
Security Statement – Bluebeam’s Technical and Organizational Measures

Updated and Published July 5, 2022

To protect the confidentiality, integrity, and availability of both Bluebeam’s internal data and Bluebeam’s customers’ data (“Your Data” as defined in the General Terms and Conditions of Use), Bluebeam has implemented an information security program that includes the following technical, administrative, organizational, and physical controls (the “Security Program”). For more details on Bluebeam’s Security Program and related controls, including a copy of our SOC 2 report, existing customers may contact their account representative or technical support. Potential customers may contact technical support.

Governance and Organizational Controls

Bluebeam utilizes a risk-focused framework to evaluate security maturity and prioritize security initiatives. A Security Steering Committee composed of executive leaders in technical and business functions meets at least quarterly to assess risk and develop remediation plans.

Bluebeam has established a risk assessment framework used to evaluate risks throughout the company on an ongoing basis. The risk management process incorporates management’s risk tolerance and evaluations of new or evolving risks.

Data Center and Physical Security

Bluebeam’s office locations are monitored by a receptionist during business hours. Doors are locked outside business hours and when a receptionist is not present. Visitors to Bluebeam’s office location are required to sign in and are provided a temporary identification badge.

Physical keys and card access to areas where critical equipment is located are restricted to authorized individuals. Bluebeam management reviews holders of keys and access cards annually.

Bluebeam leverages Amazon Web Services to host Bluebeam cloud products. AWS provides highly available and secure data centers. Details on AWS’s data center security controls can be found here.

Personnel Security

Bluebeam places a high priority on the security of its workforce. All Bluebeam employees are required to undergo background checks as part of the hiring process. Within one month of hire, employees receive training in data security concepts and responsibilities, as well as privacy regulation. This training is updated regularly, and all employees are required to complete it annually.

Bluebeam personnel are required to read and accept Bluebeam’s Code of Conduct and security policies upon their hire and to formally reaffirm them annually thereafter.

In addition to annual security training for all employees, Bluebeam’s security team provides job-specific security training to teams like the People Team and DevOps. Bluebeam’s developers are also required to complete annual training on secure development practices.

Network Security

Monitoring and Incident Response

Bluebeam’s security team continuously monitors for threats and security incidents across all networks and infrastructure.

In the event that an incident is detected, Bluebeam has established a formal Incident Response Plan, which defines a process of resolving and escalating reported events. Its provisions include consideration of the need to inform internal and external users of incidents and advising of corrective actions to be taken, as well as an incident after-action review requirement. Policies and procedures for operational and incident response management require incidents to be logged and reviewed with appropriate corrective actions taken if necessary.

Vulnerability Management

Bluebeam has a defined vulnerability management program that includes executive oversight and defined SLAs for remediation or mitigation.

On at least a monthly basis, Bluebeam’s security team performs scans of infrastructure and applications to identify vulnerabilities. Additionally, third-party penetration testing is performed on Bluebeam’s applications and infrastructure at least annually. Vulnerabilities identified through these scans are evaluated for impact to the confidentiality, integrity, and availability of Bluebeam’s systems and customer data and prioritized for remediation based on these factors.

Access Control

Bluebeam leverages highly segregated networks with role-based access control to protect customer data. Networks containing customer data are only accessible to Bluebeam employees whose job function requires access.

Development and test environments are segregated from production, and Bluebeam’s policies restrict the use of confidential or private data in all non-production environments.

At the system level, access rights are granted or modified on a business-need basis depending on the user’s job role. Wherever technically feasible, two-factor authentication is used to access Bluebeam’s systems and applications, including on VPNs and other forms of remote access. Bluebeam personnel are assigned unique usernames and are required to use strong passwords for access to Bluebeam’s systems. Shared accounts are not permitted unless a specific use case is documented and approved by security management. Bluebeam performs reviews of privileged and regular user access to production systems on a quarterly basis to ensure access appropriateness.


Bluebeam customer data (“Your Data”) is stored on secure cloud services and is protected and encrypted when in transit and at rest. HTTPS, SSH, SFTP, or other technologies using modern encryption protocols are used to protect data in transit. AES-256 or other appropriate industry standards are used to protect data at rest.

Change Management

Bluebeam’s change management policy and procedures require review and authorization by appropriate business and technical management before system changes are implemented into the production environment. System changes include documentation of authorization, design, implementation, configuration, testing, modification, and approval commensurate with risk level. Changes are tested in a separate test environment prior to moving them to the production environment.

The change management process includes identification of changes that require communication to internal or external users. System and organizational changes are communicated to internal and external users as appropriate through Bluebeam’s application.

Third Party Management

Bluebeam evaluates the security of vendors and other third parties as part of its vendor selection process and annually thereafter. For third parties storing or processing Bluebeam’s confidential information, the third party is required to hold an audited security attestation (e.g. SOC 2 Type II, ISO 27001) or demonstrate its ability to meet equivalent security controls.

Confidential information is disclosed only to third parties who have agreements with Bluebeam to protect personal information in a manner consistent with the relevant aspects of Bluebeam’s privacy policies or other specific instructions or requirements. Third parties that process customer PII on behalf of Bluebeam are listed in Bluebeam’s Sub-processor list.

Responsible Disclosure Statement

At Bluebeam, we consider the security of our systems a top priority, but no matter how much effort we put into system security, there can still be vulnerabilities present. If you discover a vulnerability in any of our products or web applications, we would like to know about it so we can take steps to address it as quickly as possible.

Please do the following:

  • Email your findings to [email protected]
  • Provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation
  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people’s data
  • Do not reveal the problem to others until it has been resolved
  • Do not use attacks on physical security, social engineering, denial of service, spam or applications of third parties
  • Do not violate any laws or breach any agreements in order to discover vulnerabilities

Bluebeam Security Team’s Promise:

  • We will aim to respond to your report within a reasonable time period with our evaluation of the report
  • If you have followed the instructions above, we will not take any legal action against you in regard to the report
  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission

Issues Not to Report:

The issues below are not considered in scope for vulnerability disclosure, and we ask that you not report them unless you have identified unusual risk associated with the issue.

  • CSRF on forms that are available to anonymous users
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Banner disclosure on common/public services
  • HTTP/HTTPS/SSL/TLS security header configuration suggestions
  • Lack of Secure/HTTPOnly flags on non-sensitive cookies
  • Phishing or Social Engineering Techniques
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  • Sender Policy Framework (SPF) or DMARC configuration suggestions
  • Clickjacking reports without impact are not considered a vulnerability by Bluebeam. For example, “Clickjacking to change a user’s password” or “Clickjacking to post comment” would be valid reports, but identifying the possibility of clickjacking alone is not