Brightflag Trust and Security
GDPR, CCPA and CPRA
Brightflag is committed to ensuring the protection of all personal data entrusted to us and fully complies with all applicable privacy laws including the General Data Protection Regulation, the California Consumer Privacy Act and the California Privacy Rights Act.
ISO/IEC 27001:2013
ISO/IEC 27001:2013 Information security management systems certification
SOC 1 and SOC 2
Brightflag prepares annual reports for AICPA System and Organization Controls (SOC) across all 5 Trust Categories:
- SOC 1 Type 2 (Controls at Service Organization Relevant to User Entities’ Internal Control over Financial Reporting); and
- SOC 2 Type 2 (Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy).
At Brightflag, we take information security very seriously and pride ourselves on having a robust, best-in-class information security infrastructure which prioritizes the security of our customers’ data. We embrace security by design in all of our processes and infrastructure and have worked hard to build a culture of compliance across our business. We are regularly independently audited from an information security and privacy compliance perspective and conform to best-practice industry standards. We are transparent, so we maintain a Trust Center which contains copies of our certifications and independent test reports along with our information security and privacy policies. We are happy to facilitate access to the Trust Center for prospects and existing customers. If you would like access, please contact us. In the meantime, below is a summary of the main security, privacy and compliance activities here at Brightflag and some frequently asked questions which we hope will be helpful:
Where is Brightflag Customer Data located?
Brightflag is a cloud-based Software as a Service. Our data is stored in secure data centers in Europe (Ireland), the United States and Australia. The choice of data center is determined by the location of our customers and what makes most sense for them given the origin of their data.
How does Brightflag process personal data?
For services offered to our customers, Brightflag is a data processor with respect to any personal data processed and the customer is the data controller. You can find a more detailed summary of how Brightflag processes personal data by going to the Brightflag Privacy Notice.
What technical and organisational measures has Brightflag implemented to optimise data security?
Independent Audits and Penetration Testing
Brightflag’s data security infrastructure is regularly independently audited to ISO 27001:2013, SOC 1 and SOC 2 standards and externally penetration tested by CREST-certified security testers.
Network Security
Brightflag employs a number of industry gold-standard methods to detect and prevent security threats, such as AWS security services, a SIEM, firewalls, and intrusion detection and prevention systems, to ensure that all network traffic is secure and to prevent Distributed Denial of Service (DDoS) attacks.
Vulnerability Management
Brightflag has a continuous vulnerability scanning and patching program using industry-leading services and is externally validated through ISO 27001:2013, SOC 1 and SOC 2.
Data Encryption
All data processed by Brightflag is encrypted at rest using AES-256. Encryption keys are managed using AWS Key Management Service (KMS). Data in transit is encrypted with HTTPS using a minimum of TLS 1.2.
Identity and Access Management
Brightflag supports single sign-on using the SAML protocol. Example integrations include Active Directory Federation Services (ADFS), Azure Active Directory, Google, Okta, OneLogin, and Ping Identity. In addition, Brightflag supports the SCIM standard for user provisioning, permission management, and de-provisioning. The Brightflag API authenticates via OAuth.
Role-Based Access Controls
Brightflag supports a number of out-of-box user roles and access permissions.
A more detailed breakdown of user roles and permissions is available on the Brightflag Help Center.
IP Whitelisting
If desired, we can restrict access to a set of IP ranges.
How does Brightflag support Customers with data backup and deletion?
Data retention and deletion are configurable to our customers’ requirements. Brightflag’s data retention management ensures that records are not retained for longer than needed. We fully support our customers in complying with data subject access requests (DSARs).
Describe Brightflag’s application infrastructure
Our SaaS application is hosted in a multi-tenant AWS environment with secure infrastructure configuration and monitoring by our Security Operations Center (SOC).
Who in Brightflag can access Customer Data?
Access to customer data by Brightflag personnel, for example, to provide technical support, is strictly on an as-needed basis in line with our Role-Based Access Control Policy.
How can Customer Data be restored in the event of any incident?
Customer data is regularly backed up to AWS data centers to ensure that data is recoverable as part of our business continuity and disaster recovery planning. Brightflag performs full database backups. Our databases are also deployed as standby databases in other data centers, providing more up-to-date recovery from failure.
Application Availability
Our applications are built in a cluster that recovers and scales with demand automatically to prevent services going offline.
Logging and Monitoring
Brightflag customers can track important application actions performed in-app. In addition, Brightflag can support requests for fine-grained audit logs.
Continuous Improvement, Training, Awareness and Phishing
At Brightflag, we are conscious that the world of information security and privacy is ever-evolving and we always aim to stay a few steps ahead. We are continuously improving our information security and privacy procedures. Brightflag employees undergo mandatory security and privacy training on commencement and throughout their employment with Brightflag. We also run bespoke team security and data handling training, as well as regular phishing campaigns that simulate the latest techniques attackers are using, to maintain a high level of employee awareness.