Last Updated: April 11, 2025
At Apprentix, we prioritize the security and privacy of our customers’ data. As a cloud-based Apprenticeship Management System built on Bubble.io and hosted on Amazon Web Services (AWS), we implement comprehensive security measures to protect sensitive information, ensure system integrity, and comply with applicable regulations. This document outlines our security policies, covering data protection, access control, incident response, governance, and more.
1. Introduction
Apprentix is committed to maintaining the confidentiality, integrity, and availability of all customer data, including personally identifiable information (PII), apprentice records, and certifications. Built on Bubble.io and hosted on Amazon Web Services (AWS), we inherit robust security controls from these platforms while implementing additional measures to meet industry standards and regulations such as GDPR and CCPA. These policies apply to all Apprentix employees, contractors, and third-party vendors.
2. Governance and Compliance
2.1 Information Security Program
Apprentix maintains a formal Information Security Program overseen by our Chief Technology Officer (CTO), who serves as the Information Security Officer. The program includes:
Annual risk assessments using the NIST 800-30 methodology to identify and mitigate threats.
Biennial reviews of all security policies to ensure alignment with regulatory and technological changes.
A dedicated security team responsible for monitoring compliance and implementing controls.
2.2 Regulatory Compliance
We comply with relevant regulations, including:
CCPA: For California residents’ data privacy rights.
Other Standards: We align with NIST 800-53, ISO 27001, and SOC 2 frameworks.
We monitor regulatory changes quarterly using AWS Compliance Center and external legal advisors to ensure ongoing compliance.
2.3 Policy Exception Process
Any deviations from these policies require formal approval from the CTO. Exceptions are documented, risk-assessed, and reviewed quarterly to ensure risks are mitigated and accepted by the appropriate risk owner.
3. Data Protection
Apprentix is committed to safeguarding customer data, including personally identifiable information (PII), apprentice records, and certifications. As a platform built on Bubble.io and hosted on Amazon Web Services (AWS), we leverage industry-standard encryption and access controls to ensure data confidentiality, integrity, and availability. This section outlines our data protection practices.
3.1 Data Classification
Apprentix classifies data into four categories to ensure appropriate handling:
Public: Non-sensitive data, such as marketing materials.
Internal: Business data for internal use, like operational reports.
Confidential: Sensitive business or customer data, including apprentice evaluations.
Restricted: Highly sensitive data requiring strict controls, such as PII (e.g., names) and Davis-Bacon certificates.
Confidential and Restricted data receive enhanced protection through encryption and access restrictions, as detailed below.
3.2 Data Encryption
Apprentix inherits robust encryption from Bubble.io and AWS, supplemented by our own configurations:
In Transit:
All data transmitted between users’ browsers and Apprentix servers is encrypted using HTTPS with TLS 1.3, facilitated by Bubble.io’s integration with Cloudflare.
API calls to external systems (e.g., Oracle HCM) are secured using OAuth 2.0 or API keys over TLS, ensuring secure data exchange.
At Rest:
All data in Apprentix’s databases is encrypted using AWS Relational Database Service (RDS) with AES-256 encryption, covering apprentice records, certifications, and evaluations.
User passwords are salted and hashed for additional security, rendering them non-recoverable.
Uploaded files (e.g., certificates, documents) are stored securely in AWS S3 with AES-256 encryption.
For highly sensitive fields, Apprentix applies additional encryption using Bubble.io’s AES256 Encrypt & Decrypt Plugin before storage, ensuring only authorized users can decrypt and view the data via the frontend.
Endpoints:
Company laptops are protected with full disk encryption using BitLocker (Windows) or FileVault (Mac), both leveraging AES-256.
Removable media containing customer data, if used, is encrypted with AES-256 and restricted by policy to prevent unauthorized access.
3.3 Data Retention and Disposal
Retention:
PII and apprenticeship data are retained for 7 years or as required by customer contracts and regulations (e.g., GDPR, CCPA), stored securely in AWS S3 with versioning and encryption.
Backup data is retained in encrypted form to support disaster recovery, with cross-region replication for redundancy.
Disposal:
Data no longer needed is securely deleted following NIST 800-88 guidelines, using cryptographic erasure for digital data.
Physical media, if any, is shredded by certified third-party vendors to prevent recovery.
