Balsamiq

Information Security


Since we have limited resources to reply to custom security questionnaires, we have adopted the CAIQ-Lite and VSAQ standards, which cover a lot you might want to know about our information security practices.

If you are subscribing to one of our Enterprise plans, or spending more than USD $1,000 over the next year on our Desktop or Atlassian offerings, email your security questionnaire to support@balsamiq.com. Otherwise you should be able to find all the answers you need on this page, and the pages linked below.

Questionnaire answers are not available for our Desktop and Server-hosted Apps, but you can refer to their Terms of Service and License Agreements.


Frequently Asked Security-Related Questions

How Is My Data Protected from Another Customer’s Data?

Each of our Services has a single database for all of that Service's users' data. We use software best practices to guarantee that only the people you designate as viewers of your data can access it. In other words, we segment customer data via software. We do our best and are very confident we're doing a good job at it, but, like every other web app that hosts its customers' data in the same database, we cannot guarantee that a sophisticated hacker cannot access other people's data.
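To make the phrase "segment customer data via software" concrete, here is an added illustration (not Balsamiq's code or schema; the table, tenant names and project rows are constructed for the example). It shows the pattern a shared-database service relies on: every data-access path is bound to a tenant identifier and carries that predicate in every query, so a request that names another tenant's record by id returns nothing. The unscoped lookup at the end is the defect such a design has to avoid, where a lookup by primary key alone lets any caller read any tenant's row.

```python
import sqlite3

# Constructed sample rows: two tenants ("acme", "globex") sharing one projects table.
SAMPLE_PROJECTS = [
    (1, "acme", "Acme checkout redesign"),
    (2, "acme", "Acme onboarding flow"),
    (3, "globex", "Globex admin dashboard"),
]


def build_db():
    """Create an in-memory single-database, multi-tenant table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE projects ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO projects VALUES (?, ?, ?)", SAMPLE_PROJECTS)
    conn.commit()
    return conn


class TenantScopedProjects:
    """Repository bound to one tenant at construction time.

    The tenant_id is taken from the authenticated session, never from the
    request body, and every query includes it as a predicate. Callers cannot
    reach rows of another tenant because no method exists that omits the filter.
    """

    def __init__(self, conn, tenant_id):
        self._conn = conn
        self._tenant_id = tenant_id

    def list_names(self):
        rows = self._conn.execute(
            "SELECT name FROM projects WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,),
        )
        return [r[0] for r in rows]

    def get_name(self, project_id):
        # Both the id and the tenant must match; a foreign id yields None,
        # indistinguishable from a non-existent id (no information leak).
        row = self._conn.execute(
            "SELECT name FROM projects WHERE id = ? AND tenant_id = ?",
            (project_id, self._tenant_id),
        ).fetchone()
        return row[0] if row else None


def unscoped_get_name(conn, project_id):
    """The anti-pattern: a lookup by id only, which ignores tenancy entirely."""
    row = conn.execute(
        "SELECT name FROM projects WHERE id = ?", (project_id,)
    ).fetchone()
    return row[0] if row else None


def isolation_holds(conn):
    """Return True if the scoped repository never serves another tenant's row."""
    acme = TenantScopedProjects(conn, "acme")
    globex = TenantScopedProjects(conn, "globex")
    return (
        acme.get_name(3) is None                      # globex's row is invisible to acme
        and globex.get_name(3) == "Globex admin dashboard"
        and acme.list_names() == ["Acme checkout redesign", "Acme onboarding flow"]
    )


if __name__ == "__main__":
    db = build_db()
    print("scoped isolation holds:", isolation_holds(db))
    # The unscoped path hands acme's caller a globex project, which is the bug.
    print("unscoped lookup of id 3:", unscoped_get_name(db, 3))
```

The design point is that tenancy is enforced by construction rather than by remembering to add a `WHERE` clause at each call site; a code review or automated test can then check that no query path exists without the tenant predicate, which is the kind of check the page's "software best practices" refers to.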


How Are You Protecting My Data from Hacker Attacks?

Security is one of the main reasons we chose Amazon Web Services as the infrastructure provider for our Balsamiq Services. It has the best track record out there, look at this article for instance.

To see all the steps Amazon takes to protect the data saved on its services, take a look at the extensive Security And Compliance Center and the security-related white papers. It’s what makes us sleep well at night. AWS is ISO/IEC 27002 certified.

We also have our own practices in place, which follow industry best practices. We give server access only to senior Balsamiq security experts, keep our servers up to date with security fixes, have one-click ways to take down servers should they become infected or compromised and to create and deploy new clean ones, run an automated suite of tests against cyber attacks, use two-factor authentication wherever possible, and more. We don't run background checks on employees, hold CISSP certifications, or keep audit logs.

Our Services have never been compromised so far.

Should our systems get compromised, we will replace the server(s) that have been hacked with new ones (we can do this with very few clicks). If this doesn’t stop the attack, we’ll shut down the service until we can fix the vulnerability. We will also hire outside experts to help us and verify that we’re safe to resume service.


Are you PCI DSS compliant?

Yes, we are. We go through the self-assessment process annually and get scanned regularly.


What should I do if I find a security vulnerability in a Balsamiq service?

If you have discovered a security concern, please email us at security@balsamiq.com. We’ll work with you to make sure that we understand the scope of the issue, and that we fully address your concern. We consider correspondence sent to security@balsamiq.com our highest priority, and work to address any issues that arise as quickly as possible.

Please act in good faith towards our users' privacy and data during your disclosure. We won't take legal action against you or administrative action against your account if you act accordingly: white hat researchers are always appreciated.


How does Balsamiq use AI?

At the moment, the only AI-powered feature we have is the extract text feature, which is completely optional to use.

It is implemented by calling an AWS Textract API. Please refer to Amazon Textract's website for details on how your data is used.