Security

Last updated on: December 22, 2025

This document provides a consolidated, procurement‑ready overview of Bump.sh’s security, privacy, and operational controls.

Company profile

  • Legal entity: It Ducks SAS
  • Product name: Bump.sh
  • Country of registration: France
  • Primary operations: France

Legal identifiers, registration numbers, and statutory disclosures are provided in the Legal mentions page.

Service description & scope

Bump.sh is a cloud‑hosted SaaS platform for publishing, hosting, and comparing API documentation derived from OpenAPI and AsyncAPI specifications.

Scope boundaries

  • No access to customer production systems
  • No execution within customer environments
  • No processing of customer application runtime data

The service is intentionally designed to operate on documentation artifacts only: Bump.sh servers and the application never access the customer's infrastructure.

Data protection & privacy

Detailed information regarding personal data processing, GDPR compliance, data subject rights, and privacy governance is available in the following documents:

Hosting & infrastructure security

  • Deployment model: Cloud‑only
  • Application hosting: Heroku (AWS)
  • Database: Managed PostgreSQL via Crunchy Data (AWS)
  • Search engine hosting: Koyeb
  • Data residency: Europe (Ireland and France)
  • Backups & redundancy: Enabled at infrastructure level

Bump.sh does not operate or manage customer‑side infrastructure.

Identity & access management

Authentication

  • SSO enforcement available
  • Bump.sh authentication may coexist with SSO (customer‑controlled)

User lifecycle management

  • Just‑in‑time (JIT) provisioning supported
  • Attribute‑based identity mapping (ID, email, first name, last name)
  • User expiration and deprovisioning supported

Application & supply chain security

  • Automated dependency monitoring (e.g. Dependabot)
  • Static security analysis integrated into CI pipelines
  • Mandatory pair code review on changes

Open source components

The hosted SaaS backend remains closed source.

Integrations

GitHub integration

  • Delivered as a GitHub Action, executed in the customer’s GitHub environment
  • Access limited to repositories and files explicitly configured by the customer
  • Permissions scoped to read‑only access for selected files
  • Typical use case: uploading OpenAPI definition files

No organization‑wide or network‑level access is required.
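As an added illustration (not a workflow from the page or from Bump.sh itself), the following GitHub Actions workflow shows what the scoping described above looks like in practice: the customer checks out their own repository, the job's token is restricted to read-only contents, and only the single configured file is uploaded. The action name and its `doc`, `token` and `file` inputs follow the public README of `bump-sh/github-action`; the documentation slug, file path and secret name are placeholders you would replace with your own.

```yaml
# Added example workflow, not part of the original page.
# Runs entirely in the customer's GitHub environment; Bump.sh receives
# only the uploaded file via the customer-held API token.
name: Deploy API documentation to Bump.sh

on:
  push:
    branches:
      - main
    paths:
      - doc/api-documentation.yml   # placeholder: only rerun when the spec changes

# Least privilege: the job's GITHUB_TOKEN can only read repository contents.
# No write, no org-wide scopes, no access to other repositories.
permissions:
  contents: read

jobs:
  deploy-doc:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Upload the OpenAPI definition
        uses: bump-sh/github-action@v1
        with:
          doc: my-api-docs                     # placeholder: your Bump.sh documentation slug
          token: ${{ secrets.BUMP_TOKEN }}     # placeholder: a Bump.sh API token stored as a repo secret
          file: doc/api-documentation.yml      # placeholder: the one file the action may read
```

Two checks worth making when you review such a workflow: the `permissions` block is present and limited to `contents: read` (an absent block inherits the repository's default, which may be broader), and the Bump.sh token lives in a GitHub secret rather than in the workflow file, since that token, not any Bump.sh-side credential, is what authorizes the upload.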

Availability, backup & recovery

  • Recovery Time Objective (RTO): 8 hours
  • Recovery Point Objective (RPO): 4 hours

Backups and redundancy are managed through cloud infrastructure providers.

Vulnerability management & testing

  • Bump.sh does not currently publish independent third‑party penetration test reports
  • Enterprise customers are permitted to conduct penetration tests on their own Bump.sh environment
    • Once per year
    • Prior coordination required

Identified issues are addressed collaboratively.

Incident management

  • Infrastructure and application monitoring in place (https://status.bump.sh)
  • Operational procedures exist for incident detection, response, and remediation

Certifications & external audits

  • No SOC 2, ISO 27001, or similar certifications at this time
  • This reflects the limited data scope and non‑intrusive architecture of the service
  • Alternative assurance mechanisms (customer‑run testing, architectural transparency) are available

Third‑party & vendor management

Key infrastructure providers

  • Heroku (AWS) – application hosting
  • Crunchy Data (AWS) – managed PostgreSQL
  • Koyeb – search engine hosting

Vendors are selected based on security maturity and industry adoption. Formal vendor security audits are not currently conducted.

Contractual, legal, and regulatory information is maintained in dedicated documents:

Frequently Asked Questions

Do you hold SOC 2 / ISO 27001 certifications? No. Bump.sh does not currently maintain formal third‑party security certifications. The service architecture minimizes data exposure and avoids access to customer systems.
Do you process sensitive or regulated data? No. Bump.sh processes API documentation files and limited account metadata only.
Where is data stored? All customer data is hosted in Europe: on AWS infrastructure (Ireland) and on Koyeb (France).
Do you support SSO and centralized access control? Yes. Bump.sh supports SSO, JIT provisioning, and lifecycle controls through its partner [WorkOS](https://workos.com/).
Do you integrate into customer networks or environments? No. Integrations operate via customer‑initiated actions and scoped permissions only.
Can customers perform penetration testing? Yes. Enterprise customers may conduct annual penetration tests on their Bump.sh environment with prior coordination.
How do you manage dependencies and supply‑chain risk? Through automated dependency monitoring, static analysis, and CI‑based review processes.
Who is the security point of contact? All security inquiries can be directed to security@bump.sh.

Additional details can be provided upon request. Reach out to security@bump.sh.