This page provides essential information about the Security aspects of Bright.

Everything you need to know about Bright's security processes

Bright Software Group are Cyber Essentials Plus certified

At Bright, we have implemented a multi-layered approach to security. We employ a number of technical and organisational measures to help monitor and maintain the overall security posture of our infrastructure and applications, guarding them against cyber-attack and helping to ensure the security of our clients’ data. 

We are Cyber Essentials Plus certified, and aligned to ISO 27001 with all systems and data residing in ISO 27001 / SOC 2 certified data centres.

With a dedicated Chief Information Security Officer (CISO) in place, Bright are committed to continuous improvement across all areas of security and data protection. 

Bright use an online provider to deliver security awareness, training, and phishing exercises to all staff on a regular basis. We also have a dedicated Information Security channel for education, communication, and collaboration. 

To help better protect our customers from receiving phishing emails purporting to be from Bright, we ensure that Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) and Domain-based Message Authentication Reporting and Conformance (DMARC) records are fully valid and in place.

Security Awareness, Training & Phishing

Bright credentials are unique for all employees and contractors. Multi-factor authentication (MFA) is mandated and enforced (where possible) with Authenticator Apps preferred.  

For corporate Domain access, SMS as a second authentication factor is explicitly disabled to prevent SIM swapping and social engineering MFA fatigue attacks. 

Credentials and Multi-Factor Authentication

All corporate devices are centrally managed to ensure that a standard build configuration is maintained. This mandates disk encryption, firewall always-on settings and protective software installations. Hardening guidelines follow the latest Centre for Internet Security (CIS) benchmarks. 

Endpoint devices are protected from accessing malicious domains at the DNS level using a secure internet and web gateway, updated with global threat intelligence in real time. This ensures a level of protection wherever the device is used. 

Endpoint devices are further protected using industry leading Endpoint Detection & Response (EDR) technology to guard against malware, maintain an inventory of software on each machine, and the status of that software regarding security vulnerabilities and patch level. This feeds back into our centralised management tooling to ensure operating systems and deployed software are always maintained and up to date. 

EDR functionality is being expanded to include Managed Detection & Response (MDR) through a Managed Security Service Provider (MSSP) for 24/7 coverage.

Corporate Devices

The Bright corporate network maintains no key infrastructure and simply provides internet connectivity to already protected corporate devices via WPA2-PSK encrypted Wi-Fi with strong password (minimum 14-character length password). Bright are moving corporate access to certificate-based authentication. 

Internet connectivity is provided through dual pipes in an active/active configuration, protected using industry standard gateway technology. 

The corporate network is physically and logically separate to our customer application infrastructure, with no direct connectivity to client application cloud infrastructure. 

Corporate Network

All customer applications developed by Bright are developed in-house. We have a defined Secure Software Development Lifecycle (SSDLC) that incorporates: 

Training and awareness of the OWASP Top 10 web application security vulnerabilities;  

Use of secure development frameworks;  

IDE in-line code quality and security analysis; 

3rd party dependency management (both for security vulnerabilities and general updates); 

In-line Static Application Security Testing (SAST); 

Regular Dynamic Application Security Testing (DAST); 

Customer Application Development

Bright customer SaaS applications are hosted in GDPR-compliant, ISO 27001 and SOC2 certified, secure public cloud infrastructure data centres where, as per the shared responsibility model, the provider is responsible for the security “of” the cloud: the environmental, physical, and underlying compute infrastructure. 

Bright use both Microsoft Azure and Amazon Web Services (AWS) public cloud services with data hosted in European regions. Where applicable, US and Indian client data is hosted in the associated relevant jurisdiction. 

Bright is responsible for the security “in” the cloud: the applications we deploy and the configuration of the infrastructure to support those deployments. 

We use cloud native tooling to constantly assess our cloud infrastructure against industry standard guidelines and best practice and follow recommended advice to maintain the overall security posture. The latest Centre for Internet Security (CIS) benchmarks are also considered as well as running a SIEM 24/7 with automated anomaly alerting.

Customer Application Infrastructure

Where our applications store credentials, these are encrypted in our database using an industry standard secure, one-way cryptographic hashing function with salt. Passwords are not stored in plaintext, and it is not possible to reverse engineer the stored equivalent.  

Bright are rolling out Azure B2C customer identity access management (CIAM) to prevent the need for storing password credentials within Bright application infrastructure. 

Data in Transit: HTTPS is mandated using minimum TLS v1.2 and prioritising the strongest SHA-256 cipher suites. 

Data at Rest: transparent data encryption is mandated for all databases, with secure key vault storage being used. 

Encryption

Bright deploy industry standard tooling to guard against Distributed Denial of Service (DDoS) attacks which can be used to take our customer services offline. 

DDoS Protection

Bright subscribe to multiple resources and threat intelligence feeds to help drive our situational awareness and understand emerging threats, topics and breaches within industry which are used to help drive thinking, guidance and policy going forwards. 

Emerging Threats

At Bright Software Group, we have been ISO 27001 certified since 2021 and have recently undergone an annual surveillance audit (summer 2023) to maintain our certification.

ISO 27001

Bright are committed to complying with current data protection legislation in both Ireland and the UK. We are bound by the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 and maintain an up-to-date registration with the Information Commissioner’s Office (ICO) in the UK. 

We fully respect the rights of data subjects and do not sell, rent, or share data with any third party unless previously agreed as part of any contractual arrangement – published in our online list of subprocessors – to help provide our services. We contractually engage with third parties to ensure that they are subject to the same security standards in-line with GDPR requirements. 

Privacy / GDPR

You can download a GDPR-compliant Data Processing Addendum (DPA) for your records, depending on your chosen service: 

Product Suite	Data Processor	DPA Link	Version
BrightPay Products	Thesaurus Software Ltd t/a Bright	here	v1.3.0
Surf products	SurfAccounts Ltd	here	v1.3.0
Relate products	Relate Software Development Ltd	here	v1.3.0
BTCSoftware products	BTCSoftware Ltd	here	v1.3.0
AccountancyManager products	AccountancyManager (AM) Ltd	here	v1.3.0

Stay safe with Bright

Bright Software Group are Cyber Essentials Plus certified

Bright's security processes and policies

Data Processing Addendum