Content Deep Dive

Security

Blog post from Bump

Post Details
Author: -
Word Count: 683
Language: English
Hacker News Points: -

Summary

Bump.sh is a cloud-hosted SaaS platform operated by It Ducks SAS, based in France, designed for publishing, hosting, and comparing API documentation derived from OpenAPI and AsyncAPI specifications. The service emphasizes security, privacy, and operational controls, focusing on handling documentation artifacts without accessing customer production systems or processing runtime data. Hosted on Heroku (AWS) with a managed PostgreSQL database provided by Crunchy Data, Bump.sh ensures data residency in Europe and supports SSO and centralized access through WorkOS. It incorporates automated dependency monitoring, static security analysis, and mandatory code reviews to manage application and supply chain security. While the platform lacks formal third-party certifications like SOC 2 or ISO 27001, it offers transparency in architecture and allows enterprise customers to conduct penetration tests annually. Security and compliance information is readily available through various dedicated documents, and the company's infrastructure is monitored for incidents, although it doesn't conduct formal vendor security audits.