Security Practices
Encryption
- TLS 1.3 encryption for all data in transit
- AES-256 encryption at rest via Neon PostgreSQL
- AES-256-GCM field-level encryption for PII
- Automated key rotation with secure key management
Authentication
- Single Sign-On (SSO) with Google and Microsoft
- Multi-Factor Authentication (MFA / 2FA)
- Passwordless magic link authentication
- Brute force protection with account lockout
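Account lockout is listed above without detail; the following is an added illustration (constructed for this page, not Brighten's own code) of how such a guard is typically structured: failed attempts are counted per account inside a sliding window, the account is locked for a fixed period once the threshold is hit, and the counter resets after the lock expires or on a successful login. The threshold, window and lockout durations are assumed values.

```python
import time
from collections import defaultdict, deque

# Constructed example of brute-force protection with account lockout.
# Thresholds below are assumptions, not Brighten's configured values.
MAX_FAILURES = 5            # failures allowed inside the window before locking
WINDOW_SECONDS = 15 * 60    # sliding window over which failures are counted
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked


class LoginGuard:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> unix time at which the lock expires

    def _prune(self, account, now):
        # Drop failures that have aged out of the sliding window.
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, account, now=None):
        """Call before verifying credentials. Returns (allowed, seconds_until_retry)."""
        now = time.time() if now is None else now
        until = self._locked_until.get(account)
        if until is not None:
            if now < until:
                return False, until - now
            # Lock has expired: forget it and the failures that caused it.
            del self._locked_until[account]
            self._failures[account].clear()
        return True, 0.0

    def record_failure(self, account, now=None):
        """Register a failed attempt. Returns True if this attempt triggered a lock."""
        now = time.time() if now is None else now
        self._prune(account, now)
        q = self._failures[account]
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        """A successful login clears the failure history for the account."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)
```

The caller should return the same generic error whether the account is locked or the password was wrong, so the response does not reveal account state; the `check` result is for logging and for deciding whether to even run the password check. A per-account counter like this is normally paired with per-IP rate limiting (the page lists Redis-backed rate limiting under Infrastructure) so that one source cannot lock out many accounts.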
Audit Logging
- Tamper-proof audit logs with hash chaining
- Complete activity trail for all user actions
- Data classification labels on all entries
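The list above names hash chaining as the tamper-evidence mechanism and classification labels on every entry. The block below is an added example of both (constructed for this page, not Brighten's implementation): each entry carries a classification label and the SHA-256 hash of the previous entry, and a verifier walks the chain to find the first entry that no longer matches. The sample entries, timestamps and label names are constructed.

```python
import hashlib
import hmac
import json

# Constructed example of a hash-chained audit log with classification labels.
# Each entry commits to the previous entry's hash, so editing, reordering or
# deleting a record invalidates every hash that follows it.
GENESIS_HASH = "0" * 64


def canonical(body):
    """Deterministic JSON so an entry always serializes, and hashes, the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(body, prev_hash):
    return hashlib.sha256(prev_hash.encode() + canonical(body)).hexdigest()


def append_entry(log, timestamp, actor, action, resource, classification):
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    body = {
        "seq": len(log),
        "timestamp": timestamp,
        "actor": actor,
        "action": action,
        "resource": resource,
        "classification": classification,  # data classification label on every entry
    }
    record = dict(body, prev_hash=prev_hash, hash=entry_hash(body, prev_hash))
    log.append(record)
    return record


def verify_chain(log):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
    prev_hash = GENESIS_HASH
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k not in ("prev_hash", "hash")}
        if body.get("seq") != i or record["prev_hash"] != prev_hash:
            return False, i
        if not hmac.compare_digest(record["hash"], entry_hash(body, prev_hash)):
            return False, i
        prev_hash = record["hash"]
    return True, None


def build_sample_log():
    """Three constructed entries with fixed timestamps so hashes are reproducible."""
    log = []
    append_entry(log, "2024-05-01T09:00:00Z", "alice@example.com", "login", "session/1", "internal")
    append_entry(log, "2024-05-01T09:05:12Z", "alice@example.com", "export", "report/42", "confidential")
    append_entry(log, "2024-05-01T09:07:30Z", "alice@example.com", "logout", "session/1", "internal")
    return log


def tamper_with_entry(log, index, field, value):
    """Copy of the log with one field changed after the fact (simulates an unauthorized edit)."""
    copy = [dict(r) for r in log]
    copy[index][field] = value
    return copy


def delete_entry(log, index):
    """Copy of the log with one record removed."""
    copy = [dict(r) for r in log]
    del copy[index]
    return copy


if __name__ == "__main__":
    log = build_sample_log()
    print("intact: ", verify_chain(log))
    print("edited: ", verify_chain(tamper_with_entry(log, 1, "action", "view")))
    print("deleted:", verify_chain(delete_entry(log, 1)))
```

One caveat worth checking in any such design: chaining detects edits, reordering and deletions inside the chain, but removing the newest entries leaves a shorter chain that still verifies. Tamper-proofing therefore also needs the latest hash anchored outside the log (written to a separate store, signed, or published on a schedule) so that truncation is detectable too.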
Session Management
- Secure session tokens with automatic expiration
- Concurrent session limits and remote revocation
- IP-based access restrictions (configurable)
Compliance
SOC 2 Type II Controls
Brighten maintains 30+ implemented controls mapped to the SOC 2 Trust Service Criteria across five categories:
GDPR Data Handling
- Consent management with full audit trail
- Data subject access requests (DSAR)
- Right to erasure and data portability
- Data Processing Agreement (DPA) management
Data Classification
All data is classified into four levels with appropriate controls:
Infrastructure
Vercel Edge Network
Global edge deployment with automatic HTTPS, DDoS protection, and CDN caching for optimal performance worldwide.
Neon PostgreSQL
Serverless PostgreSQL hosted in US East with automatic backups, point-in-time recovery, and AES-256 encryption at rest.
Upstash Redis
Serverless Redis for caching and rate limiting with in-memory fallback for high availability. Ephemeral data only.
Sentry Monitoring
Real-time error tracking, performance monitoring, and alerting. Anomalous patterns are detected and flagged automatically.
Subprocessors
The following third-party services process data on behalf of Brighten. All subprocessors are bound by Data Processing Agreements.
| Provider | Purpose | Data Access | Location |
|---|---|---|---|
| Vercel | Application hosting and edge network | Application code, request metadata | US / Global Edge |
| Neon | PostgreSQL database hosting | All application data (encrypted at rest) | US East |
| Stripe | Payment processing and billing | Billing details, subscription status | US |
| Sentry | Error monitoring and performance tracking | Error traces, anonymized usage data | US |
| Upstash | Redis caching and rate limiting | Session tokens, cached data (ephemeral) | US |
| Postmark / Resend | Transactional email delivery | Email addresses, notification content | US |
| Reloadly | Gift card rewards fulfillment | Recipient email, reward amount | US |
| Huuray | Gift card rewards fulfillment | Recipient email, reward amount | EU (Denmark) |
Data Handling
Retention Policies
- Active account data retained while subscription is active
- Audit logs retained for a minimum of 12 months
- Deleted account data purged from active systems within 30 days
- Backups purged within 90 days of account deletion
Your Rights
- Right to deletion — request full account and data removal
- Data portability — export your data in standard formats
- Access requests — obtain a copy of all stored personal data
- Consent withdrawal — revoke consent at any time
Incident Response
Our structured incident response process ensures rapid detection and resolution of security events:
Security Inquiries
Have questions about our security practices? Want to report a vulnerability? Reach out to our security team.
security@hellobrighten.com