The Sendbird approach to security
At Sendbird, security isn't just another box to check — it's a core part of our business DNA. We've always placed a high priority on securing our customers' data, and since 2022, we've made significant investments that further enhance our security position. In this blog, we’ll explore how Sendbird approaches security and the measures we take to ensure your data is protected.
1. We invest in security
Our commitment to security is exemplified by our strategic investments. Around three years ago, we hired our first-ever Chief Information Security Officer (CISO) with the aim of building a world-class security team.
Today, we have a dedicated team of about 10 professionals focused on Security, IT, and GRC, backed by a six-figure budget for security tooling. For a company with approximately 250 full-time employees, this represents a robust investment in safeguarding both our operations and our customers’ data.
2. A risk based approach
We adopt a risk-based approach to security, in which our role is to identify and communicate risks rather than owning them outright. Our security team works closely with relevant stakeholders, explaining the nature of the risks and helping them make informed decisions. This approach ensures that everyone in the company knows the risks and feels a sense of ownership in mitigating them.
3. Security driven compliance
Compliance certifications are not mere formalities for us, but a byproduct of our commitment to doing the right thing. For example, we conduct offboarding and access reviews as part of our core enterprise security measures, which naturally leads to compliance. This approach ensures that our compliance efforts are meaningful and genuinely enhance security.
4. Enabling the business
Our ultimate goal is to enable the business to thrive securely. We work closely with internal teams such as product, sales, and sales engineering to develop solutions that leverage security for business success. Notable initiatives include our public Trust Center for customers and our public bug bounty program. Additionally, we are creating an internal knowledge base for our sales team to streamline their efforts and enhance productivity.
5. Building strong partnerships
At Sendbird, collaboration is key. The partnerships between our security teams and other departments, particularly between Product Security and Engineering, are among the strongest in the industry. These collaborations ensure that security is integrated into every stage of our product development lifecycle, enabling us to proactively address potential vulnerabilities.
6. A collaborative "never say no" philosophy
At Sendbird, we rarely say "no" outright. Instead, we provide a comprehensive risk assessment: "If you do this, the risk to the company increases by ‘x’; if you implement it in this alternative way, the risk decreases by ‘y’; if you do this, the risk remains unchanged." We then collaborate with the team to evaluate the costs and benefits of each option, ensuring the best decision is made for the business. This philosophy builds trust, fosters ownership, and positions the security team as a helpful partner rather than an obstacle.
7. Multi layer security approach
We recognize that mistakes happen — people can check in a misconfigured setting or select the wrong option. Therefore, we design our systems with multiple layers of security, ensuring that more than one failure would be required for a significant security incident to occur. This layered defense strategy adds resilience and robustness to our security posture.
8. Automate everything
We embrace an automation-first mindset. All our security engineers write code, and others use low-code/no-code solutions to automate as many functions as possible. This approach increases efficiency, reduces human errors, and allows us to accomplish more with fewer resources.
9. Reporting to the board
To hold ourselves accountable, we provide the company's board of directors with six-monthly updates on the state of our security program. This transparency underscores our dedication to maintaining high-security standards and continuously improving our practices.
10. Giving back to the community
We have benefited immensely from the knowledge shared by others through blogs, conferences, and open-source software. In the spirit of giving back, we are committed to sharing our insights and experiences with the wider community. Starting this year, our team has set goals to publicly discuss and write about some of our internal projects, hoping to help others.
This blog is just the beginning of our efforts to contribute to the broader security community.
At Sendbird, security is a continuous journey of improvement and collaboration. We are dedicated to protecting your data and supporting the business while giving back to the community that has helped us. Stay tuned for more insights and updates on our security initiatives!
