Security

We care about security. If you have any questions, or encounter any issues, please contact us.
Security Trust Report
Cloud Provider to Terraform
Certified

Key takeways

We use encryption to keep your data private while in transit.
Our security features: “remote backend”, “sandboxed deployment” to help you protect your infrastructure data.
We review our information collection, storage, and processing practices to prevent unauthorized access to our systems.
The Brainboard production infrastructure is hosted in Cloud Service Provider (CSP) environments.
We restrict access to personal information to Brainboard employees, contractors, and agents who need that information in order to process it. Anyone with this access is subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

Product Security

Product security is of paramount importance at Brainboard. Brainboard uses a software development lifecycle in line with general Agile principles. When security effort is applied throughout the Agile release cycle, security oriented software defects are able to be discovered and addressed more rapidly than in longer release cycle development methodologies. Software patches are released as part of our continuous integration process. Patches that can impact end users will be applied as soon as possible but may necessitate end user notification and scheduling a service window.

Our security features: “remote backend”, “sandboxed deployment” to help you protect your infrastructure data.

Brainboard performs continuous integration. In this way we are able to respond rapidly to both functional and security issues. Well defined change management policies and procedures determine when and how changes occur. This philosophy is central to DevOps security and the development methodologies that have driven Brainboard adoption. In this way, Brainboard is able to achieve extremely short mean time to resolution for security vulnerabilities and functional issues alike. Brainboard is continuously improving our DevOps practice in an iterative fashion.

Physical Security

The Brainboard production infrastructure is hosted in Cloud Service Provider (CSP) environments. Physical and environmental security related controls for Brainboard production servers, which includes buildings, locks or keys used on doors, are managed by these CSP’s. “Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors.”

Corporate Security

Brainboard leverages internal services that require transport level security for network access and individually authenticate users by way of a central identity provider and leveraging two factor authentication wherever possible.

All Brainboard personnel undergo regular security and privacy awareness training that weaves security into technical and non-technical roles; all employees are encouraged to participate in helping secure our customer data and company assets. Security training materials are developed for individual roles to ensure employees are equipped to handle the specific security oriented challenges of their roles.

Authentication and Access Management

End users may log in to Brainboard using an Identity Provider, leveraging Brainboard’s support for the Security Assertion Markup Language (SAML) or via the “Sign-in with Google” OpenID service. These services will authenticate an individual’s identity and may provide the option to share certain personally identifying information with Brainboard, such as your name and email address to pre-populate our sign up form. Brainboard’s SAML support allows organizations to control authentication to Brainboard and enforce specific password policies, account recovery strategies and multi-factor authentication technologies.

All requests to the Brainboard API must be authenticated. Requests that write data require at least reporting access as well as an API key. Requests that read data require full user access as well as an application key. These keys act as bearer tokens allowing access to Brainboard service functionality.

Protection of Customer Data

Data submitted to the Brainboard service by authorized users is considered confidential. This data is protected in transit across public networks and encrypted at rest. Customer Data is not authorized to exit the Brainboard production service environment, except in limited circumstances such as in support of a customer request.

All data transmitted between Brainboard and Brainboard users is protected using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). If encrypted communication is interrupted the Brainboard application is inaccessible.

Brainboard utilizes encryption at various points to protect Customer Data and Brainboard secrets, including encryption at rest (e.g. AES-256), asymmetric encryption (e.g. PGP) for system backups, KMS-based protections for the protection of secrets (passwords, access tokens, API keys, etc.), and GPG encryption.

Access to Customer Data is limited to functions with a business requirement to do so. Brainboard has implemented multiple layers of access controls for administrative roles and privileges. Access to environments that contain Customer Data requires a series of authentication and authorization controls, including Multi-Factor Authentication (MFA). Brainboard enforces the principles of least privilege and need-to-know for access to Customer Data, and access to those environments is monitored and logged for security purposes. Brainboard has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms, and enforces full-disk encryption and unique credentials for workstations.

Brainboard monitors critical infrastructure for security related events by using a custom implementation of open source and commercial technologies. Activity data such as API calls and operating system level calls are logged to a central point where the information is passed through a series of custom rules designed to identify malicious or unapproved behavior. The results of these rules are fed into an orchestration platform that triggers automated actions, which may include directly alerting the security team or triggering additional authentication requirements.

Disclosure

If you believe you’ve discovered a bug in Brainboard’s security, please get in touch at security <at> brainboard.co and we will get back to you within 24 hours, and usually earlier. We request that you not publicly disclose the issue until we have had a chance to address it.

We are SOC2 certified

Brainboard is proud to announce it has successfully completed the System and Organization Controls (SOC) 2 Type II examination in recognition of its commitment to information security. Developed by the American Institute of CPAs (AICPA), SOC 2 (System and Organization Controls) defines criteria for managing customer data based on five "trust service principles" — security, availability, processing integrity, confidentiality, and #privacy.

A SOC 2 examination provides organizations with a report on an organization's internal controls and how it protects customer data and sensitive information. It is the standard for #datasecurity among digital companies in the U.S.

An independent auditor, Insight Assurance, conducted the detailed examination. Through this process, Brainboard demonstrated its adherence to data security, availability, and confidentiality standards developed by the American Institute of Certified Public Accountants (AICPA).

With its SOC 2 recognition, Brainboard not only protects the safety of its customers' data today but demonstrates that it has set the right standards in place for the future.

To earn SOC 2 #certification, Brainboard completed the following over a 6 months:
• Assessment of the design and operating effectiveness of Brainboard's controls
• Thorough examination of security of vendors and third parties
• Defined policies to ensure continued protection for customers and employees

Brainboard is excited to be taking this important step to further its data protection practices.