Last updated: January 2023
Brightloom is a privacy-first, security-focused software company that understands the trust that customers put into their brands and brands' vendors. As such, we take an 8-point view on maintaining the highest level of integrity in the way we manage customer data.
Security and privacy are in our DNA. We practice Security by Design (SbD) and Privacy by Design (PbD). Anytime one of our teams kicks off a project or has an idea that they want to put in motion, they always include the security and privacy team. Cross-team teamwork is critical to our security and privacy success because security and privacy are everyone's job.
We are a cloud-native SaaS and certify to the standards set forth by the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment - the Cloud Security Alliance (CSA). We are Level One Certified on the STAR.
Brightloom has vulnerability policies, standards and procedures that follow industry standard best practices. We view vulnerability management as a three-legged stool: 1) scanner deployment for systems, web applications and images; 2) security awareness to combat attempts to leverage our people to get into our systems; 3) communications - delivering the vulnerabilities to the proper teams, ensuring that we meet our vulnerability SLA standards, and empowering the different technology teams to fix any vulnerabilities.
Our security monitoring and alerting system is jointly run by the Information Security team and the DevOps team. Traffic and system logs are ingested from all of our platform instances to give us full visibility into what’s going on at any time.
Our development team takes secure coding seriously. We have Secure Software Development Life Cycle policies and procedures that are part of our coding best practices. Our developers use Application Security Testing (AST) tools that are rigorously run on our code in all stages of the CI/CD pipeline.
We have a well-developed incident response plan and processes for security incidents that impact our clients.
We treat Personal Data (PD) as critical to our success by protecting it from the moment we ingest it all the way through secure deletion. Brightloom doesn’t require PD to provide our service, but if a brand requires that we receive it, our Data Engineering team identifies the PD and then protects it via encryption, or securely deletes it if it is not needed for AI/ML models.