3.4 Data Loss Prevention (DLP)
Apprentix employs AWS Macie to monitor and prevent unauthorized data exfiltration. Alerts are generated for anomalous activities, such as attempts to export Restricted data (e.g., apprentice PII). DLP policies are reviewed monthly to adapt to new threats, ensuring proactive protection.
3.5 Data Flow Mapping
We maintain a comprehensive inventory of data flows within Apprentix and to external systems, such as:
Internal flows between Apprentix’s frontend, Bubble.io’s backend, and AWS RDS/S3.
File uploads to AWS S3.
Data flows are documented using AWS Data Pipeline tools, ensuring transparency and compliance with cross-border data transfer regulations. For U.S. customers, no international data transfers occur unless explicitly authorized.
4. Access Control and Identity Management
4.1 Role-Based Access Control (RBAC)
Access to Apprentix systems is granted based on the principle of least privilege:
Users (e.g., apprenticeship admins, mentors) have role-specific permissions (view, edit, approve).
Separate profiles are created for each user, with unique credentials tied to their identity.
Access is managed via AWS Identity and Access Management (IAM) and AWS Cognito.
4.2 Multi-Factor Authentication (MFA)
Apprentix provides a configurable MFA setting that Administrators can enable to enhance security:
Admin Access: When enabled, MFA is required for all administrative access to Apprentix. This includes dashboard administration, user management, and system configuration, ensuring privileged actions are protected.
Non-Admin Access: Admins can optionally extend MFA to non-Admin users (e.g., apprentices, managers, mentors).
Default Configuration: MFA is strongly recommended and enabled by default for Admins in new deployments to align with industry best practices, with the option to enforce it for all users based on customer preference.
MFA uses time-based one-time passwords (TOTP) via authenticator apps (e.g., Google Authenticator, Authy) or hardware tokens, implemented by Apprentix beyond Bubble.io’s base authentication capabilities.
For remote access to organizational data (e.g., apprentice records), MFA is enforced when the setting is activated, ensuring compliance with security standards for both Admin and non-Admin users as configured.
4.3 Privileged Account Management (PAM)
Privileged accounts (e.g., system admins) are restricted to authorized personnel.
Access is managed via AWS Secrets Manager, with MFA, session timeouts, and logging via AWS CloudTrail.
Privileged actions are reviewed daily for anomalies.
4.4 Access Approval and Review
Access requests are approved by the system owner (e.g., CTO for backend, team lead for user roles) via a documented workflow.
Access rights are reviewed quarterly using AWS IAM Access Analyzer to ensure appropriateness.
Upon termination or role change, access is revoked within 1 hour via automated HR-integrated workflows.
4.5 Separation of Duties
Critical functions (e.g., development, deployment, auditing) are segregated to prevent conflicts of interest. For example, developers cannot access production data, and auditors cannot modify logs.
5. System Security
5.1 Secure Development
Apprentix is developed within Bubble.io’s no-code platform, which adheres to OWASP Top 10 guidelines through its secure framework. We enhance this with custom workflows and plugins (e.g., AES256 Encrypt & Decrypt) to protect sensitive data.
Security is validated through manual reviews of app logic and workflows by our development team, ensuring robust protection against common vulnerabilities.
Threat modeling (using STRIDE) is conducted during design for all major feature updates to proactively identify and mitigate risks.
5.2 Environment Separation
Development and testing occur in isolated Bubble.io environments, separate from the live production app, with no access to production data.
Production infrastructure is managed by Bubble.io on AWS, with Apprentix data isolated in dedicated RDS/S3 instances. Non-production environments use anonymized synthetic data generated by AWS DataBrew.
5.3 Vulnerability Management
Bubble.io and AWS handle underlying infrastructure vulnerabilities, scanned and mitigated per their policies. Apprentix conducts weekly app-level configuration scans using AWS Inspector and Tenable to identify potential weaknesses.
Critical vulnerabilities are remediated within 48 hours; others within 7 days. We rely on Bubble.io’s secure platform and AWS’s continuous monitoring to maintain a hardened environment, with plans to incorporate third-party penetration testing as our security program evolves.
