Security
Everything you need to know about Bright’s security processes, data processing, and policies. Bright Software Group is Cyber Essentials certified.
Bright use an online provider to deliver security awareness training and phishing exercises to all staff on a regular basis. We also have a dedicated Information Security channel for education, communication, and collaboration. To help protect our customers from receiving phishing emails purporting to be from Bright, we ensure that Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records are fully valid and in place.
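As an added illustration of what "valid and in place" means for SPF and DMARC (this is example code written for this page, not Bright's tooling), the checks below run offline over constructed TXT records: the SPF record must declare v=spf1, stay within the ten-lookup limit and end with a restrictive all mechanism, and the DMARC record must carry an enforcing policy and a reporting address. Domain names in the samples are fictional.

```python
"""Offline sanity checks for SPF and DMARC TXT records (added example).
All record text below is constructed; nothing here queries DNS."""
import re
from typing import List, Optional

LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208: more than 10 DNS-querying terms is a permerror

# Constructed sample records for a fictional domain; not real DNS data.
SAMPLE_SPF_GOOD = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"
SAMPLE_SPF_WEAK = "v=spf1 a mx include:_spf.example.net +all"
SAMPLE_DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc-rpt@example.com; adkim=s"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none"

def _mech(term: str) -> str:
    """Mechanism or modifier name of one SPF term, e.g. 'include:x' -> 'include'."""
    return re.split(r"[:/=]", term.lower().lstrip("+-~?"), maxsplit=1)[0]

def check_spf(txt: str) -> List[str]:
    """Findings for an SPF TXT record; an empty list means no issue found."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or not version spf1"]
    findings = []
    lookups = sum(1 for t in terms[1:] if _mech(t) in LOOKUP_MECHS)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS}")
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorises any sender; use -all or ~all")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("no terminal -all/~all; unknown senders get a neutral result")
    return findings

def check_dmarc(txt: Optional[str]) -> List[str]:
    """Findings for the _dmarc TXT record (None means nothing is published)."""
    if txt is None:
        return ["no DMARC record published"]
    tags = dict(re.findall(r"(\w+)\s*=\s*([^;]*)", txt))  # tag=value; pairs
    if tags.get("v", "").strip() != "DMARC1":
        return ["DMARC record is not version DMARC1"]
    findings = []
    policy = tags.get("p", "").strip().lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'} does not block spoofed mail")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are not received")
    return findings
```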
Bright credentials are unique for all employees and contractors. Multi-factor authentication (MFA) is mandated and enforced (where possible) with Authenticator Apps preferred. For corporate Domain access, SMS as a second authentication factor is explicitly disabled to prevent SIM swapping and social engineering MFA fatigue attacks.
All corporate devices are centrally managed to ensure that a standard build configuration is maintained. This mandates disk encryption, always-on firewall settings and protective software installations. Hardening guidelines follow the latest Center for Internet Security (CIS) benchmarks. Endpoint devices are protected from accessing malicious domains at the DNS level using a secure internet and web gateway, updated with global threat intelligence in real time. This ensures a level of protection wherever the device is used. Endpoint devices are further protected using industry-leading Endpoint Detection & Response (EDR) technology to guard against malware, maintain an inventory of the software on each machine, and track that software's security vulnerabilities and patch level. This feeds back into our centralised management tooling to ensure operating systems and deployed software are always maintained and up to date. EDR functionality is being expanded to include Managed Detection & Response (MDR) through a Managed Security Service Provider (MSSP) for 24/7 coverage.
The Bright corporate network maintains no key infrastructure and simply provides internet connectivity to already protected corporate devices via WPA2-PSK encrypted Wi-Fi with a strong password (minimum 14 characters). Bright are moving corporate access to certificate-based authentication. Internet connectivity is provided through dual pipes in an active/active configuration, protected using industry standard gateway technology. The corporate network is physically and logically separate from our customer application infrastructure, with no direct connectivity to client application cloud infrastructure.
All customer applications developed by Bright are developed in-house. We have a defined Secure Software Development Lifecycle (SSDLC) that incorporates:
Bright customer SaaS applications are hosted in GDPR-compliant, ISO 27001 and SOC 2 certified, secure public cloud infrastructure data centres where, as per the shared responsibility model, the provider is responsible for the security “of” the cloud: the environmental, physical, and underlying compute infrastructure. Bright use both Microsoft Azure and Amazon Web Services (AWS) public cloud services with data hosted in European regions. Where applicable, US and Indian client data is hosted in the relevant jurisdiction. Bright is responsible for the security “in” the cloud: the applications we deploy and the configuration of the infrastructure to support those deployments. We use cloud native tooling to constantly assess our cloud infrastructure against industry standard guidelines and best practice, and follow recommended advice to maintain the overall security posture. The latest Center for Internet Security (CIS) benchmarks are also considered, and we run a SIEM 24/7 with automated anomaly alerting.
Where our applications store credentials, these are encrypted in our database using an industry standard secure, one-way cryptographic hashing function with salt. Passwords are not stored in plaintext, and it is not possible to recover the original password from the stored value. Bright are rolling out Azure B2C customer identity access management (CIAM) to remove the need for storing password credentials within Bright application infrastructure. Data in Transit: HTTPS is mandated using minimum TLS v1.2 and prioritising the strongest SHA-256 cipher suites. Data at Rest: transparent data encryption is mandated for all databases, with secure key vault storage being used.
Bright deploy industry standard tooling to guard against Distributed Denial of Service (DDoS) attacks which can be used to take our customer services offline.
Bright subscribe to multiple resources and threat intelligence feeds to drive our situational awareness and understand emerging threats, topics and breaches within the industry. These are used to inform our thinking, guidance and policy going forward.
At Bright Software Group, we have been ISO 27001 certified since 2021 and have recently undergone an annual surveillance audit (summer 2023) to maintain our certification.
Bright are committed to complying with current data protection legislation in both Ireland and the UK. We are bound by the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 and maintain an up-to-date registration with the Information Commissioner’s Office (ICO) in the UK. We fully respect the rights of data subjects and do not sell, rent, or share data with any third party unless previously agreed as part of a contractual arrangement – published in our online list of subprocessors – to help provide our services. We contractually engage with third parties to ensure that they are subject to the same security standards, in line with GDPR requirements.
You can download a GDPR-compliant Data Processing Addendum (DPA) for your records, depending on your chosen service:
| Product Suite | Data Processor | DPA Link | Version |
|---|---|---|---|
| BrightPay Products | Thesaurus Software Ltd t/a Bright | here | v1.3.0 |
| Surf products | SurfAccounts Ltd | here | v1.3.0 |
| Relate products | Relate Software Development Ltd | here | v1.3.0 |
| BTCSoftware products | BTCSoftware Ltd | here | v1.3.0 |
| AccountancyManager products | AccountancyManager (AM) Ltd | here | v1.3.0 |