Security and Privacy

Effective as of September 4th, 2024

Last updated September 4th, 2024

Please review our Privacy Policy and Terms and Conditions.

At Blossom, we take privacy and security very seriously to ensure that your data is yours alone, not ours. Here are the security measures that we currently have in place to protect both our users' data and Blossom:

Backups and monitoring
We use AWS RDS’ backup solution for datastores that contain customer data. Data is automatically backed up each day, and we keep daily backups for 14 days. We store logs for all activity through AWS CloudWatch, and all actions taken on production consoles or in the application are logged.

Hosting and storage
Blossom services and data are hosted in Amazon Web Services (AWS) facilities (us-east-1) in the United States using services under the AWS Security Compliance Program.

Encryption
• All user interview recordings and insight clip videos are encrypted at rest using SSE-S3 encryption.

• Data is encrypted while moving between us and the browser with Transport Layer Security (TLS). All SSL certificates are issued and managed through AWS. We score an ‘A’ rating on Qualys SSL Labs’ tests.

• We don’t use any screen-recording user tracking software such as Hotjar or Fullstory.

• We employ Multi-Factor Authentication best practices for securing our production data and email accounts.

Zoom Integration Security

• We utilize OAuth 2.0 to authorize Zoom users to integrate with Blossom without exposing your login credentials.

Our Zoom integration requests the minimal permission scope required to help you perform your day-to-day tasks in Blossom, in accordance with Zoom’s App Permissions guidelines.

Incident Response

If Blossom becomes aware of unauthorized access or disclosure of Customer Data under its control (a "Breach"), Blossom will:

- Take reasonable measures to mitigate the harmful effects of the Breach and prevent further unauthorized access or disclosure.

- Upon confirmation of the Breach, notify Customer in writing of the Breach without undue delay. Notwithstanding the foregoing, Blossom is not required to make such notice to the extent prohibited by Laws, and Blossom may delay such notice as requested by law enforcement and/or in light of Blossom's legitimate needs to investigate or remediate the matter before providing notice.

- Each notice of a Breach will include:

  - The extent to which Customer Data has been, or is reasonably believed to have been, used, accessed, acquired or disclosed during the Breach;

  - A description of what happened, including the date of the Breach and the date of discovery of the Breach, if known;

  - The scope of the Breach, to the extent known; and

  - A description of Blossom's response to the Breach, including steps Blossom has taken to mitigate the harm caused by the Breach.