Brightest for IT Teams

The AWS data center infrastructure used to provide all Brightest services by default is located in the United States, however AWS also offers us the flexibility to relocate your data storage and application servers to a European Union (EU) data center in either Germany or Ireland if and where your organization needs to comply with GDPR and EU data compliance laws. The cloud IT infrastructure AWS provides Brightest is designed and managed to meet security best practices and a variety of IT security standards, including:

• SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)

• SOC 2

• SOC 3

• FISMA, DIACAP, and FedRAMP

• DOD CSM Levels 1-5

• PCI DSS Level 1

• ISO 9001 / ISO 27001 / ISO 27017 / ISO 27018

• NIS 2 Directive (Directive (EU) 2022/2555)

The AWS infrastructure platform provides gives Brightest web, file, and database hosting infrastructure that meets the following standards:

• Criminal Justice Information Services (CJIS)

• Cloud Security Alliance (CSA)

• Family Educational Rights and Privacy Act (FERPA)

• Health Insurance Portability and Accountability Act (HIPAA)

• Motion Picture Association of America (MPAA)

For more information on our cloud hosting and database security levels, please see AWS's security resources and policies at https://aws.amazon.com/security/ and https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/introduction-aws-security.pdf

To read more about AWS GDPR compliance, please see https://aws.amazon.com/blogs/security/all-aws-services-gdpr-ready/ and AWS' GDPR data processing addendum

International Data Compliance

We work closely with third party privacy and security firms and vendors to ensure our platform meets international data protection, privacy, and processing standards. Brightest's Data Processing Agreements comply with all applicable GDPR requirements, and we completed a GDPR assessment verified by Osano in February, 2021. Brightest is also compliant with US state and federal data security laws, including the California Consumer Privacy Act (CCPA).

For more information on our privacy and data processing policies, please see our privacy policy.

If you have any questions or comments about our security policies, approach, work, or information, or would like to report a security concern please contact us here.

In addition to ensuring strong controls within our application technology, architecture, and hosting provider ecosystem, we also take dedicated, diligent internal steps at Brightest to monitor and assess our security programs and effectiveness to mitigate any vulnerabilities or issues. That includes:

• Third party security assessments and penetration tests

• 24/7 application security and performance monitoring and log analysis using systems like Sentry, NewRelic, Papertrail, CloudWatch, and other systems

• Routine vulnerability scanning

• Strict access controls (requiring 2FA) and employee security training

• Routine, internal testing and business continuity planning

• Ongoing maintenance of our Information Security Management System (ISMS) policies and procedures. Our corporate ISMS policy applies to all Brightest management, staff, contractors, and third-party service providers under contract, who have any access to, or involvement with, the business processes, information assets, and supporting IT assets and processes covered under the scope of our ISMS.

Enterprise and Employee (Individual) Data Privacy

Our technology, with built-in roles, permissions, access levels, and data environments, is designed and implemented to ensure your company’s information is only accessible by authorized individuals. Where needed, Brightest can support corporate directory single-sign on (SSO), Security Assertion Markup Language (SAML), Multi-Factor Authentication (MFA), and identity provider (IDP)or HR information system (HRIS) integrations to provide secure directory sync and access privileges between your company's Brightest use and employee access, roles, permissions, and user authentication. Brightest can work with IDPs like Microsoft Active Directory, Okta, Auth0, Shibboleth, and others, and we're an ADP developer marketplace partner.

We take additional steps to verify that any 3rd party service provider integrated into Brightest: (1) conducts background checks on all new employees, (2) enforces info security training for all employees, (3) offers secure, stable, modern web application infrastructure and technologies that are widely used in the industry by best-in-class companines, (4) is regularly audited by 3rd party monitoring organizations, and (5) is PCI-compliant and complies with other modern information security and IMS standards like ISO/IEC 27001 and SOC 2. Our only third-party service providers integrated into our application that can receive personal information (PIIA) beyond AWS are Stripe and Twilio Sendgrid for transactional user email notifications and donation reciept emails, both of whom meet these strict requirements.

Whatever your company’s data privacy and IT security needs are, Brightest can be configured to meet them.

🖥️Brightest for IT Teams

Brightest Offers Enterprise Grade Security to Protect Your Data and Reduce Your Risk.