containment, and recovery.

Infrastructure Security

The Bombyx platform is hosted on enterprise-grade cloud infrastructure with multiple layers of physical and logical security controls:

  • Data centers with SOC 2 Type II and ISO 27001 certified cloud providers;
  • Geographic redundancy and automatic failover to ensure high availability;
  • Network segmentation with firewalls, intrusion detection systems (IDS), and web application firewalls (WAF);
  • Regular infrastructure vulnerability scanning and penetration testing;
  • Automated patch management for system software and dependencies.

Data Encryption

We apply strong encryption to protect your data at every stage:

  • In transit: All data transmitted between your browser or application and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints.
  • At rest: All stored data is encrypted using AES-256 encryption. Database backups are also encrypted.
  • Payment data: Card details are never transmitted to or stored on Bombyx servers. All payment processing is handled by Stripe, which holds PCI DSS Level 1 certification — the highest standard in the payment card industry.

Access Controls and Authentication

We enforce strict access controls to minimize the risk of unauthorized access:

  • Role-Based Access Control (RBAC): Users are granted the minimum level of access necessary for their role (principle of least privilege);
  • Multi-Factor Authentication (MFA): MFA is available and encouraged for all user accounts;
  • Session management: Automatic session timeouts and secure session token management;
  • Internal access: Bombyx employees access production systems only through a secure VPN with MFA. All internal access is logged and audited.

Security Monitoring and Detection

Bombyx maintains continuous monitoring of our infrastructure and platform:

  • Real-time log aggregation and analysis using security information and event management (SIEM) tools;
  • Automated alerting for suspicious activity, including login anomalies, unusual data access, and configuration changes;
  • Regular review of access logs and audit trails;
  • Third-party security scans and periodic penetration testing.

Incident Response

Bombyx maintains a formal Incident Response Plan (IRP) to handle security events efficiently:

  • Detection: Automated and manual detection of potential security incidents;
  • Containment: Immediate isolation of affected systems to prevent spread;
  • Investigation: Root cause analysis and forensic review;
  • Recovery: System restoration from secure backups with integrity verification;
  • Notification: In the event of a personal data breach, we will notify affected users and relevant regulatory authorities as required by applicable law (within 72 hours under GDPR).

Employee Security

Our team is a critical component of our security posture:

  • All employees undergo background checks prior to employment;
  • Security awareness training is conducted at onboarding and annually thereafter;
  • Employees with access to sensitive data are subject to confidentiality agreements;
  • Access to customer data is restricted on a strict need-to-know basis and is logged.

Vendor and Third-Party Security

We take a risk-based approach to third-party security:

  • All sub-processors and critical vendors are assessed for security posture prior to engagement;
  • Data Processing Agreements (DPAs) are executed with all vendors that process personal data;
  • Vendor access to Bombyx systems is controlled, monitored, and time-limited.

Business Continuity and Disaster Recovery

We maintain comprehensive plans to ensure service continuity:

  • Automated backups performed daily with encrypted storage and off-site replication;
  • Recovery Point Objective (RPO): maximum 24 hours of data loss in a catastrophic event;
  • Recovery Time Objective (RTO): target restoration within 4 hours;
  • Disaster recovery procedures are tested periodically.

Responsible Disclosure Policy

Bombyx welcomes reports from security researchers and the broader community. If you discover a potential vulnerability in our platform, please report it responsibly:

  • Do not exploit or attempt to exploit vulnerabilities you discover;
  • Do not access, modify, or delete user data;
  • Report findings to support@bom-byx.com with a detailed description;
  • Allow us a reasonable time to investigate and remediate before public disclosure.

We acknowledge all reports within 48 hours and will keep you informed of our progress. We do not pursue legal action against good-faith security researchers.