Security
How Brightvale protects platform and customer data.
Security program
Brightvale Technologies, Inc. maintains a security program aligned to SOC 2 Trust Services Criteria and ISO 27001 control families. A SOC 2 Type II audit is in progress, with target completion in 2026.
Security is owned by our CTO organization with dedicated infrastructure, application security, and GRC functions.
Infrastructure
Platform infrastructure includes:
- Production isolated from development; separate credentials and networks.
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Daily encrypted backups with tested restore procedures.
- DDoS mitigation and WAF at the edge.
- Multi-AZ deployment for critical services.
Access control
Role-based access with least privilege, MFA for production systems, quarterly access reviews, and immediate revocation on role change.
Customer administrators control user provisioning within their tenant boundaries.
Secure development
Code review, dependency scanning, static analysis, and segregated CI/CD pipelines. Production deploys require approval and automated health checks.
Secrets are stored in dedicated vaults — never in source control.
Monitoring & incident response
Centralized logging, anomaly detection, and 24/7 on-call rotation for severity-1 incidents. Customers with premium support receive proactive notification for confirmed platform incidents affecting their tenant.
Post-incident reviews document root cause, remediation, and customer communication timelines.
Coordinated disclosure
Report vulnerabilities to security@brightvale.co. Include a proof of concept, impact, and reproduction steps. We aim to acknowledge within two business days.
Please do not access customer data, perform destructive testing, or publicly disclose before we confirm remediation or an agreed timeline.
We do not offer a paid bug bounty at this time but recognize researchers in release notes when permitted.
Security documentation
Enterprise prospects may request our security questionnaire, pen test executive summary, and architecture overview under NDA via compliance@brightvale.co.