Security

At Bright, we have implemented a multi-layered approach to security. We employ a number of technical and organisational measures to help monitor and maintain the overall security posture of our infrastructure and applications, guarding them against cyber-attack and helping to ensure the security of our clients’ data. 

With a dedicated Chief Information Security Officer (CISO) in place, Bright are committed to continuous improvement across all areas of security and data protection. 

Security Awareness, Training & Phishing 

Bright use an online provider to deliver security awareness, training, and phishing exercises to all staff on a regular basis. We also have a dedicated Information Security channel for education, communication, and collaboration. 

To help better protect our customers from receiving phishing emails purporting to be from Bright, we ensure that Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) and Domain-based Message Authentication Reporting and Conformance (DMARC) records are fully valid and in place. 
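As an added example (not Bright's own tooling), the following Python checks constructed sample SPF and DMARC TXT records for the weaknesses that most often make these records "in place" but not effective: no record at all, a permissive terminating `all`, more than ten DNS-lookup terms, or a DMARC policy of `p=none`. The domain names and records are made up.

```python
import re

# Constructed sample TXT records for hypothetical domains; not real DNS data.
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.mailhost.example ip4:203.0.113.10 -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; adkim=s; aspf=s"],
    "weak.example": ["v=spf1 include:_spf.mailhost.example ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}
# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(records):
    """Return findings for a domain's SPF TXT records; an empty list means it passes."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    findings = ["multiple SPF records (exactly one is allowed)"] if len(spf) > 1 else []
    terms = spf[0].split()[1:]
    # The terminating 'all' decides the verdict for any sender not matched earlier.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("missing 'all' mechanism")
    elif all_terms[-1] not in ("-all", "~all"):
        findings.append(f"permissive '{all_terms[-1]}' lets any sender pass")
    lookups = sum(re.split(r"[:=/]", t.lstrip("+-~?"))[0].lower() in LOOKUP_TERMS for t in terms)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings

def check_dmarc(records):
    """Return findings for a domain's _dmarc TXT records; an empty list means it passes."""
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["no DMARC record"]
    tags = {k.lower(): v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", dmarc[0])}
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"policy 'p={tags.get('p', 'missing')}' does not block spoofed mail")
    if "rua" not in tags:
        findings.append("no aggregate reporting address (rua)")
    return findings

def audit_domain(domain, txt=SAMPLE_TXT):
    """Run both checks for one domain against the in-memory records."""
    return {"spf": check_spf(txt.get(domain, [])),
            "dmarc": check_dmarc(txt.get("_dmarc." + domain, []))}
```

Replacing `SAMPLE_TXT` with live TXT lookups (for example via `dnspython`) turns this into a periodic check that the records have not drifted.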

Credentials and Multi-Factor Authentication 

Bright credentials are unique for all employees and contractors. Multi-factor authentication (MFA) is mandated and enforced (where possible) with Authenticator Apps preferred.  

For corporate Domain access, SMS as a second authentication factor is explicitly disabled to prevent SIM swapping and social engineering MFA fatigue attacks. 

Corporate Devices 

All corporate devices are centrally managed to ensure that a standard build configuration is maintained. This mandates disk encryption, always-on firewall settings and installation of protective software. Hardening guidelines follow the latest Center for Internet Security (CIS) benchmarks. 

Endpoint devices are protected from accessing malicious domains at the DNS level using a secure internet and web gateway, updated with global threat intelligence in real time. This ensures a level of protection wherever the device is used. 

Endpoint devices are further protected using industry-leading Endpoint Detection & Response (EDR) technology to guard against malware, maintain an inventory of the software on each machine, and track that software's security vulnerabilities and patch level. This feeds back into our centralised management tooling to ensure operating systems and deployed software are kept up to date. 

EDR functionality is being expanded to include Managed Detection & Response (MDR) through a Managed Security Service Provider (MSSP) for 24/7 coverage. 

Corporate Network 

The Bright corporate network hosts no key infrastructure and simply provides internet connectivity to already protected corporate devices via WPA2-PSK encrypted Wi-Fi with a strong pre-shared key (minimum 14 characters). Bright are moving corporate access to certificate-based authentication. 

Internet connectivity is provided through dual pipes in an active/passive configuration, protected using industry standard gateway technology. 

The corporate network is physically and logically separate from our customer application infrastructure, with no direct connectivity to client application cloud infrastructure. 

Cyber Essentials / Plus 

From early 2023, Bright will be applying for Cyber Essentials certification and then expanding to Cyber Essentials Plus certification through an independent audit. 

Customer Application Development 

All Bright customer applications are developed in-house. We have a defined Secure Software Development Lifecycle (SSDLC) that incorporates: 

  • training and awareness of the OWASP Top 10 web application security vulnerabilities;  
  • centralised source-code management; 
  • use of secure development frameworks;  
  • IDE in-line code quality and security analysis; 
  • third-party dependency management (both for security vulnerabilities and general updates); 
  • mandated code peer reviews; 
  • in-line Static Application Security Testing (SAST); 
  • regular Dynamic Application Security Testing (DAST); 
  • regular vulnerability scanning; 
  • regular penetration testing. 

Customer Application Infrastructure 

Bright customer SaaS applications are hosted in GDPR-compliant, ISO 27001 and SOC2 certified, secure public cloud infrastructure data centres where, as per the shared responsibility model, the provider is responsible for the security “of” the cloud: the environmental, physical, and underlying compute infrastructure. 

Bright use both Microsoft Azure and Amazon Web Services (AWS) public cloud services, with data hosted in European regions. Where applicable, US and Indian client data is hosted in the relevant jurisdiction. 

Bright is responsible for the security “in” the cloud: the applications we deploy and the configuration of the infrastructure to support those deployments. 

We use cloud-native tooling to continuously assess our cloud infrastructure against industry standard guidelines and best practice, and follow the recommended advice to maintain the overall security posture. The latest Center for Internet Security (CIS) benchmarks are also considered. 

Bright are engaging with an expert third-party organisation to offer 24/7 Security Operations Centre (SOC) services covering our cloud infrastructure utilising native Security Information and Event Management (SIEM) tooling.  

Encryption 

Where our applications store credentials, these are stored in our database as salted hashes produced by an industry standard, one-way cryptographic hashing function. Passwords are not stored in plaintext, and the original password cannot be recovered from the stored hash.  

Bright are rolling out Azure B2C customer identity access management (CIAM) to prevent the need for storing password credentials within Bright application infrastructure. 

Data in Transit: HTTPS is mandated, with TLS 1.2 as the minimum protocol version and the strongest SHA-256 cipher suites prioritised. 

Data at Rest: transparent data encryption is mandated for all databases, with secure key vault storage being used. 

DDoS Protection 

Bright deploy industry standard tooling to guard against Distributed Denial of Service (DDoS) attacks which can be used to take our customer services offline. 

Emerging Threats 

Bright subscribe to multiple resources and threat intelligence feeds to maintain situational awareness of emerging threats, topics and breaches within the industry; these inform our thinking, guidance and policy going forward. 

ISO 27001  

Part of the Bright Group of Companies has already achieved ISO 27001 certification. During 2023, we are looking to increase the scope and roll out to the wider Group. 

Privacy / GDPR  

Bright are committed to complying with current data protection legislation in both Ireland and the UK. We are bound by the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 and maintain an up-to-date registration with the Information Commissioner’s Office (ICO) in the UK. 

We fully respect the rights of data subjects and do not sell, rent, or share data with any third party unless previously agreed as part of a contractual arrangement – published in our online list of subprocessors – to help provide our services. We contractually engage with third parties to ensure that they are subject to the same security standards, in line with GDPR requirements. 

Data Processing Addendum 

You can download a GDPR-compliant Data Processing Addendum (DPA) for your records, depending on your chosen service: 

Product Suite        Data Processor                      DPA Link   Version
BrightPay products   Thesaurus Software Ltd t/a Bright   here       v1.2.0
Surf products        SurfAccounts Ltd                    here       v1.2.0
Relate products      Relate Software Development Ltd     here       v1.2.0