Last updated July 14, 2022
We often get questions from our customers and users about our security practices and what we do to protect their data. We aim to be as transparent as possible, so this document explains some of the most important things we do to protect your data. We also explain what you can do to protect your own data when using Brightspot, especially around your password.
It is the CTO’s responsibility to see this policy is enforced.
We may revise these guidelines from time to time. The most current version of the guidelines will be available at www.getbrightspot.com/security-disclosure-policy.
Data Handling. We take the handling of your data, at rest and in transit, seriously. We classify all data, and our employees are trained in the proper handling of your (and our) data. Employees are granted access to systems that hold your data on a “need-to-know” basis (i.e. only if required to perform their job). All employees with access to systems that hold your data are required to use strong passwords and multi-factor authentication. We suggest that you also use strong (long) passwords and enable multi-factor authentication, especially when using single sign-on with Brightspot, so that security is handled on your side as well.
Data Encryption. We encrypt all communication between you and our applications using industry-standard TLS (the successor to SSL). Our cloud database provider encrypts all cluster storage and snapshot volumes, so all cluster data on disk is protected: a concept known as encryption at rest. We hash all passwords and have no way to decrypt them, so if you forget your password, resetting it is the only option. We store all your data in ISO 27001 compliant data centers in Canada.
Credit Card Safety. When you purchase a paid subscription with Brightspot, we neither store nor transmit your credit card information. We use Stripe, a PCI-DSS Level 1 compliant payment processor to handle all credit card transactions.
Monitoring. We actively monitor security issues and releases of our technical stack and deploy patches as quickly as possible. We utilize multiple types of logging to monitor the live (and past) state of our application to help detect and recover from any security events. We maintain a list of our vendors’ security policies and monitor our vendors for security breaches that could lead back to our application.
Doing The Right Thing. One of our core values is that we do the right thing. We embody this by keeping our technical stack, our application/platform, and our business processes lean and free of unnecessary complexity. We automate as much of our testing, deployment and backup processes as possible to reduce human error. All new code is reviewed by at least two pairs of eyes and evaluated against our secure coding standards. We regularly tear out code that has reached the end of its usefulness to keep our application lean.
Going Beyond. Another of our core values is that we get stuff done and go beyond. All of our employees receive regular security and data handling training so that they are aware of common and new security threats and how to mitigate them. Our engineering staff are constantly evaluating and integrating new technologies into our stack and application to create the best possible user experience and to increase security.
Disciplinary Action. Employees who violate this policy may face disciplinary consequences in proportion to their violation. Brightspot management will determine how serious an employee’s offense is and take the appropriate action.
We Do Much More. This is not a comprehensive list of the security measures we keep to safeguard your data. If you have any more questions, please contact us; we’re glad to answer any and all of your questions.
Use Multi-factor Authentication (or SSO). Our application allows you and your colleagues to enable multi-factor authentication as part of your Single Sign-On (SSO) process. Since we integrate with most SAML providers, you don’t need to remember another password to gain access to Brightspot. Note that when you sign in through SSO, the second factor is enforced by your identity provider, so make sure multi-factor authentication is switched on there.
Manage Users Automatically. Manually adding and removing users and permissions is easy to overlook and is a common source of unauthorized access to data (e.g. it is easy to forget to remove an employee from Brightspot when they leave your organization). Brightspot is working on adding IdP support via the SCIM 2.0 protocol (Okta, Azure, OneLogin, G-Suite) to automatically sync which users should have access to the platform and data.
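The risk described above (a user offboarded in the identity provider but still active in the application) is what SCIM-based provisioning removes. The following added example is not Brightspot’s implementation (the page says SCIM support is still in progress) but a hypothetical illustration of the two halves of such a sync: reconciling an IdP’s view of users against an application’s, and the SCIM 2.0 PatchOp request (RFC 7644) an IdP sends to deactivate a user. All user data is constructed sample data.

```python
import json
from typing import Dict, List, Tuple

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample data for illustration. IDP_USERS is the identity
# provider's view (the source of truth); APP_USERS is what the application
# currently believes. Note bob was offboarded in the IdP but is still active
# in the app, and dave exists only in the app.
IDP_USERS = {
    "alice@example.com": {"active": True},
    "bob@example.com": {"active": False},
    "carol@example.com": {"active": True},
}
APP_USERS = {
    "alice@example.com": {"id": "u-1", "active": True},
    "bob@example.com": {"id": "u-2", "active": True},
    "dave@example.com": {"id": "u-3", "active": True},
}


def reconcile(idp_users: Dict[str, dict],
              app_users: Dict[str, dict]) -> Tuple[List[str], List[str]]:
    """Return (to_create, to_deactivate) usernames.

    A user is created when the IdP says they are active and the app has no
    record. A user is deactivated when the app has them active but the IdP
    either reports them inactive or does not know them at all: with the IdP
    as source of truth, "unknown to the IdP" must not mean "keep access".
    """
    to_create = sorted(
        name for name, attrs in idp_users.items()
        if attrs["active"] and name not in app_users
    )
    to_deactivate = sorted(
        name for name, attrs in app_users.items()
        if attrs["active"] and not idp_users.get(name, {}).get("active", False)
    )
    return to_create, to_deactivate


def deactivate_request(user_id: str) -> Tuple[str, str, dict]:
    """Build the HTTP method, path and body of the SCIM 2.0 PatchOp an IdP
    sends to deprovision a user (RFC 7644 section 3.5.2)."""
    body = {
        "schemas": [PATCH_OP_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }
    return "PATCH", f"/Users/{user_id}", body


def apply_patch(user: dict, patch: dict) -> dict:
    """Server side: validate and apply a PatchOp to a stored user record.

    Only `replace` on `active` is supported here; anything else is rejected
    rather than silently ignored, so a malformed request cannot leave a
    user in an unexpected state. The input record is not mutated.
    """
    if patch.get("schemas") != [PATCH_OP_SCHEMA]:
        raise ValueError("not a SCIM 2.0 PatchOp")
    updated = dict(user)
    for op in patch.get("Operations", []):
        if op.get("op") != "replace" or op.get("path") != "active":
            raise ValueError(f"unsupported operation: {op}")
        if not isinstance(op.get("value"), bool):
            raise ValueError("active must be a boolean")
        updated["active"] = op["value"]
    return updated


if __name__ == "__main__":
    to_create, to_deactivate = reconcile(IDP_USERS, APP_USERS)
    print("create:", to_create)
    print("deactivate:", to_deactivate)
    for name in to_deactivate:
        method, path, body = deactivate_request(APP_USERS[name]["id"])
        print(method, path, json.dumps(body))
        print("  ->", apply_patch(APP_USERS[name], body))
```

The point of `reconcile` is that the decision is computed from the identity provider’s current state every time, so a leaver is removed as soon as the IdP deactivates them, rather than whenever someone remembers to do it by hand.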
Reporting Security Issues. If you believe you’ve found something in Brightspot that has security implications, please email us, following our Responsible Disclosure Policy below.
If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at support@getbrightspot.com. We will acknowledge your email within five business days.
Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within ten business days of disclosure.
Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Brightspot service. Please only interact with accounts you own or for which you have explicit permission from the account holder.
While researching, we’d like you to refrain from:
Distributed Denial of Service (DDoS)
Spamming
Social engineering or phishing of Brightspot employees or contractors
Any attacks against Brightspot’s physical property or data centers
Thank you for helping to keep Brightspot and our users safe! Brightspot is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at support@getBrightspot.com.