Brightest Offers Enterprise Grade Security to Protect Your Data and Reduce Your Risk.
Last revised: January 4, 2023
At Brightest, we closely integrate web application security and privacy best practices throughout our development, web architecture, and DevOps processes, allowing us to provide enterprise-ready social impact, sustainability, corporate social responsibility (CSR), and environmental social governance (ESG) software that meets your security controls and requirements, earns your trust, and complies with international data privacy laws.
Today, our clients include governments, publicly-traded companies, and organizations operating in highly-regulated industries, thanks to the strength and consistency of our security controls and risk management practices.
Brightest is a cloud software application built on Django (used by The Washington Post, Instagram, Dropbox, Mozilla, Spotify, and others) and React (used by Bloomberg, Facebook, Salesforce, Microsoft, and Uber), offering a RESTful API. All Brightest customer data is stored in secure PostgreSQL database instances on Amazon Web Services (AWS) with regular, recurring data backups and security monitoring. All Brightest data is fully encrypted, both in transit and at rest.
Brightest's underlying web infrastructure runs on AWS EC2 servers, Docker, and Kubernetes (the container orchestration system originally developed by Google). This approach provides us considerable security, flexibility, and scalability across different regions and client needs.
Beyond encryption, our application is developed on modern, secure web application architecture, with proactive steps and security architecture in place to test, mitigate, monitor, and prevent back-door access, cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, clickjacking, and unapproved cross-origin (CORS) scripts. We enforce SSL/HTTPS throughout our application on all requests.
The AWS data center infrastructure used to provide all Brightest services is located in the United States by default. However, AWS also offers us the flexibility to relocate your data storage and application servers to a European Union (EU) data center in either Germany or Ireland if and where your organization needs to comply with GDPR and EU data compliance laws. The cloud IT infrastructure AWS provides Brightest is designed and managed to meet security best practices and a variety of IT security standards, including:
• SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
• SOC 2
• SOC 3
• FISMA, DIACAP, and FedRAMP
• DOD CSM Levels 1-5
• PCI DSS Level 1
• ISO 9001 / ISO 27001 / ISO 27017 / ISO 27018
• NIS 2 Directive (Directive (EU) 2022/2555)
In addition, the flexibility and control the AWS platform provides gives Brightest web, file, and database hosting infrastructure that meets the following standards:
• Criminal Justice Information Services (CJIS)
• Cloud Security Alliance (CSA)
• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Motion Picture Association of America (MPAA)
For more information on our cloud hosting and database security levels, please see AWS's security resources and policies at https://aws.amazon.com/security/ and https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/introduction-aws-security.pdf
To read more about AWS GDPR compliance, please see https://aws.amazon.com/blogs/security/all-aws-services-gdpr-ready/ and AWS's GDPR data processing addendum.
Brightest IT Security Policies and Controls
In addition to ensuring strong controls within our application technology, architecture, and hosting provider ecosystem, we also take dedicated, diligent internal steps at Brightest to monitor and assess our security programs and effectiveness to mitigate any vulnerabilities or issues. That includes:
• Third party security assessments and penetration tests
• 24/7 application security and performance monitoring and log analysis using systems such as Sentry, New Relic, Papertrail, and CloudWatch
• Routine vulnerability scanning
• Strict access controls (requiring 2FA) and employee security training
• Routine, internal testing and business continuity planning
• Ongoing maintenance of our Information Security Management System (ISMS) policies and procedures. Our corporate ISMS policy applies to all Brightest management, staff, contractors, and third-party service providers under contract, who have any access to, or involvement with, the business processes, information assets, and supporting IT assets and processes covered under the scope of our ISMS.
Enterprise and Employee (Individual) Data Privacy
Our technology, with built-in roles, permissions, access levels, and data environments, is designed and implemented to ensure your company's information is only accessible by authorized individuals. Where needed, Brightest can support corporate directory single sign-on (SSO), Security Assertion Markup Language (SAML), Multi-Factor Authentication (MFA), and identity provider (IDP) or HR information system (HRIS) integrations to provide secure directory sync and access privileges between your company's Brightest use and employee access, roles, permissions, and user authentication. Brightest can work with IDPs like Microsoft Active Directory, Okta, Auth0, Shibboleth, and others, and we're an ADP developer marketplace partner.
We take additional steps to verify that any third-party service provider integrated into Brightest: (1) conducts background checks on all new employees, (2) enforces information security training for all employees, (3) offers secure, stable, modern web application infrastructure and technologies that are widely used in the industry by best-in-class companies, (4) is regularly audited by third-party monitoring organizations, and (5) is PCI-compliant and complies with other modern information security and IMS standards like ISO/IEC 27001 and SOC 2. Our only third-party service providers integrated into our application that can receive personal information (PII) beyond AWS are Stripe and Twilio SendGrid, used for transactional user email notifications and donation receipt emails; both meet these strict requirements.
Whatever your company's data privacy and IT security needs are, Brightest can be configured to meet them.
International Data Compliance
We work closely with third-party privacy and security firms and vendors to ensure our platform meets international data protection, privacy, and processing standards. Brightest's Data Processing Agreements comply with all applicable GDPR requirements, and we completed a GDPR assessment verified by Osano in February 2021. Brightest is also compliant with US state and federal data security laws, including the California Consumer Privacy Act (CCPA).
For more information on our privacy and data processing policies, please see our privacy policy.
If you have any questions or comments about our security policies, approach, work, or information, or would like to report a security concern, please contact us here.