5.4 Patching
Bubble.io and AWS manage server and platform patching, monitored via AWS Systems Manager Patch Manager. Apprentix ensures app updates (e.g., workflows, plugins) are applied within 7 days of release, tested in staging first.
Critical updates are deployed within 24 hours to address urgent threats.
5.5 Network Security
Bubble.io secures network traffic via Cloudflare, with TLS 1.3 enforced across all connections. Apprentix enhances this with AWS VPCs for backend isolation and AWS WAF to protect against SQL injection, XSS, and DDoS attacks.
Intrusion detection/prevention is provided by AWS GuardDuty, with 24/7 monitoring by Apprentix’s security team.
5.6 Endpoint Protection
Company endpoints are protected by endpoint security software, with real-time anti-malware and behavior monitoring.
Unauthorized software is blocked using AWS Systems Manager allowlists.
Mobile devices use mobile device management (MDM) solutions for containerization, isolating organizational data, with remote wipe capabilities.
6. Incident Response
6.1 Incident Response Plan
Apprentix maintains a formal Incident Response Plan aligned with NIST 800-61, covering:
Preparation: Regular training and tabletop exercises.
Identification: Real-time detection via AWS Security Hub and GuardDuty, supplemented by Bubble.io’s platform monitoring.
Containment: Isolation of affected app components within 1 hour, coordinated with Bubble.io for platform-level issues.
Eradication: Removal of threats and mitigation of vulnerabilities, leveraging Bubble.io/AWS support as needed.
Recovery: Restoration from daily backups within 4 hours.
Lessons Learned: Post-incident reviews to improve controls.
6.2 Incident Logging and Tracking
All incidents are logged in a centralized system, classified by severity (Low, Medium, High, Critical), and tracked to resolution.
Quarterly incident reports are generated for transparency.
6.3 Forensic Investigations
Critical app-level incidents trigger forensic analysis by a third-party provider, while Bubble.io handles platform-level forensics, with findings shared per their policy.
6.4 Notification
Customers are notified within 1 hour of a confirmed breach affecting their data, with updates every 4 hours.
Regulatory bodies are notified as required (e.g., GDPR’s 72-hour rule).
6.5 Testing
The plan is tested semi-annually via tabletop exercises and annually via full simulations.
Last test (Q4 2024) reduced containment time by 20%.
7. Business Continuity and Disaster Recovery
Apprentix ensures service continuity and data recovery through a comprehensive disaster recovery framework, detailed below. This section outlines our customer-facing policy, leveraging Bubble.io and AWS capabilities, with additional internal procedures maintained separately for operational execution.
7.1 Objectives
Recovery Time Objective (RTO): 4 hours for critical systems to minimize downtime.
Recovery Point Objective (RPO): 15 minutes to limit data loss.
Ensure minimal disruption to customer operations during outages.
7.2 Backup Procedures
Data is backed up daily via Bubble.io’s restore points and stored in AWS S3 with versioning and cross-region replication, encrypted with AES-256.
Backups are retained for 7 years or per contract terms, with quarterly integrity tests to verify recoverability.
7.3 Recovery Procedures
In a disaster (e.g., AWS region outage), we fail over to a secondary AWS region (e.g., us-west-2 to us-east-1) within 4 hours, leveraging Bubble.io’s infrastructure.
Bubble.io’s daily restore points enable rapid recovery to the last backup, with Apprentix coordinating app restoration.
If AWS/Bubble.io are unavailable, critical functions (e.g., data exports) use encrypted offline backups, manually processed as an interim measure.
7.4 Alternative Operations
Redundant infrastructure across multiple AWS regions ensures continuity.
Manual processes are documented for offline operations, with client notification within 1 hour of a disruption.
7.5 Testing and Training
Disaster recovery is tested quarterly via tabletop exercises and annually via full recovery drills to validate effectiveness.
All personnel are trained annually on their roles, guided by an internal DR playbook.
7.6 Vendor Coordination
We maintain 24/7 support contracts with AWS and Bubble.io for rapid assistance.
During a disaster, we escalate to AWS Priority Support and Bubble.io’s technical team to expedite recovery.
8. Human Resource Security
8.1 Security Awareness Training
All employees and contractors complete annual security training covering phishing, data handling, and incident reporting.
Quarterly phishing simulations are conducted using KnowBe4, with follow-up training for failures.
