Trust Center
Security practices, certifications, and compliance information
Last Updated: June 7, 2026
If you haven't reviewed our Terms & Conditions or our Privacy Policy yet, you should do so. They include some important information that you'll need for an evaluation.
Our Org Structure
First things first: we're not a company. We're not even a legally distinct organization. This project could best be described as a "hobbyist's project" or a passion project in real danger of turning into a responsibility. We hope that you can understand how these things happen: we identified a problem, and we decided that we could fix said problem.
Honestly, if it turned into a responsibility, that'd be pretty cool. That would mean that we're developing something that's legitimately useful. (Feel free to let us know using the Feedback form! It'll just gas up our egos and push us to shore up our infrastructure even more.)
That being said, we understand if your institution's third-party risk management processes are averse to adopting us. We get it, because we have folks on our team who are supposed to be those third-party risk assessors.
We'd love it if that's what's holding you back, because that means our product is worth your evaluation. Let us know, and we'll work something out (self-hosting, conformance to your specific requirements, or something else).
We're not beholden to a corporate overlord. We're simply trying to make the best darn product we can.
Our Commitment to Trust
BusyBee is focused on delivering a secure, reliable, and privacy-focused product. We continuously evolve our solutions, combining robust features with security and privacy by design.
Our "corporate" structure is less corporate structure, more independent side-project. We acknowledge that some institutions may not want to take that risk, and that's okay.
That's why we make no warranties and disclaim its merchantability in our Terms & Conditions. Transparency.
Data Collected, Processed, and Stored
We'd suggest that for most use cases, this application should only be collecting, processing, and storing public, low-criticality information. While we obviously don't know your institution's specifics, we collect:
- Information generally regarded as "directory information," including name and email address,
- Athletic event information (generally public information),
- Shift scheduling information—provided by a supervisor—which will likely be the most sensitive information whose classification you'll have to determine.
Basic Security Measures We Take
As we state in our Privacy Policy, we can't guarantee that we'll never be hacked or breached. No platform can. However, we take all reasonable steps to ensure that many risks are mitigated, including:
- We use a web application firewall in front of our web applications.
- We perform assessments of any third parties we engage with.
- We have a patch management process and a vulnerability management process.
- We keep golden images of our software locked away.
- For user accounts, we require multi-factor authentication using a TOTP.
- For institutions, SAML-based SSO is available. Our SSO implementation supports differentiation between the email address and user identifier.
- We regularly monitor and scan for common web application security vulnerabilities, and we have a vulnerability management program.
- We respect the right of security researchers to audit and evaluate our platform, and we accept responsible disclosures.
Vulnerability Handling & Disclosure
We will:
- Acknowledge receipt of your vulnerability report in a reasonable timeframe,
- Investigate and validate reported issues, and
- Coordinate fixes and mitigations based on severity and impact.
While we respect the right of security researchers to audit and evaluate, we expect that they:
- Avoid testing that degrades service availability or impacts customers,
- Do not publicly disclose found vulnerabilities prior to coordinated disclosure, and
- Act in good faith and in accordance with applicable laws.
Frameworks
As a "passion side-project" in real danger of turning into a responsibility, BusyBee does not currently conform to all best practices in any industry-standard security framework. However, we are working to meet the guidelines set out in the CIS Controls version 8.
Third-Party Subprocessors
| Subprocessor Name | Purpose | Location |
|---|---|---|
| Anthropic | Internal artificial intelligence models | USA |
| Cloudflare | Network infrastructure | Global Locations |
| | Infrastructure services | Global Locations |
| jsDelivr | Content delivery network (CDN) | Global Locations |
| Twilio/SendGrid | Email delivery | USA |
Attestations & Certifications
BusyBee does not currently maintain any certifications, including SOC 2 Type II, CSA STAR, or ISO certification.
BusyBee does not currently maintain any self-attestations, including EDUCAUSE HECVAT. Work on HECVAT is ongoing and scheduled for completion by Q4 2026 as we build out infrastructure. As we've mentioned, we're working towards adherence to the requirements set forth in the CIS Controls version 8. Once we perform a self-attestation and believe we're following those controls in good faith, we'll let you know in this Trust Center documentation.