Security

BlackLine is committed to notifying you of security vulnerabilities affecting you or our platform. We will publish security advisories here.


BlackLine will never ask you for your password. Do not give out your user credentials or login information to anyone. If you have any issues with your password or logging into your application, you may reset your password from the login page, or contact your BlackLine System Admin. If you are still having trouble accessing your BlackLine instance, contact Support. If you suspect a security threat or vulnerability, please submit a report to our Information Security team at security@blackline.com.

Compliance


As part of our commitment to maintaining a world-class security infrastructure, we validate the effectiveness of our information security controls by periodically attesting against internationally recognized auditing standards - SSAE 18 / ISAE 3402 SOC 1 - Type 2 and SSAE 18 / ISAE 3000 [Revised] SOC 2 - Type 2, and certifying against internationally recognized security standards - ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO/IEC 27701. Our world-class controls and safeguards translate to unsurpassed security and privacy for our customers' information.

SOC 1 Type 2 Report

A SOC 1 Type 2 report is an attestation report issued by independent auditors in accordance with Statements on Standards for Attestation Engagements (SSAE) No. 18 on whether the controls at a service organization relevant to user entities' internal controls over financial reporting are designed appropriately and are operating effectively throughout a period of time. For further information please visit:

https://us.aicpa.org/

AICPA SOC

SOC 2 Type 2 Report

A SOC 2 Type 2 report is an attestation report issued by independent auditors on whether the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users' data, and the confidentiality and privacy of the information processed by these systems (Trust Services Criteria), are designed appropriately and are operating effectively throughout a period of time. BlackLine's SOC 2 Type 2 report covers the Security, Availability, and Confidentiality Trust Services Criteria. For further information please visit:

https://us.aicpa.org/


SOC 3 Report

A SOC 3 report is an attestation report issued by independent auditors that provides a summary of whether the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users' data, and the confidentiality and privacy of the information processed by these systems (Trust Services Criteria), are designed appropriately and are operating effectively throughout a period of time. BlackLine's SOC 3 report covers the Security, Availability, and Confidentiality Trust Services Criteria. This is a general-use report that can be freely distributed; it does not contain the auditor's tests of controls or their results. For further information please visit:

https://us.aicpa.org/


ISO 27001 Certification

An ISO 27001 certification is issued to organizations that have attested to establishing, implementing, maintaining, and continually improving an information security management system in accordance with the International Standard ISO/IEC 27001. For further information please visit:


https://www.iso.org/

BSI ISO / IEC 27001 Information Security Management Certified

ISO 27017 Certification

An ISO 27017 certification is issued to organizations that have attested to establishing and implementing information security controls to address cloud-specific information security threats and risks as a cloud service customer and a cloud service provider in accordance with the International Standard ISO/IEC 27017. For further information please visit:

https://www.iso.org/


ISO 27018 Certification

An ISO 27018 certification is issued to organizations that have attested to implementing measures to protect PII (Personally Identifiable Information) in public cloud computing environments that provide information processing services as PII processors via cloud computing under contract to other organizations in accordance with the International Standard ISO/IEC 27018. For further information please visit:

https://www.iso.org/


ISO 27701 Certification

An ISO 27701 certification is issued to organizations that have attested to establishing, implementing, maintaining, and continually improving a privacy information management system as a PII (Personally Identifiable Information) controller and/or processor in accordance with the International Standard ISO/IEC 27701. For further information please visit:


https://www.iso.org/


For information about BlackLine's privacy program please see our Privacy Center page.


Obtaining BlackLine SOC Reports and ISO Certifications

The most recent SOC reports and ISO certifications listed above for the BlackLine Financial Controls and Automation Platform and BlackLine Cash Application are available self-serve for customers in the BlackLine Community. Prospects can request a copy of the most recent SOC reports and ISO certifications listed above for the BlackLine Financial Controls and Automation Platform and BlackLine Cash Application through their sales representative.


Datacenters and Hosting Environments

BlackLine partners with top-tier datacenters and hosting environments that are SOC 2 Type 2 attested and ISO 27001 certified to ensure the availability and security of our service and to protect clients' data from theft, corruption, or mishandling.

Best Practices

BlackLine is committed to ensuring our customers are accessing their applications securely. Given the ever-evolving security threats present, we recommend you take certain precautions to help protect your organization from unauthorized access.


IP Allow-List
An IP allow-list restricts access to a designated set of IP addresses, such as those of the corporate LAN or VPN, so that users connecting from elsewhere are denied. By using an IP allow-list, administrators can specify the range of accepted IP addresses that should have access to BlackLine; users attempting to access BlackLine from addresses outside that range will not be granted access.
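The following is an added illustration of the allow-list decision described above; it is example code, not BlackLine's implementation, and the address ranges, the trusted-proxy list and the function names are constructed for the example. It shows the two details a practitioner usually gets wrong: IPv4 addresses arriving as IPv4-mapped IPv6 (`::ffff:a.b.c.d`) must be unwrapped so the IPv4 rules still apply, and a client-supplied `X-Forwarded-For` header must only be honoured when the direct peer is a trusted proxy, otherwise anyone could claim an allowed address.

```python
"""Source-IP allow-list check (added example; not BlackLine code)."""
import ipaddress

# Constructed sample allow-list using documentation prefixes (hypothetical ranges).
ALLOWED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),    # e.g. corporate LAN egress block
    ipaddress.ip_network("198.51.100.40/29"),  # e.g. VPN concentrator pool
    ipaddress.ip_network("2001:db8:10::/48"),  # e.g. IPv6 office range
]

# Constructed: reverse proxies / load balancers whose X-Forwarded-For we trust.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def normalize(addr_str):
    """Parse an address string; unwrap IPv4-mapped IPv6 so IPv4 rules apply.
    Returns None for unparseable input rather than raising."""
    try:
        addr = ipaddress.ip_address(addr_str.strip())
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_allowed(addr_str, ranges=ALLOWED_RANGES):
    """True if the address falls inside any allowed range; fails closed on bad input.
    'addr in net' is False across IP versions, so mixed lists are safe."""
    addr = normalize(addr_str)
    if addr is None:
        return False
    return any(addr in net for net in ranges)


def source_ip(remote_addr, forwarded_for=None, trusted_proxies=TRUSTED_PROXIES):
    """Pick the address to evaluate. Only consult X-Forwarded-For when the
    direct TCP peer is a trusted proxy; take the rightmost hop, which is the
    one our own proxy appended, not a value the client could have prepended."""
    peer = normalize(remote_addr)
    if peer is None:
        return None
    if forwarded_for and any(peer in p for p in trusted_proxies):
        return normalize(forwarded_for.split(",")[-1])
    return peer


def decide(remote_addr, forwarded_for=None):
    """Full decision for one request: 'allow' or 'deny'."""
    addr = source_ip(remote_addr, forwarded_for)
    if addr is None or not is_allowed(str(addr)):
        return "deny"
    return "allow"


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For header or None)
    for peer, xff in [("203.0.113.7", None),
                      ("::ffff:203.0.113.7", None),
                      ("10.0.0.5", "203.0.113.7"),        # via trusted proxy: allowed
                      ("192.0.2.9", "203.0.113.7"),       # spoofed header, untrusted peer: denied
                      ("198.51.100.48", None)]:
        print(peer, xff, "->", decide(peer, xff))
```

Keep the allow-list in IP-version-aware CIDR form rather than string prefixes, and log the address that was actually evaluated alongside the decision so that a locked-out user can be diagnosed from the audit trail.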


Strengthen Password Policies
An effective way to protect your company is to strengthen password policies. You may do this by visiting the Security Settings page in the application.

Physical Security

Our service is colocated in dedicated spaces at top-tier data centers. These facilities provide carrier-level support, including:


Access control and physical security

  • 24-hour manned security, including foot patrols and perimeter inspections

  • Computing equipment in access-controlled steel cages

  • Video surveillance throughout facility and perimeter

  • Building engineered for local seismic, storm, and flood risks

  • Tracking of asset removal

  • Secure, on-campus Network Operations Center to monitor the Building Management System


Environmental controls

  • Entire HVAC plant (chillers, compressors, heat exchangers, and distribution systems) monitored for all environmental operating parameters by a Building Management System

  • Redundant N+2 HVAC cooling system with 100% Service Level Agreement


Power

  • Underground utility power feed

  • Redundant (N+2) CPS/UPS systems

  • Redundant power distribution units (PDUs)

  • Diesel generators with on-site diesel fuel storage


Network

  • Redundant internal networks

  • Network neutral; connects to all major carriers and located near major Internet hubs

  • High bandwidth capacity


Fire detection and suppression

  • State-of-the-art fire detection and suppression systems using the latest advances in pre-action water

Protection

Secure transmission and sessions

  • Connection to the BlackLine OnDemand environment is via TLS cryptographic protocols, ensuring that our users have a secure, encrypted connection


Network protection

  • Perimeter firewalls and edge routers block unused protocols

  • Internal firewalls segregate traffic between the application and database tiers

  • Intrusion detection sensors throughout the internal network report events to a security event management system for logging, alerts, and reports

  • A third-party service provider periodically scans the network externally and alerts on changes to the baseline configuration


Disaster Recovery

  • The BlackLine OnDemand service performs near real-time data replication between the production data center and the disaster recovery center

  • Data is transmitted across an encrypted tunnel


Backups

  • All data is backed up at each data center on a daily basis.


Internal and Third-party testing and assessments

  • BlackLine tests all code for security vulnerabilities before release, and regularly scans our network and systems for vulnerabilities. Third-party assessments are also conducted regularly:

      • Application vulnerability assessments

      • Network vulnerability assessments

      • Penetration testing and code review

      • Security control framework


Security Monitoring

  • Our Information Security department monitors notifications from various sources and alerts from internal systems to identify and manage threats.