8.2 Background Checks
Background checks are performed for all employees handling sensitive data, using a certified provider.
Checks are tailored to role sensitivity, including criminal and reference verification.
8.3 Confidentiality Agreements
All employees and contractors sign non-disclosure agreements (NDAs) upon onboarding, covering PII and proprietary data.
NDAs are enforced without exception, with annual reminders.
8.4 Termination Procedures
Upon termination, access is revoked within 1 hour via automated workflows.
Exit interviews reinforce confidentiality obligations.
9. Supply Chain Security
9.1 Vendor Assessments
Third-party vendors, including Bubble.io and AWS, are assessed for security compliance before engagement and annually thereafter.
Bubble.io leverages AWS’s SOC 2 Type II and ISO 27001 certifications, ensuring a secure foundation for Apprentix.
9.2 Contractual Obligations
Vendor contracts mandate:
Encryption of data at rest and in transit.
Incident reporting within 24 hours.
Compliance with Apprentix’s security standards.
AWS and Bubble.io agreements meet these requirements, with Bubble.io providing platform-level security via AWS.
9.3 Ongoing Monitoring
Vendors are evaluated annually via SOC reports, security questionnaires, and performance reviews.
Last review (Q1 2025) confirmed AWS and Bubble.io compliance.
10. Physical and Environmental Security
As a cloud-based solution built on Bubble.io, Apprentix relies on AWS data centers (West Region, Oregon) managed by Bubble.io, which implement:
24/7 physical security with biometric access, CCTV, and guards.
Visitor logging and escorted access, with no unaccompanied visitors.
Redundant power, cooling, and fire suppression systems per industry standards.
Apprentix staff do not access physical data centers, ensuring no local vulnerabilities.
11. Monitoring and Logging
11.1 Security Event Logging
All systems log events to AWS CloudWatch, following NIST 800-92 requirements, with Bubble.io providing platform-level logs (e.g., server uptime).
Apprentix logs app-specific events (e.g., authentication, data access), encrypted and retained for 12 months.
11.2 Continuous Monitoring
AWS Security Hub correlates logs from CloudWatch, GuardDuty, and other sources to detect anomalies in real time.
Privileged and user activity is monitored via CloudTrail, with behavior analytics to identify potential threats.
Alerts are monitored 24/7 by our security team, with escalation within 15 minutes, ensuring proactive response to incidents without reliance on external testing.
11.3 Protective Technologies
AWS GuardDuty provides intrusion detection/prevention at the network perimeter.
AWS Shield mitigates DDoS attacks, with no incidents in 2024.
Web browsing is restricted, blocking malicious URLs.
12. Privacy
12.1 Data Privacy Policy
We comply with GDPR, CCPA, and other privacy laws, ensuring customers’ rights to access, correct, or delete their data.
Privacy notices are provided at data collection points, with consent obtained where required.
12.2 Personal Data Inventory
We maintain an inventory of all PII (e.g., apprentice names, certifications) stored in AWS RDS/S3.
Cross-border data flows are mapped, with no international transfers for U.S. customers unless authorized.
12.3 Data Minimization
Only necessary data is collected and processed, with regular reviews to eliminate redundant data.
Anonymization is used for analytics and testing to protect PII.
13. Customer Responsibilities
While Apprentix implements robust security controls, customers are responsible for:
Configuring user roles and permissions within the platform.
Ensuring their endpoints are secure and free of malware.
Reporting suspected incidents promptly to [email protected].
14. Certifications and Audits
Current: Apprentix leverages AWS’s SOC 2 Type II, ISO 27001, and PCI DSS certifications for our cloud infrastructure, ensuring robust security controls for customer data.
Audits: We conduct annual internal security audits to validate our policies and controls, reviewing app configurations, access controls, and data protection measures. Results are available to customers upon request.
Compliance: We align with GDPR, CCPA, and other applicable regulations, with regular reviews to ensure adherence.
15. Contact Information
For security-related inquiries, contact:
Email: [email protected]
Phone: +1-303-900-2215
Address: 700 Colorado Blvd. #750, Denver, CO 80209
16. Policy Updates
This policy is reviewed biennially or upon significant changes. Updates are communicated to customers via email and our support portal.